On 7/2/10 12:14 PM, Tom Eastep wrote:
> On 7/2/10 9:23 AM, Steven Jan Springl wrote:
>> Tom
>>
>> If a Shorewall configuration has a zone with type ipsec and a zone with type
>> vserver and the vserver zone does not have the ipsec option specified in the
>> hosts file then "shorewall debug start" produces the following error:
>>
>> iptables: Invalid argument. Run `dmesg' for more information.
>> ERROR: Command "/usr/local/sbin/iptables -A eth0_in -m policy --dir
>> in --pol none -m policy --dir out --pol none -d 10.0.0.0/24 -j lan2vsr"
>> Failed
>>
>> dmesg produces the following:
>>
>> xt_policy: output policy not valid in PREROUTING and INPUT
>>
>> A copy of the Shorewall config is attached.
>
> Thanks, Steven.
>
> Please see if the attached patch corrects the problem.

Bogus patch -- please try this one in its place.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

--- /usr/share/shorewall/Shorewall/Chains.pm 2010-07-02 12:38:19.000000000
-0700
+++ Shorewall/Chains.pm 2010-07-02 12:36:19.000000000 -0700
@@ -2556,10 +2556,10 @@
my $zoneref = find_zone( $zone );
my $optionsref = $zoneref->{options};
- unless ( $optionsref->{super} ) {
+ unless ( $optionsref->{super} || $zoneref->{type} == VSERVER ) {
$match = '-m policy --dir in --pol ';
- if ( $zoneref->{type} eq 'ipsec' ) {
+ if ( $zoneref->{type} == IPSEC ) {
$match .= "ipsec
$optionsref->{in_out}{ipsec}$optionsref->{in}{ipsec}";
} elsif ( have_ipsec ) {
$match .= "$hostref->{ipsec}
$optionsref->{in_out}{ipsec}$optionsref->{in}{ipsec}";
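Review bot: the added `|| $zoneref->{type} == VSERVER` test in the `unless` skips the whole block for vserver zones, so the `elsif ( have_ipsec )` branch that reads `$hostref->{ipsec}` is never reached for them. The report only covers a vserver zone without the ipsec option in the hosts file; if a vserver host entry that does set ipsec is meant to keep its policy match, narrow the condition, and otherwise add a comment on this line saying why vserver zones never get `-m policy --dir in`. It is also worth confirming that the `IPSEC` and `VSERVER` constants are visible in Chains.pm, since going from `eq 'ipsec'` to `== IPSEC` changes the comparison from string to numeric.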
@@ -2580,10 +2580,10 @@
my $zoneref = find_zone( $zone );
my $optionsref = $zoneref->{options};
- unless ( $optionsref->{super} ) {
+ unless ( $optionsref->{super} || $zoneref->{type} == VSERVER ) {
$match = '-m policy --dir out --pol ';
- if ( $zoneref->{type} eq 'ipsec' ) {
+ if ( $zoneref->{type} == IPSEC ) {
$match .= "ipsec
$optionsref->{in_out}{ipsec}$optionsref->{out}{ipsec}";
} elsif ( have_ipsec ) {
$match .= "$hostref->{ipsec}
$optionsref->{in_out}{ipsec}$optionsref->{out}{ipsec}"
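Review bot: the `unless ( $optionsref->{super} || $zoneref->{type} == VSERVER )` condition and the `== IPSEC` test here are a verbatim copy of the ones in the hunk at 2556; the two blocks differ only in `--dir in` versus `--dir out` and the `{in}` versus `{out}` option key. Consider a shared helper that takes the direction as a parameter, so the zone-type test lives in one place and a later fix does not have to be applied twice.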
_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
