A bug in iptables (https://git.netfilter.org/iptables/commit/?id=d1555a0906e35ba8d170613d5a43da64e527dbe1) affecting CentOS 7 inhibits the cpu-fanout option in shorewall-rules. The "--queue-cpu-fanout" should be the last passed to iptables.
Steps to reproduce:

* create a rule using the cpu-fanout option:

  NFQUEUE(0:1c,bypass) all+ all+ - - - - - - !0x10/0x10

* restart shorewall

* see the iptables rule (cpu-fanout is missing):

  NFQUEUE all -- * * 0.0.0.0/0 0.0.0.0/0 mark match ! 0x10/0x10 NFQUEUE balance 0:1 bypass

Unfortunately, shorewall is passing options in the order which triggers the bug.

Workaround:

* use an INLINE:

  INLINE all+ all+ - - - - - - !0x10/0x10; -j NFQUEUE --queue-balance 0:1 --queue-bypass --queue-cpu-fanout

Tentative patch:

- return "NFQUEUE --queue-balance ${queuenum1}:${queuenum2}${fanout}${bypass}";
+ return "NFQUEUE --queue-balance ${queuenum1}:${queuenum2}${bypass}${fanout}";

Newer iptables versions work well regardless of the order of the options (tested on ubuntu).

Bug filed on Red Hat Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1851944

-- 
Ciao,
Filippo

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
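Review bot: the reordering in the tentative patch is correct for the problem described, but nothing in the changed line records why `${fanout}` must come last; add a comment above the return stating that the CentOS 7 iptables build (the commit linked at the top of the message) loses --queue-cpu-fanout unless it is the final option, so a later tidy-up does not silently restore `${fanout}${bypass}`. Also worth double-checking that both `${bypass}` and `${fanout}` carry their own leading space, since the hunk concatenates them onto `${queuenum2}` with no separator of its own.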
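As an added example, not code from Shorewall or from the message above, the following POSIX shell snippet does two things a practitioner would want after applying the tentative patch: it builds the NFQUEUE target string in the patched order (balance, bypass, cpu-fanout last), and it scans iptables-save/`iptables -S` style output for NFQUEUE balance rules that have lost --queue-cpu-fanout, which is exactly the symptom reported. The rule lines fed to the checker are constructed sample data, and the function names nfqueue_target, missing_fanout and count_missing are the example's own.

```shell
#!/bin/sh
# Added example; not Shorewall's code. Assumed helper names throughout.

# nfqueue_target LOW HIGH BYPASS FANOUT
#   LOW/HIGH  : the --queue-balance range
#   BYPASS    : "yes" to add --queue-bypass, empty otherwise
#   FANOUT    : "yes" to add --queue-cpu-fanout, empty otherwise
# Emits the target in the patched order so that --queue-cpu-fanout,
# when present, is always the last option handed to iptables.
nfqueue_target() {
    low=$1; high=$2; bypass=$3; fanout=$4
    t="NFQUEUE --queue-balance ${low}:${high}"
    [ -n "$bypass" ] && t="$t --queue-bypass"
    [ -n "$fanout" ] && t="$t --queue-cpu-fanout"
    printf '%s\n' "$t"
}

# missing_fanout: read iptables-save / "iptables -S" lines on stdin and print
# every NFQUEUE rule that uses --queue-balance but carries no
# --queue-cpu-fanout. An empty result is the expected, healthy outcome.
missing_fanout() {
    grep -- '-j NFQUEUE' | grep -- '--queue-balance' \
        | grep -v -- '--queue-cpu-fanout' || true
}

# Constructed sample output in "iptables -S" format: the first rule shows the
# bug (fanout dropped), the second is what the patched order should produce,
# the third uses a single queue and is not subject to the check.
SAMPLE_RULES='-A INPUT -m mark ! --mark 0x10/0x10 -j NFQUEUE --queue-balance 0:1 --queue-bypass
-A FORWARD -m mark ! --mark 0x10/0x10 -j NFQUEUE --queue-balance 0:1 --queue-bypass --queue-cpu-fanout
-A OUTPUT -j NFQUEUE --queue-num 5'

# count_missing: number of rules in SAMPLE_RULES that lost the fanout flag.
count_missing() {
    printf '%s\n' "$SAMPLE_RULES" | missing_fanout | wc -l | tr -d ' '
}

# Stand-alone demonstration.
echo "patched target: $(nfqueue_target 0 1 yes yes)"
echo "rules missing --queue-cpu-fanout:"
printf '%s\n' "$SAMPLE_RULES" | missing_fanout
```

On a live box the check would be run as `iptables -S | missing_fanout` (or over `iptables-save` output) right after `shorewall restart`; any line it prints means the kernel never received the fanout flag, regardless of what the rules file asked for.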