Howdy y'all,
I'm trying to code the SNPT/DNPT actions for Shorewall 5.2.8, and I'm having
a hard time here.
The message on compile states:
Generating Rule Matrix...
Use of uninitialized value $to in split at /usr/share/shorewall/Shorewall/Chains.pm line 2774.
Use of uninitialized value $target in hash element at /usr/share/shorewall/Shorewall/Chains.pm line 2775.
Use of uninitialized value $target in hash element at /usr/share/shorewall/Shorewall/Chains.pm line 2776.
Use of uninitialized value $to in concatenation (.) or string at /usr/share/shorewall/Shorewall/Chains.pm line 2776.
ERROR: Unknown rule target () /etc/shorewall6/mangle (EOF)
When looking into the -D compile output, I can see:
Locating Action Files...
.......
IN===> DNPT builtin,mangle
IN===> SNPT builtin,mangle
........
Compiling /etc/shorewall6/mangle...
IN===> IP6TABLES(DNPT --src-pfx fd19:b5cb:badc:f0f0::ffff:0/104 --dst-pfx fd19:b5cb:badc:f0f0::/104 ):P vlan36_IF -
NF-(A)-> mangle:tcpre:1 -A tcpre -i lxcbr3a.36 -j DNPT --src-pfx fd19:b5cb:badc:f0f0::ffff:0/104 --dst-pfx fd19:b5cb:badc:f0f0::/104
IN===> IP6TABLES(SNPT --dst-pfx fd19:b5cb:badc:f0f0::ffff:0/104 --src-pfx fd19:b5cb:badc:f0f0::/104 ):T - vlan36_IF
NF-(A)-> mangle:tcpost:1 -A tcpost -o lxcbr3a.36 -j SNPT --dst-pfx fd19:b5cb:badc:f0f0::ffff:0/104 --src-pfx fd19:b5cb:badc:f0f0::/104
......
Generating Rule Matrix...
NF-(N)-> nat:z6ens1_dnat
NF-(N)-> filter:~excl0
NF-(!O4)-> filter:~excl0
NF-(A)-> filter:~excl0:1 -A ~excl0 -d fd19:b5cb:badc:f0f0::ffff:0/112 -j RETURN
NF-(A)-> filter:~excl0:2 -A ~excl0 -j ACCEPT
SYS----> /sbin/ip6tables -w -F fooX792964
SYS----> /sbin/ip6tables -w -X fooX792964
SYS----> /sbin/ip6tables -w -F foo1X792964
SYS----> /sbin/ip6tables -w -X foo1X792964
SYS----> /sbin/ip6tables -w -t mangle -F fooX792964
SYS----> /sbin/ip6tables -w -t mangle -X fooX792964
SYS----> /sbin/ip6tables -w -t nat -F fooX792964
ip6tables: No chain/target/match by that name.
SYS----> /sbin/ip6tables -w -t nat -X fooX792964
ip6tables: No chain/target/match by that name.
SYS----> /sbin/ip6tables -w -t raw -F fooX792964
SYS----> /sbin/ip6tables -w -t raw -X fooX792964
ERROR: Unknown rule target () /etc/shorewall6/mangle (EOF) at /usr/share/shorewall/Shorewall/Config.pm line 1612.
Shorewall::Config::fatal_error("Unknown rule target ()") called at /usr/share/shorewall/Shorewall/Chains.pm line 2776
Shorewall::Chains::add_ijump_internal(HASH(0x55b4269739a8), "j", undef, 0, "", "o", "vlans") called at /usr/share/shorewall/Shorewall/Chains.pm line 2816
Shorewall::Chains::add_ijump_extended(HASH(0x55b4269739a8), "j", undef, "", "o", "vlans") called at /usr/share/shorewall/Shorewall/Misc.pm line 1973
Shorewall::Misc::add_output_jumps("z6ens1", "ens1_IF", HASH(0x55b42697fab0), "::/0", ARRAY(0x55b426982350), undef, "ens1_IF", "") called at /usr/share/shorewall/Shorewall/Misc.pm line 2344
Shorewall::Misc::generate_matrix() called at /usr/share/shorewall/Shorewall/Compiler.pm line 860
Shorewall::Compiler::compiler("script", "/var/lib/shorewall6/firewall", "directory", "", "verbosity", 1, "timestamp", 0, ...) called at /usr/share/shorewall/compiler.pl line 137
eval() called 5 times
I don't know where I'm going wrong or what I'm missing.
