On 5/29/11 7:54 AM, Tom Eastep wrote:
> On 5/29/11 7:01 AM, Steven Jan Springl wrote:
>
>> Using kernel 2.6.39, iptables 1.4.10 and xtables-addons 1.35
>>
>> The following rules file entry:
>>
>> ACCEPT $FW lan tcp 22 - - - !root:root
>>
>> produces the following iptables rule:
>>
>> -A fw2lan -p 6 --dport 22 -m owner ! --uid-owner root ! --gid-owner root -j ACCEPT
>>
>> Which works.
>> After upgrading iptables to 1.4.11 the following iptables-restore error is produced:
>>
>> iptables-restore v1.4.11: owner: option "--uid-owner" cannot be inverted.
>
> Jan Engelhardt (Netfilter developer) has confirmed that this is an
> iptables 1.4.11 bug.
>
>> The following tcrules file entry:
>>
>> IPMARK(dst,-1,-64) $FW eth1 tcp 888
>>
>> produces the following iptables rule:
>>
>> -A OUTPUT -p 6 --dport 888 -o eth1 -j IPMARK --addr dst --and-mask -1 --or-mask -64 --shift 0
>>
>> Which works.
>> After upgrading to iptables 1.4.11 the following iptables-restore error is produced:
>>
>> iptables-restore v1.4.11: IPMARK: Bad value for "and-mask" option: "-1"
>
> The attached patch should catch this one.
I actually prefer this patch. It allows you to specify negative numbers for the masks (which may be helpful) and converts them into 32-bit hex numbers.

-Tom

--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index e52fdb8..68aeb80 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -331,18 +331,18 @@ sub process_tc_rule( ) {
if ( defined $m1 && $m1 ne '' ) {
$val = numeric_value ($m1);
fatal_error "Invalid Mask ($m1)" unless defined
$val && $val && $val <= 0xffffffff;
- $mask1 = $m1;
+ $mask1 = in_hex ( $m1 | 0xffffffff );
}
if ( defined $m2 && $m2 ne '' ) {
$val = numeric_value ($m2);
fatal_error "Invalid Mask ($m2)" unless defined
$val && $val <= 0xffffffff;
- $mask2 = $m2;
+ $mask2 = in_hex ( $m2 | 0xffffffff );
}
if ( defined $s ) {
$val = numeric_value ($s);
- fatal_error "Invalid Shift Bits ($s)" unless
defined $val && $val < 128;
+ fatal_error "Invalid Shift Bits ($s)" unless
defined $val && $val >= 0 && $val < 128;
$shift = $s;
}
} else {
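Review bot: `in_hex ( $m1 | 0xffffffff )` and `in_hex ( $m2 | 0xffffffff )` cannot perform the 32-bit truncation the message describes: bitwise OR with an all-ones mask yields 0xffffffff for every non-negative input (and a 64-bit all-ones value for a negative one on a 64-bit Perl), so every and-mask and or-mask would be rewritten to all bits set. Bitwise AND is the operation that wraps -1 to 0xffffffff and -64 to 0xffffffc0, and it should be applied to the already-validated numeric `$val` rather than to the raw strings `$m1`/`$m2`, since a hex string such as "0xff" numifies to 0 under Perl's numeric operators: `$mask1 = in_hex( $val & 0xffffffff );` and the same for `$mask2`. A second point on the mask checks: now that negative values are accepted, `$val <= 0xffffffff` passes any negative magnitude, so a lower bound such as `$val >= -0x80000000` is needed for the two's-complement conversion to be meaningful. The added `$val >= 0` guard on the shift check is correct.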
_______________________________________________ Shorewall-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-devel
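As an added example (not Shorewall's own Perl code, and written in Python rather than Perl so it can be run stand-alone), here is the mask and shift normalisation the message describes: a tcrules-style operand such as -1, -64 or 0xff is parsed, range-checked and emitted as an 8-digit 32-bit hex string, which is the form the and-mask and or-mask options need once iptables 1.4.11 stops accepting negative decimals. The non-zero rule for the and-mask, the zero-allowed rule for the or-mask and the 0..127 shift range follow the checks in the patch; the function names (parse_int, normalise_mask, normalise_shift, ipmark_args) and the explicit lower bound on negative masks are my own choices.

```python
import re

MASK_BITS = 32
MASK_MAX = (1 << MASK_BITS) - 1          # 0xffffffff
MASK_MIN = -(1 << (MASK_BITS - 1))       # most negative 32-bit two's-complement value (assumed bound)
SHIFT_LIMIT = 128                        # upper bound taken from the patched Shorewall check

_INT_RE = re.compile(r'^\s*(-?)(0[xX][0-9a-fA-F]+|[0-9]+)\s*$')


def parse_int(text):
    """Parse an optionally negative decimal or 0x-prefixed hex literal.

    Returns None for anything that is not a well-formed integer literal,
    mirroring the 'unless defined $val' guard in the Shorewall hunk.
    """
    m = _INT_RE.match(text)
    if m is None:
        return None
    sign, digits = m.groups()
    value = int(digits, 16) if digits[:2].lower() == '0x' else int(digits, 10)
    return -value if sign else value


def normalise_mask(text, allow_zero):
    """Return a mask operand as an 8-digit 0x-prefixed 32-bit hex string.

    Negative inputs are read as 32-bit two's complement (-1 -> 0xffffffff,
    -64 -> 0xffffffc0).  allow_zero=False enforces the non-zero rule the
    hunk applies to the and-mask but not to the or-mask.
    """
    value = parse_int(text)
    if value is None or value < MASK_MIN or value > MASK_MAX:
        raise ValueError(f'Invalid Mask ({text})')
    # Bitwise AND truncates to 32 bits.  Bitwise OR with MASK_MAX would
    # instead turn every mask into all-ones.
    value &= MASK_MAX
    if value == 0 and not allow_zero:
        raise ValueError(f'Invalid Mask ({text})')
    return f'0x{value:08x}'


def normalise_shift(text):
    """Return a shift operand as a decimal string, requiring 0 <= shift < 128."""
    value = parse_int(text)
    if value is None or not 0 <= value < SHIFT_LIMIT:
        raise ValueError(f'Invalid Shift Bits ({text})')
    return str(value)


def ipmark_args(addr, and_mask, or_mask, shift):
    """Build the IPMARK target arguments for one tcrules IPMARK(...) entry.

    For the thread's IPMARK(dst,-1,-64) entry this yields
    '--addr dst --and-mask 0xffffffff --or-mask 0xffffffc0 --shift 0'.
    """
    if addr not in ('src', 'dst'):
        raise ValueError(f'Invalid IPMARK address ({addr})')
    return ['-j', 'IPMARK', '--addr', addr,
            '--and-mask', normalise_mask(and_mask, allow_zero=False),
            '--or-mask', normalise_mask(or_mask, allow_zero=True),
            '--shift', normalise_shift(shift)]


if __name__ == '__main__':
    # Constructed input: the operands from the tcrules entry quoted in the thread.
    print(' '.join(ipmark_args('dst', '-1', '-64', '0')))
```

The check that matters for the bug report is the range test before the AND: without it a value such as 0x100000000 would silently truncate to 0 instead of being rejected as an invalid mask.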
