On 2/25/2020 7:15 PM, Tom Eastep wrote:
> On 2/25/20 4:59 PM, Tom Eastep wrote:
>> On 2/25/20 1:31 PM, Tom Eastep wrote:
>>> On 2/25/20 1:10 PM, J Cliff Armstrong via Shorewall-users wrote:
>>>> On 2/25/2020 11:20 AM, Tom Eastep wrote:
>>>>> On 2/24/20 5:11 PM, J Cliff Armstrong via Shorewall-users wrote:
>>>>>> Using Shorewall 5.2.3.6, configuration was previously working
>>>>>> without issue. Full trace attached.
>>>>>>
>>>>>> I added the following lines in the NEW section in
>>>>>> `/etc/shorewall/rules`:
>>>>>>
>>>>>>> ?COMMENT Redirect Out #catch leaky DNS queries and redirect them to our own dns server
>>>>>>> DNS(REDIRECT)	lan	53	-	53	-	!&lan
>>>>>>> DNS(REDIRECT)	fw	53	-	53	-	!::1
>>>>>>
>>>>>> when I ran `shorewall6 check` via sudo I received this:
>>>>>>
>>>>>>> Checking using Shorewall 5.2.3.6...
>>>>>>> Processing /etc/shorewall6/params ...
>>>>>>> Processing /etc/shorewall6/shorewall6.conf...
>>>>>>> Loading Modules...
>>>>>>> Checking /etc/shorewall6/zones...
>>>>>>> Checking /etc/shorewall6/interfaces...
>>>>>>> Determining Hosts in Zones...
>>>>>>> Locating Action Files...
>>>>>>> Checking /etc/shorewall6/policy...
>>>>>>> Adding rules for DHCP
>>>>>>> Checking TCP Flags filtering...
>>>>>>> Checking Accept Routing Advertisements...
>>>>>>> Checking MAC Filtration -- Phase 1...
>>>>>>> Checking /etc/shorewall6/rules...
>>>>>>>    ERROR: Internal error in Shorewall::Chains::set_rule_option at /usr/share/shorewall/Shorewall/Chains.pm line 1153 /etc/shorewall6/rules (line 52) at /usr/share/shorewall/Shorewall/Config.pm line 1576.
>>>>>>> 	Shorewall::Config::fatal_error("Internal error in Shorewall::Chains::set_rule_option at /usr/"...) called at /usr/share/shorewall/Shorewall/Config.pm line 1619
>>>>>>> 	Shorewall::Config::assert("") called at /usr/share/shorewall/Shorewall/Chains.pm line 1153
>>>>>>> 	Shorewall::Chains::set_rule_option(HASH(0x55beab832f98), "conntrack", "--ctorigdst ! $SW_LAN_ADDRESS") called at /usr/share/shorewall/Shorewall/Chains.pm line 1266
>>>>>>> 	Shorewall::Chains::transform_rule("-p 6 --dport 53 -m conntrack --ctorigdstport 53 -m conntrack"..., SCALAR(0x55beaa73ec50)) called at /usr/share/shorewall/Shorewall/Chains.pm line 1570
>>>>>>> 	Shorewall::Chains::push_rule(HASH(0x55beab7f3ce0), "-p 6 --dport 53 -m conntrack --ctorigdstport 53 -m conntrack"...) called at /usr/share/shorewall/Shorewall/Chains.pm line 1746
>>>>>>> 	Shorewall::Chains::add_rule(HASH(0x55beab7f3ce0), "-p 6 --dport 53 -m conntrack --ctorigdstport 53 -m conntrack"..., 1) called at /usr/share/shorewall/Shorewall/Chains.pm line 8257
>>>>>>> 	Shorewall::Chains::expand_rule1(HASH(0x55beab7f3ce0), 4, "", "-p 6 --dport 53 -m conntrack --ctorigdstport 53 ", "::/0", "", "!&lan", "ACCEPT", ...) called at /usr/share/shorewall/Shorewall/Chains.pm line 8374
>>>>>>> 	Shorewall::Chains::expand_rule(HASH(0x55beab7f3ce0), 4, "", "-p 6 --dport 53 -m conntrack --ctorigdstport 53 ", "::/0", "", "!&lan", "ACCEPT", ...) called at /usr/share/shorewall/Shorewall/Rules.pm line 3344
>>>>>>> 	Shorewall::Rules::process_rule(undef, "", "", "REDIRECT", "", "lan", 53, "tcp", ...) called at /usr/share/shorewall/Shorewall/Rules.pm line 3816
>>>>>>> 	Shorewall::Rules::process_raw_rule1("REDIRECT", "lan", 53, "tcp,udp", 53, "-", "!&lan", "-", ...) called at /usr/share/shorewall/Shorewall/Rules.pm line 3885
>>>>>>> 	Shorewall::Rules::process_raw_rule() called at /usr/share/shorewall/Shorewall/Rules.pm line 3985
>>>>>>> 	Shorewall::Rules::process_rules() called at /usr/share/shorewall/Shorewall/Compiler.pm line 802
>>>>>>> 	Shorewall::Compiler::compiler("script", "", "directory", "", "verbosity", 1, "timestamp", 0, ...) called at /usr/share/shorewall/compiler.pl line 137
>>>>>>
>>>>>> Creating the REDIRECT rules without using a macro produces the
>>>>>> same result. Notably, my IPv4 installation of shorewall has no
>>>>>> issue with the same rules.
>>>>>>
>>>>>> Is there a difference in syntax between shorewall and
>>>>>> shorewall6 for REDIRECT rules? I didn't see anything in the
>>>>>> documentation specifying such.
>>>>>
>>>>> What is the output of the following two commands?
>>>>>
>>>>> shorewall show -f capabilities | fgrep CONNTRACK
>>>>> shorewall6 show -f capabilities | fgrep CONNTRACK
>>>>>
>>>>> Also, which kernel version are you running?
>>>>>
>>>>> Thanks,
>>>>> -Tom
>>>>
>>>> Here you go:
>>>>
>>>>> wolferz@tiphares ~ $ sudo shorewall show -f capabilities | fgrep CONNTRACK
>>>>> CONNTRACK_MATCH=Yes
>>>>> NEW_CONNTRACK_MATCH=Yes
>>>>> OLD_CONNTRACK_MATCH=
>>>>> wolferz@tiphares ~ $ sudo shorewall6 show -f capabilities | fgrep CONNTRACK
>>>>> CONNTRACK_MATCH=Yes
>>>>> NEW_CONNTRACK_MATCH=Yes
>>>>> OLD_CONNTRACK_MATCH=
>>>>> wolferz@tiphares ~ $ uname -a
>>>>> Linux tiphares 5.5.5-arch1-1 #1 SMP PREEMPT Thu, 20 Feb 2020 18:23:09 +0000 x86_64 GNU/Linux
>>>
>>> Okay -- the compiler is mis-detecting the OLD_CONNTRACK_MATCH
>>> capability. You can work around this temporarily through using a
>>> shorewall6 capabilities file (the CLI correctly detects the capability).
>>>
>>> I'll have a patch ready later today.
>>
>> Here is the patch:
>>
>> . /usr/share/shorewall/shorewallrc
>> cd $PERLLIBDIR/Shorewall
>> patch -p4 < path/to/OLD_CONNTRACK_MATCH.patch
>>
> Here's the patch :-)
>
> -Tom
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
Works like a charm, thx. :-)

-- 
- J Cliff Armstrong -
AKA JadedDragoon