Thanks in advance,
And best regards,
Fred
****<<< Files follow >>> ****
root@rnvhost01:/etc/shorewall6# shorewall6 compile
Compiling using Shorewall 5.2.8...
Processing /etc/shorewall6/params ...
Processing /etc/shorewall6/shorewall6.conf...
Loading Modules...
Compiling /etc/shorewall6/zones...
Compiling /etc/shorewall6/interfaces...
Compiling /etc/shorewall6/hosts...
Determining Hosts in Zones...
WARNING: *** z6tun0 is an EMPTY ZONE *** /etc/shorewall6/hosts (EOF)
WARNING: *** z6br0net is an EMPTY ZONE *** /etc/shorewall6/hosts (EOF)
Locating Action Files...
Compiling /etc/shorewall6/policy...
Adding rules for DHCP
Compiling TCP Flags filtering...
Compiling MAC Filtration -- Phase 1...
Compiling MAC Filtration -- Phase 2...
Applying Policies...
Compiling /usr/share/shorewall/action.AllowICMPs for chain AllowICMPs...
Compiling /usr/share/shorewall/action.Broadcast for chain Broadcast...
Compiling /usr/share/shorewall/action.Multicast for chain Multicast...
Compiling /etc/shorewall6/mangle...
ERROR: Invalid ACTION (IPTABLES) /etc/shorewall6/mangle (line 15)
root@rnvhost01:/etc/shorewall6# vi mangle
root@rnvhost01:/etc/shorewall6# shorewall6 compile
Compiling using Shorewall 5.2.8...
Processing /etc/shorewall6/params ...
Processing /etc/shorewall6/shorewall6.conf...
Loading Modules...
Compiling /etc/shorewall6/zones...
Compiling /etc/shorewall6/interfaces...
Compiling /etc/shorewall6/hosts...
Determining Hosts in Zones...
WARNING: *** z6tun0 is an EMPTY ZONE *** /etc/shorewall6/hosts (EOF)
WARNING: *** z6br0net is an EMPTY ZONE *** /etc/shorewall6/hosts (EOF)
Locating Action Files...
Compiling /etc/shorewall6/policy...
Adding rules for DHCP
Compiling TCP Flags filtering...
Compiling MAC Filtration -- Phase 1...
Compiling MAC Filtration -- Phase 2...
Applying Policies...
Compiling /usr/share/shorewall/action.AllowICMPs for chain AllowICMPs...
Compiling /usr/share/shorewall/action.Broadcast for chain Broadcast...
Compiling /usr/share/shorewall/action.Multicast for chain Multicast...
Compiling /etc/shorewall6/mangle...
Generating Rule Matrix...
Use of uninitialized value $to in split at /usr/share/shorewall/Shorewall/Chains.pm line 2774.
Use of uninitialized value $target in hash element at /usr/share/shorewall/Shorewall/Chains.pm line 2775.
Use of uninitialized value $target in hash element at /usr/share/shorewall/Shorewall/Chains.pm line 2776.
Use of uninitialized value $to in concatenation (.) or string at /usr/share/shorewall/Shorewall/Chains.pm line 2776.
