On 2/25/2020 7:15 PM, Tom Eastep wrote:
> On 2/25/20 4:59 PM, Tom Eastep wrote:
>> On 2/25/20 1:31 PM, Tom Eastep wrote:
>>> On 2/25/20 1:10 PM, J Cliff Armstrong via Shorewall-users wrote:
>>>> On 2/25/2020 11:20 AM, Tom Eastep wrote:
>>>>> On 2/24/20 5:11 PM, J Cliff Armstrong via Shorewall-users wrote:
>>>>>> Using Shorewall 5.2.3.6, configuration was previously working
>>>>>> without issue. Full trace attached.
>>>>>> I added the following lines in the NEW section in
>>>>>> `/etc/shorewall/rules`:
>>>>>>> ?COMMENT Redirect Out #catch leaky DNS queries and redirect them to our own dns server
>>>>>>> DNS(REDIRECT)   lan   53   -   53   -   !&lan
>>>>>>> DNS(REDIRECT)   fw    53   -   53   -   !::1
>>>>>>>
>>>>>> When I ran `shorewall6 check` via sudo I received this:
>>>>>>> Checking using Shorewall 5.2.3.6...
>>>>>>> Processing /etc/shorewall6/params ...
>>>>>>> Processing /etc/shorewall6/shorewall6.conf...
>>>>>>> Loading Modules...
>>>>>>> Checking /etc/shorewall6/zones...
>>>>>>> Checking /etc/shorewall6/interfaces...
>>>>>>> Determining Hosts in Zones...
>>>>>>> Locating Action Files...
>>>>>>> Checking /etc/shorewall6/policy...
>>>>>>> Adding rules for DHCP
>>>>>>> Checking TCP Flags filtering...
>>>>>>> Checking Accept Routing Advertisements...
>>>>>>> Checking MAC Filtration -- Phase 1...
>>>>>>> Checking /etc/shorewall6/rules...
>>>>>>>    ERROR: Internal error in Shorewall::Chains::set_rule_option at /usr/share/shorewall/Shorewall/Chains.pm line 1153 /etc/shorewall6/rules (line 52) at /usr/share/shorewall/Shorewall/Config.pm line 1576.
>>>>>>>    Shorewall::Config::fatal_error("Internal error in Shorewall::Chains::set_rule_option at /usr/"...) called at /usr/share/shorewall/Shorewall/Config.pm line 1619
>>>>>>>    Shorewall::Config::assert("") called at /usr/share/shorewall/Shorewall/Chains.pm line 1153
>>>>>>>    Shorewall::Chains::set_rule_option(HASH(0x55beab832f98), "conntrack", "--ctorigdst ! \$SW_LAN_ADDRESS") called at /usr/share/shorewall/Shorewall/Chains.pm line 1266
>>>>>>>    Shorewall::Chains::transform_rule("-p 6 --dport 53 -m conntrack --ctorigdstport 53 -m conntrack"..., SCALAR(0x55beaa73ec50)) called at /usr/share/shorewall/Shorewall/Chains.pm line 1570
>>>>>>>    Shorewall::Chains::push_rule(HASH(0x55beab7f3ce0), "-p 6 --dport 53  -m conntrack --ctorigdstport 53 -m conntrack"...) called at /usr/share/shorewall/Shorewall/Chains.pm line 1746
>>>>>>>    Shorewall::Chains::add_rule(HASH(0x55beab7f3ce0), "-p 6 --dport 53  -m conntrack --ctorigdstport 53 -m conntrack"..., 1) called at /usr/share/shorewall/Shorewall/Chains.pm line 8257
>>>>>>>    Shorewall::Chains::expand_rule1(HASH(0x55beab7f3ce0), 4, "", "-p 6 --dport 53  -m conntrack --ctorigdstport 53 ", "::/0", "", "!&lan", "ACCEPT", ...) called at /usr/share/shorewall/Shorewall/Chains.pm line 8374
>>>>>>>    Shorewall::Chains::expand_rule(HASH(0x55beab7f3ce0), 4, "", "-p 6 --dport 53  -m conntrack --ctorigdstport 53 ", "::/0", "", "!&lan", "ACCEPT", ...) called at /usr/share/shorewall/Shorewall/Rules.pm line 3344
>>>>>>>    Shorewall::Rules::process_rule(undef, "", "", "REDIRECT", "", "lan", 53, "tcp", ...) called at /usr/share/shorewall/Shorewall/Rules.pm line 3816
>>>>>>>    Shorewall::Rules::process_raw_rule1("REDIRECT", "lan", 53, "tcp,udp", 53, "-", "!&lan", "-", ...) called at /usr/share/shorewall/Shorewall/Rules.pm line 3885
>>>>>>>    Shorewall::Rules::process_raw_rule() called at /usr/share/shorewall/Shorewall/Rules.pm line 3985
>>>>>>>    Shorewall::Rules::process_rules() called at /usr/share/shorewall/Shorewall/Compiler.pm line 802
>>>>>>>    Shorewall::Compiler::compiler("script", "", "directory", "", "verbosity", 1, "timestamp", 0, ...) called at /usr/share/shorewall/compiler.pl line 137
>>>>>> Creating the REDIRECT rules without using a macro produces the
>>>>>> same result. Notably, my IPv4 installation of shorewall has no
>>>>>> issue with the same rules.
>>>>>> Is there a difference in syntax between shorewall and
>>>>>> shorewall6 for REDIRECT rules? I didn't see anything in the
>>>>>> documentation specifying such.
>>>>>
>>>>>
>>>>> What is the output of the following two commands?
>>>>>
>>>>> shorewall show -f capabilities | fgrep CONNTRACK
>>>>> shorewall6 show -f capabilities | fgrep CONNTRACK
>>>>>
>>>>> Also, which kernel version are you running?
>>>>>
>>>>> Thanks, -Tom
>>>> Here you go:
>>>>> wolferz@tiphares ~ $ sudo shorewall show -f capabilities | fgrep CONNTRACK
>>>>> CONNTRACK_MATCH=Yes
>>>>> NEW_CONNTRACK_MATCH=Yes
>>>>> OLD_CONNTRACK_MATCH=
>>>>> wolferz@tiphares ~ $ sudo shorewall6 show -f capabilities | fgrep CONNTRACK
>>>>> CONNTRACK_MATCH=Yes
>>>>> NEW_CONNTRACK_MATCH=Yes
>>>>> OLD_CONNTRACK_MATCH=
>>>>> wolferz@tiphares ~ $ uname -a
>>>>> Linux tiphares 5.5.5-arch1-1 #1 SMP PREEMPT Thu, 20 Feb 2020 18:23:09 +0000 x86_64 GNU/Linux
>>>
>>> Okay -- the compiler is mis-detecting the OLD_CONNTRACK_MATCH
>>> capability. You can work around this temporarily by using a
>>> shorewall6 capabilities file (the CLI correctly detects the capability).
>>>
>>> I'll have a patch ready later today.
>> Here is the patch:
>>
>>      . /usr/share/shorewall/shorewallrc
>>      cd $PERLLIBDIR/Shorewall
>>      patch -p4 < path/to/OLD_CONNTRACK_MATCH.patch
>>      
> Here's the patch :-)
>
> -Tom
>
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users

Works like a charm, thx. :-)
-- 
- J Cliff Armstrong
- AKA JadedDragoon


Attachment: signature.asc
Description: OpenPGP digital signature
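The workaround Tom describes above (a shorewall6 capabilities file, so the compiler stops probing for OLD_CONNTRACK_MATCH itself and uses the CLI's detection instead), as an added shell example that is not part of the thread or of Shorewall. The `cap_value`, `cap_is_set` and `write_capabilities_file` helpers and the sample text are mine; the `shorewall6 show -f capabilities` command and the `NAME=value` line format are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the Shorewall project.
# Inspect the NAME=value lines that `shorewall6 show -f capabilities` prints,
# and write them out as a capabilities file so the rules compiler reads the
# CLI's detection instead of running its own (mis-detecting) probe.

# Constructed sample, modelled on the CONNTRACK lines quoted in the thread.
SAMPLE_CAPS='CONNTRACK_MATCH=Yes
NEW_CONNTRACK_MATCH=Yes
OLD_CONNTRACK_MATCH='

# cap_value NAME TEXT
# Prints the value after "NAME=" (empty if the capability is unset or absent).
cap_value() {
    printf '%s\n' "$2" | sed -n "s/^$1=//p" | head -n 1
}

# cap_is_set NAME TEXT
# Succeeds only when NAME is present with a non-empty value ("Yes").
cap_is_set() {
    [ -n "$(cap_value "$1" "$2")" ]
}

# write_capabilities_file PROG DIR
# Dumps PROG's own capability detection into DIR/capabilities (the file the
# compiler consults when present). Needs root and a working PROG install;
# PROG is "shorewall" or "shorewall6", DIR the matching /etc directory.
write_capabilities_file() {
    prog=$1
    dir=$2
    "$prog" show -f capabilities > "$dir/capabilities" || return 1
    chmod 0644 "$dir/capabilities"
}

# Report the three CONNTRACK capabilities from a capabilities text.
report_conntrack() {
    for name in CONNTRACK_MATCH NEW_CONNTRACK_MATCH OLD_CONNTRACK_MATCH; do
        if cap_is_set "$name" "$1"; then
            printf '%s: %s\n' "$name" "$(cap_value "$name" "$1")"
        else
            printf '%s: (not detected)\n' "$name"
        fi
    done
}

report_conntrack "$SAMPLE_CAPS"
# Real workaround on the affected host (as root):
#   write_capabilities_file shorewall6 /etc/shorewall6 && shorewall6 check
```

The capabilities file freezes the detection at the moment it was written, so treat it as temporary: remove `/etc/shorewall6/capabilities` (or regenerate it) once the patched compiler is installed or after any kernel or ip6tables upgrade, otherwise the compiler will keep emitting rules for capabilities the running system may no longer have.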
