On 6/29/20 6:50 AM, Filippo Carletti wrote:

> A bug in iptables
> (https://git.netfilter.org/iptables/commit/?id=d1555a0906e35ba8d170613d5a43da64e527dbe1)
> affecting CentOS 7 inhibits the cpu-fanout option in shorewall-rules.
> The "--queue-cpu-fanout" should be the last passed to iptables.
>
> Steps to reproduce:
> * create a rule using the cpu-fanout option:
> NFQUEUE(0:1c,bypass) all+ all+ - - - - - - !0x10/0x10
> * restart shorewall
> * see the iptables rule (cpu-fanout is missing):
> NFQUEUE all -- * * 0.0.0.0/0 0.0.0.0/0 mark match ! 0x10/0x10 NFQUEUE balance 0:1 bypass
>
> Unfortunately, shorewall is passing options in the order which triggers the
> bug.
>
> Workaround
> * use an INLINE:
> INLINE all+ all+ - - - - - - !0x10/0x10; -j NFQUEUE --queue-balance 0:1 --queue-bypass --queue-cpu-fanout
Note that with Shorewall 5.2, two semicolons (';;') are required.

>
> Tentative patch:
> - return "NFQUEUE --queue-balance ${queuenum1}:${queuenum2}${fanout}${bypass}";
> + return "NFQUEUE --queue-balance ${queuenum1}:${queuenum2}${bypass}${fanout}";

I'll include this patch in 5.2.6-RC1.

>
> Newer iptables versions work well regardless of the order of the
> options (tested on ubuntu).
>
> Bug filed on Red Hat Bugzilla:
> https://bugzilla.redhat.com/show_bug.cgi?id=1851944
>

Thanks, Filippo.

-Tom

--
Tom Eastep            \ Q: What do you get when you cross a mobster
Shoreline,            \ with an international standard?
Washington, USA       \ A: Someone who makes you an offer you
http://shorewall.org  \ can't understand
                      \________________________________________
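Review bot: the swap of ${bypass} and ${fanout} fixes the symptom, but nothing on the return line says why --queue-cpu-fanout has to be emitted last; a one-line comment pointing at the CentOS 7 iptables commit (d1555a0906e35ba8d170613d5a43da64e527dbe1) would keep a later tidy-up from restoring the old order and silently dropping cpu-fanout again. The shorewall-rules documentation for the NFQUEUE 'c' suffix could also mention that the INLINE workaround is no longer needed once this lands.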
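As an added check that is not part of this thread and not Shorewall's own code: the script below compares the options a shorewall-rules NFQUEUE action requests (a trailing `c` on the queue spec means cpu-fanout, `,bypass` means bypass) with what `iptables -L -n` actually shows, so an option silently dropped by the CentOS 7 iptables bug is caught after a restart. The rule and listing are constructed from the report above; on a real host feed it the output of `iptables -L -n` instead.

```python
import re

# Constructed sample input modelled on the report above; not captured from a real host.
SHOREWALL_RULE = "NFQUEUE(0:1c,bypass) all+ all+ - - - - - - !0x10/0x10"
BROKEN_LISTING = """Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
NFQUEUE    all  --  0.0.0.0/0            0.0.0.0/0            mark match ! 0x10/0x10 NFQUEUE balance 0:1 bypass
"""
# What the same rule looks like once cpu-fanout is actually applied.
FIXED_LISTING = BROKEN_LISTING.rstrip("\n") + " cpu-fanout\n"

def expected_options(rule):
    """Options a shorewall-rules NFQUEUE action should produce in iptables."""
    m = re.match(r"NFQUEUE\((\d+)(?::(\d+))?(c)?(?:,(bypass))?\)", rule)
    if not m:
        raise ValueError(f"not an NFQUEUE action: {rule}")
    lo, hi, fanout, bypass = m.groups()
    opts = {"balance": f"{lo}:{hi}"} if hi else {"num": lo}
    if bypass:
        opts["bypass"] = True
    if fanout:
        opts["cpu-fanout"] = True
    return opts

def actual_options(listing):
    """Options shown for each NFQUEUE target in `iptables -L -n` output."""
    found = []
    for line in listing.splitlines():
        # The target column also says NFQUEUE; the options follow the second occurrence.
        m = re.search(r"NFQUEUE (balance|num) (\S+)(.*)$", line)
        if m:
            opts = {m.group(1): m.group(2)}
            for word in m.group(3).split():
                opts[word] = True
            found.append(opts)
    return found

def missing_options(rule, listing):
    """For every NFQUEUE rule in the listing, the requested options that did not survive."""
    want = expected_options(rule)
    return [sorted(k for k in want if want[k] != got.get(k)) for got in actual_options(listing)]

if __name__ == "__main__":
    print(missing_options(SHOREWALL_RULE, BROKEN_LISTING))  # [['cpu-fanout']]
```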
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users