ERROR: Unknown rule target () /etc/shorewall6/mangle (EOF)
root@rnvhost01:/etc/shorewall6# ls -l
total 48
-rw-r--r-- 1 root root 872 nov 24 07:36 action.DNPT
-rw-r--r-- 1 root root 336 nov 19 14:09 actions
-rw-r--r-- 1 root root 873 nov 24 07:37 action.SNPT
-rw-r----- 1 root root 954 jul 23 2024 conntrack
-rw-r--r-- 1 root root 291 nov 19 13:39 hosts
-rw-r--r-- 1 root root 1918 nov 24 07:33 interfaces
-rw-r--r-- 1 root root 920 nov 24 07:38 mangle
-rw-r----- 1 root root 560 jul 23 2024 params
-rw-r--r-- 1 root root 1400 nov 19 14:26 policy
-rw-r--r-- 1 root root 5181 jul 23 2024 shorewall6.conf
-rw-r--r-- 1 root root 899 nov 24 07:09 zones
***
root@rnvhost01:/etc/shorewall6# cat actions
#
# Shorewall6 version 5 - Actions.std File
#
# /usr/share/shorewall6/actions.std
#
# Please see https://shorewall.org/Actions.html for additional
# information.
#
###############################################################################
#ACTION
DNPT builtin,mangle #
SNPT builtin,mangle #
#
****
root@rnvhost01:/etc/shorewall6# cat action.DNPT
#
# Shorewall6 -- /usr/share/shorewall6/action.mangletemplate
#
# This file is a template for files with names of the form
# /etc/shorewall/action.<action-name> where <action> is an
# ACTION defined with the mangle option in /etc/shorewall/actions.
#
# To define a new action:
#
# 1. Add the <action name> to /etc/shorewall6/actions with the mangle option
# 2. Copy this file to /etc/shorewall6/action.<action name>
# 3. Add the desired rules to that file.
#
# Please see https://shorewall.org/Actions.html for additional information.
#
# Columns are the same as in /etc/shorewall6/mangle.
#
############################################################################################################################################################
#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER HEADERS PROBABILITY DSCP
DNPT - - - - -
****
root@rnvhost01:/etc/shorewall6# cat action.SNPT
#
# Shorewall6 -- /usr/share/shorewall6/action.mangletemplate
#
# This file is a template for files with names of the form
# /etc/shorewall/action.<action-name> where <action> is an
# ACTION defined with the mangle option in /etc/shorewall/actions.
#
# To define a new action:
#
# 1. Add the <action name> to /etc/shorewall6/actions with the mangle option
# 2. Copy this file to /etc/shorewall6/action.<action name>
# 3. Add the desired rules to that file.
#
# Please see https://shorewall.org/Actions.html for additional information.
#
# Columns are the same as in /etc/shorewall6/mangle.
#
############################################################################################################################################################
#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER HEADERS PROBABILITY DSCP
SNPT - - - - -
****
root@rnvhost01:/etc/shorewall6# cat policy | grep -v '^$\|^#'
fw all ACCEPT
all fw ACCEPT
z6ens1 all ACCEPT
z6ens1loc all ACCEPT
z6tun0 all ACCEPT
z6br0 all ACCEPT
z6br0net all ACCEPT
z6LXCBR0 all ACCEPT
all z6ens1 ACCEPT
all z6ens1loc ACCEPT
all z6tun0 ACCEPT
all z6br0 ACCEPT
all z6br0net ACCEPT
all z6LXCBR0 ACCEPT
all all REJECT $LOG_LEVEL
*****
root@rnvhost01:/etc/shorewall6# cat hosts
#ZONE HOSTS OPTIONS
z6ens1 ens1_IF:![fd19:b5cb:badc:f0f0::ffff:0/112]
z6ens1loc ens1_IF:[fd19:b5cb:badc:f0f0::ffff:0/112]
#
z6br0 br0_IF:[fd19:b5cb:badc:f0f0::ff:0/112]
# z6br0net br0_IF:!192.168.32.0/22
z6LXCBR0 LXCBR0_IF:[fd19:b5cb:badc:f0f0::c0:5000/107]
***
root@rnvhost01:/etc/shorewall6# cat zones
#
# Shorewall - Sample Zones File for three-interface configuration.
# Copyright (C) 2006-2015 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#------------------------------------------------------------------------------
# For information about entries in this file, type "man shorewall-zones"
###############################################################################
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
z6ens1 ipv6
z6ens1loc ipv6
#loc6 ipv6
#dmz6 ipv6
z6tun0 ipv6
#z6lan0 ipv6
#z6bond0 ipv6
z6br0 ipv6
z6br0net ipv6
# z6ens1 ipv6
z6LXCBR0 ipv6
z6lxcbr3 ipv6
z6vlan36 ipv6
****
#
# Shorewall - Sample Interfaces File for three-interface configuration.
# Copyright (C) 2006-2017 by the Shorewall Team
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# See the file README.txt for further details.
#------------------------------------------------------------------------------
# For information about entries in this file, type "man shorewall-interfaces"
###############################################################################
?FORMAT 2
###############################################################################
#ZONE INTERFACE OPTIONS
#net NET_IF tcpflags,dhcp,nosmurfs,routefilter,logmartians,sourceroute=0,physical=eth0
#loc LOC_IF tcpflags,nosmurfs,routefilter,logmartians,physical=eth1
#dmz DMZ_IF tcpflags,nosmurfs,routefilter,logmartians,physical=eth2
#
- tun0_IF dhcp,physical=tun0
- lan0_IF dhcp,physical=lacp+
#
- ens1_IF unmanaged,physical=vlans
z6vlan36 vlan36_IF physical=lxcbr3a.36
#
- br0_IF dhcp,physical=br0
#
- LXCBR0_IF dhcp,physical=lxcbr0
#
- LXCBR1_IF unmanaged,physical=lxcbr1a
z6lxcbr3 LXCBR3_IF dhcp,physical=lxcbr3a
#
- bond0_IF unmanaged,physical=bond0
- OVS_IF unmanaged,physical=ovsbr0+
root@rnvhost01:/etc/shorewall6#
*****
****
root@rnvhost01:/etc/shorewall6# cat mangle
#
# Shorewall6 -- /etc/shorewall6/mangle
#
# For information about entries in this file, type "man shorewall6-mangle"
#
# See https://shorewall.org/traffic_shaping.htm for additional information.
# For usage in selecting among multiple ISPs, see
# https://shorewall.org/MultiISP.html
#
# See https://shorewall.org/PacketMarking.html for a detailed description of
# the Netfilter/Shorewall packet marking mechanism.
#
######################################################################################################################################################################
#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER HEADERS PROBABILITY DSCP SWITCH
IP6TABLES(DNPT --src-pfx fd19:b5cb:badc:f0f0::ffff:0/104 --dst-pfx fd19:b5cb:badc:f0f0::/104 ):P vlan36_IF -
IP6TABLES(SNPT --dst-pfx fd19:b5cb:badc:f0f0::ffff:0/104 --src-pfx fd19:b5cb:badc:f0f0::/104 ):T - vlan36_IF
***
root@rnvhost01:/etc/shorewall6# grep -v '^$' shorewall6.conf
###############################################################################
#
# Shorewall Version 5 -- /etc/shorewall6/shorewall6.conf
#
# For information about the settings in this file, type "man shorewall6.conf"
#
# Manpage also online at
# https://shorewall.org/manpages/shorewall.conf.html
###############################################################################
# S T A R T U P E N A B L E D
###############################################################################
STARTUP_ENABLED=Yes
###############################################################################
# V E R B O S I T Y
###############################################################################
VERBOSITY=1
###############################################################################
# P A G E R
###############################################################################
PAGER=
###############################################################################
# F I R E W A L L
###############################################################################
FIREWALL=
###############################################################################
# L O G G I N G
###############################################################################
LOG_LEVEL="info"
BLACKLIST_LOG_LEVEL=
INVALID_LOG_LEVEL=
LOG_BACKEND=
LOG_VERBOSITY=2
LOG_ZONE=Both
LOGALLNEW=
LOGFILE=/var/log/messages
LOGFORMAT="%s %s "
LOGLIMIT="s:1/sec:10"
LOGTAGONLY=No
MACLIST_LOG_LEVEL="$LOG_LEVEL"
RELATED_LOG_LEVEL=
RPFILTER_LOG_LEVEL="$LOG_LEVEL"
SFILTER_LOG_LEVEL="$LOG_LEVEL"
SMURF_LOG_LEVEL="$LOG_LEVEL"
STARTUP_LOG=/var/log/shorewall6-init.log
TCP_FLAGS_LOG_LEVEL="$LOG_LEVEL"
UNTRACKED_LOG_LEVEL=
###############################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
###############################################################################
CONFIG_PATH=":${CONFDIR}/shorewall6:/usr/share/shorewall6:${SHAREDIR}/shorewall"
GEOIPDIR=/usr/share/xt_geoip/LE
IP6TABLES=
IP=
IPSET=
LOCKFILE=
MODULESDIR=
NFACCT=
PERL=/usr/bin/perl
PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin"
RESTOREFILE=restore
SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK=""
TC=
###############################################################################
# D E F A U L T A C T I O N S / M A C R O S
###############################################################################
ACCEPT_DEFAULT="none"
BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
DROP_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
NFQUEUE_DEFAULT="none"
QUEUE_DEFAULT="none"
REJECT_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
###############################################################################
# R S H / R C P C O M M A N D S
###############################################################################
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
RSH_COMMAND='ssh ${root}@${system} ${command}'
###############################################################################
# F I R E W A L L O P T I O N S
###############################################################################
ACCOUNTING=Yes
ACCOUNTING_TABLE=filter
ADMINISABSENTMINDED=Yes
AUTOCOMMENT=Yes
AUTOHELPERS=No
AUTOMAKE=Yes
BALANCE_PROVIDERS=No
BASIC_FILTERS=No
BLACKLIST="NEW,INVALID,UNTRACKED"
CLAMPMSS=No
CLEAR_TC=No
COMPLETE=No
DEFER_DNS_RESOLUTION=Yes
DELETE_THEN_ADD=Yes
DONT_LOAD=
DYNAMIC_BLACKLIST=Yes
EXPAND_POLICIES=Yes
EXPORTMODULES=Yes
FASTACCEPT=No
FORWARD_CLEAR_MARK=Yes
HELPERS=
IGNOREUNKNOWNVARIABLES=No
IMPLICIT_CONTINUE=No
IPSET_WARNINGS=Yes
IP_FORWARDING=Keep
KEEP_RT_TABLES=Yes
MACLIST_TABLE=filter
MACLIST_TTL=
MANGLE_ENABLED=Yes
MARK_IN_FORWARD_CHAIN=No
MINIUPNPD=No
MUTEX_TIMEOUT=60
OPTIMIZE=All
OPTIMIZE_ACCOUNTING=No
PERL_HASH_SEED=0
REJECT_ACTION=
RENAME_COMBINED=Yes
REQUIRE_INTERFACE=No
RESTART=restart
RESTORE_DEFAULT_ROUTE=Yes
RESTORE_ROUTEMARKS=Yes
SAVE_IPSETS=No
TC_ENABLED=Shared
TC_EXPERT=No
TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
TRACK_PROVIDERS=Yes
TRACK_RULES=No
USE_DEFAULT_RT=Yes
USE_NFLOG_SIZE=No
USE_PHYSICAL_NAMES=No
USE_RT_NAMES=No
VERBOSE_MESSAGES=Yes
WARNOLDCAPVERSION=Yes
WORKAROUNDS=No
ZERO_MARKS=No
ZONE2ZONE=-
###############################################################################
# P A C K E T D I S P O S I T I O N
###############################################################################
BLACKLIST_DISPOSITION=DROP
INVALID_DISPOSITION=CONTINUE
MACLIST_DISPOSITION=REJECT
RELATED_DISPOSITION=ACCEPT
SFILTER_DISPOSITION=DROP
RPFILTER_DISPOSITION=DROP
SMURF_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP
UNTRACKED_DISPOSITION=CONTINUE
################################################################################
# P A C K E T M A R K L A Y O U T
################################################################################
TC_BITS=
PROVIDER_BITS=
PROVIDER_OFFSET=
MASK_BITS=
ZONE_BITS=0
#LAST LINE -- DO NOT REMOVE
root@rnvhost01:/etc/shorewall6#