On Sunday 11 Dec 2011 23:23:20 Tom Eastep wrote:
>
> I'm unable to reproduce this failure; my kernel doesn't support
> AUDIT_TARGET but the rest are detected properly.
>
> Please look at the code in detect_capabilities() (lib.cli) and try one
> of the failing cases manually. If that works, then I'd like to see
> traces of the command on both releases.
>
> Thanks,
> -Tom
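Tom,
I have attached traces for both releases: the first is from 4.4.26-RC2 and the
second from 4.4.27-Beta2.
From the traces it seems that 4.4.27 is using /sbin/iptables instead of
/usr/local/sbin/iptables. In the 4.4.27 trace, determine_capabilities calls
"mywhich iptables", which searches
/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin and returns the
first executable it finds, /sbin/iptables; the 4.4.26 trace runs every test
with /usr/local/sbin/iptables. With /sbin/iptables, IPP2P_MATCH, IPMARK_TARGET,
LOGMARK_TARGET, ACCOUNT_TARGET, AUDIT_TARGET and CONDITION_MATCH are not set.
I have also attached a copy of my shorewall.conf.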
Steven.
+ [ 1 -gt 1 ]
+ determine_capabilities
+ [ -n /usr/local/sbin/iptables ]
+ [ -z /usr/local/sbin/iptables ]
+ [ ip = ip -o -z ip ]
+ which ip
+ IP=/sbin/ip
+ [ -n /sbin/ip -a -x /sbin/ip ]
+ [ tc = tc -o -z tc ]
+ which tc
+ TC=/sbin/tc
+ [ -n /sbin/tc -a -x /sbin/tc ]
+ qt /usr/local/sbin/iptables -t nat -L -n
+ /usr/local/sbin/iptables -t nat -L -n
+ NAT_ENABLED=Yes
+ qt /usr/local/sbin/iptables -t mangle -L -n
+ /usr/local/sbin/iptables -t mangle -L -n
+ MANGLE_ENABLED=Yes
+ CONNTRACK_MATCH=
+ NEW_CONNTRACK_MATCH=
+ OLD_CONNTRACK_MATCH=
+ MULTIPORT=
+ XMULTIPORT=
+ POLICY_MATCH=
+ PHYSDEV_MATCH=
+ PHYSDEV_BRIDGE=
+ IPRANGE_MATCH=
+ RECENT_MATCH=
+ OWNER_MATCH=
+ IPSET_MATCH=
+ OLD_IPSET_MATCH=
+ IPSET_V5=
+ CONNMARK=
+ XCONNMARK=
+ CONNMARK_MATCH=
+ XCONNMARK_MATCH=
+ RAW_TABLE=
+ RAWPOST_TABLE=
+ IPP2P_MATCH=
+ OLD_IPP2P_MATCH=
+ LENGTH_MATCH=
+ CLASSIFY_TARGET=
+ ENHANCED_REJECT=
+ USEPKTTYPE=
+ KLUDGEFREE=
+ MARK=
+ XMARK=
+ EXMARK=
+ TPROXY_TARGET=
+ MANGLE_FORWARD=
+ COMMENTS=
+ ADDRTYPE=
+ TCPMSS_MATCH=
+ HASHLIMIT_MATCH=
+ NFQUEUE_TARGET=
+ REALM_MATCH=
+ HELPER_MATCH=
+ CONNLIMIT_MATCH=
+ TIME_MATCH=
+ GOTO_TARGET=
+ LOGMARK_TARGET=
+ IPMARK_TARGET=
+ LOG_TARGET=Yes
+ ULOG_TARGET=
+ NFLOG_TARGET=
+ PERSISTENT_SNAT=
+ FLOW_FILTER=
+ FWMARK_RT_MASK=
+ MARK_ANYWHERE=
+ HEADER_MATCH=
+ ACCOUNT_TARGET=
+ AUDIT_TARGET=
+ CONDITION_MATCH=
+ IPTABLES_S=
+ BASIC_FILTER=
+ chain=fooX10163
+ [ -n Yes ]
+ qt /usr/local/sbin/iptables -t nat -N fooX10163
+ /usr/local/sbin/iptables -t nat -N fooX10163
+ qt /usr/local/sbin/iptables -t nat -A fooX10163 -j SNAT --to-source 1.2.3.4
--persistent
+ /usr/local/sbin/iptables -t nat -A fooX10163 -j SNAT --to-source 1.2.3.4
--persistent
+ PERSISTENT_SNAT=Yes
+ qt /usr/local/sbin/iptables -t nat -F fooX10163
+ /usr/local/sbin/iptables -t nat -F fooX10163
+ qt /usr/local/sbin/iptables -t nat -X fooX10163
+ /usr/local/sbin/iptables -t nat -X fooX10163
+ qt /usr/local/sbin/iptables -F fooX10163
+ /usr/local/sbin/iptables -F fooX10163
+ qt /usr/local/sbin/iptables -X fooX10163
+ /usr/local/sbin/iptables -X fooX10163
+ /usr/local/sbin/iptables -N fooX10163
+ chain1=fooX101631
+ qt /usr/local/sbin/iptables -F fooX101631
+ /usr/local/sbin/iptables -F fooX101631
+ qt /usr/local/sbin/iptables -X fooX101631
+ /usr/local/sbin/iptables -X fooX101631
+ /usr/local/sbin/iptables -N fooX101631
+ qt /usr/local/sbin/iptables -A fooX10163 -m state --state ESTABLISHED,RELATED
-j ACCEPT
+ /usr/local/sbin/iptables -A fooX10163 -m state --state ESTABLISHED,RELATED -j
ACCEPT
+ qt /usr/local/sbin/iptables -A fooX10163 -m conntrack --ctorigdst 192.168.1.1
-j ACCEPT
+ /usr/local/sbin/iptables -A fooX10163 -m conntrack --ctorigdst 192.168.1.1 -j
ACCEPT
+ CONNTRACK_MATCH=Yes
+ [ -n Yes ]
+ qt /usr/local/sbin/iptables -A fooX10163 -m conntrack -p tcp --ctorigdstport
22 -j ACCEPT
+ /usr/local/sbin/iptables -A fooX10163 -m conntrack -p tcp --ctorigdstport 22
-j ACCEPT
+ NEW_CONNTRACK_MATCH=Yes
+ qt /usr/local/sbin/iptables -A fooX10163 -m conntrack ! --ctorigdst 1.2.3.4
+ /usr/local/sbin/iptables -A fooX10163 -m conntrack ! --ctorigdst 1.2.3.4
+ qt /usr/local/sbin/iptables -A fooX10163 -p tcp -m multiport --dports 21,22
-j ACCEPT
+ /usr/local/sbin/iptables -A fooX10163 -p tcp -m multiport --dports 21,22 -j
ACCEPT
+ MULTIPORT=Yes
+ qt /usr/local/sbin/iptables -A fooX10163 -p tcp -m multiport --sports 60 -m
multiport --dports 99 -j ACCEPT
+ /usr/local/sbin/iptables -A fooX10163 -p tcp -m multiport --sports 60 -m
multiport --dports 99 -j ACCEPT
+ KLUDEFREE=Yes
+ qt /usr/local/sbin/iptables -A fooX10163 -p tcp -m multiport --dports 21:22
-j ACCEPT
+ /usr/local/sbin/iptables -A fooX10163 -p tcp -m multiport --dports 21:22 -j
ACCEPT
+ XMULTIPORT=Yes
+ qt /usr/local/sbin/iptables -A fooX10163 -m policy --pol ipsec --mode tunnel
--dir in -j ACCEPT
+ /usr/local/sbin/iptables -A fooX10163 -m policy --pol ipsec --mode tunnel
--dir in -j ACCEPT
+ POLICY_MATCH=Yes
+ qt /usr/local/sbin/iptables -A fooX10163 -m physdev --physdev-out eth0 -j
ACCEPT
+ /usr/local/sbin/iptables -A fooX10163 -m physdev --physdev-out eth0 -j ACCEPT
+ PHYSDEV_MATCH=Yes
+ qt /usr/local/sbin/iptables -A fooX10163 -m physdev --physdev-is-bridged
--physdev-in eth0 --physdev-out eth0 -j ACCEPT
+ /usr/local/sbin/iptables -A fooX10163 -m physdev --physdev-is-bridged
--physdev-in eth0 --physdev-out eth0 -j ACCEPT
+ PHYSDEV_BRIDGE=Yes
+ [ -z ]
+ qt /usr/local/sbin/iptables -A fooX10163 -m physdev --physdev-in eth0 -m
physdev --physdev-out eth0 -j ACCEPT
+ /usr/local/sbin/iptables -A fooX10163 -m physdev --physdev-in eth0 -m physdev
--physdev-out eth0 -j ACCEPT
+ KLUDGEFREE=Yes
+ qt /usr/local/sbin/iptables -A fooX10163 -m iprange --src-range
192.168.1.5-192.168.1.124 -j ACCEPT
+ /usr/local/sbin/iptables -A fooX10163 -m iprange --src-range
192.168.1.5-192.168.1.124 -j ACCEPT
+ IPRANGE_MATCH=Yes
+ [ -z Yes ]
+ qt /usr/local/sbin/iptables -A fooX10163 -m recent --update -j ACCEPT
+ /usr/local/sbin/iptables -A fooX10163 -m recent --update -j ACCEPT
+ RECENT_MATCH=Yes
+ qt /usr/local/sbin/iptables -A fooX10163 -m owner --uid-owner 0 -j ACCEPT
+ /usr/local/sbin/iptables -A fooX10163 -m owner --uid-owner 0 -j ACCEPT
+ OWNER_MATCH=Yes
+ qt /usr/local/sbin/iptables -A fooX10163 -m connmark --mark 2 -j ACCEPT
+ /usr/local/sbin/iptables -A fooX10163 -m connmark --mark 2 -j ACCEPT
+ CONNMARK_MATCH=Yes
+ qt /usr/local/sbin/iptables -A fooX10163 -m connmark --mark 2/0xFF -j ACCEPT
+ /usr/local/sbin/iptables -A fooX10163 -m connmark --mark 2/0xFF -j ACCEPT
+ XCONNMARK_MATCH=Yes
+ qt /usr/local/sbin/iptables -A fooX10163 -p tcp -m ipp2p --edk -j ACCEPT
+ /usr/local/sbin/iptables -A fooX10163 -p tcp -m ipp2p --edk -j ACCEPT
+ IPP2P_MATCH=Yes
+ [ -n Yes ]
+ qt /usr/local/sbin/iptables -A fooX10163 -p tcp -m ipp2p --ipp2p -j ACCEPT
+ /usr/local/sbin/iptables -A fooX10163 -p tcp -m ipp2p --ipp2p -j ACCEPT
+ qt /usr/local/sbin/iptables -A fooX10163 -m length --length 10:20 -j ACCEPT
+ /usr/local/sbin/iptables -A fooX10163 -m length --length 10:20 -j ACCEPT
+ LENGTH_MATCH=Yes
+ qt /usr/local/sbin/iptables -A fooX10163 -j REJECT --reject-with
icmp-host-prohibited
+ /usr/local/sbin/iptables -A fooX10163 -j REJECT --reject-with
icmp-host-prohibited
+ ENHANCED_REJECT=Yes
+ qt /usr/local/sbin/iptables -A fooX10163 -j ACCEPT -m comment --comment This
is a comment
+ /usr/local/sbin/iptables -A fooX10163 -j ACCEPT -m comment --comment This is
a comment
+ COMMENTS=Yes
+ [ -n Yes ]
+ qt /usr/local/sbin/iptables -t mangle -N fooX10163
+ /usr/local/sbin/iptables -t mangle -N fooX10163
+ qt /usr/local/sbin/iptables -t mangle -A fooX10163 -j MARK --set-mark 1
+ /usr/local/sbin/iptables -t mangle -A fooX10163 -j MARK --set-mark 1
+ MARK=Yes
+ qt /usr/local/sbin/iptables -t mangle -A fooX10163 -j MARK --and-mark 0xFF
+ /usr/local/sbin/iptables -t mangle -A fooX10163 -j MARK --and-mark 0xFF
+ XMARK=Yes
+ qt /usr/local/sbin/iptables -t mangle -A fooX10163 -j MARK --set-mark 1/0xFF
+ /usr/local/sbin/iptables -t mangle -A fooX10163 -j MARK --set-mark 1/0xFF
+ EXMARK=Yes
+ qt /usr/local/sbin/iptables -t mangle -A fooX10163 -j CONNMARK --save-mark
+ /usr/local/sbin/iptables -t mangle -A fooX10163 -j CONNMARK --save-mark
+ CONNMARK=Yes
+ qt /usr/local/sbin/iptables -t mangle -A fooX10163 -j CONNMARK --save-mark
--mask 0xFF
+ /usr/local/sbin/iptables -t mangle -A fooX10163 -j CONNMARK --save-mark
--mask 0xFF
+ XCONNMARK=Yes
+ qt /usr/local/sbin/iptables -t mangle -A fooX10163 -j CLASSIFY --set-class 1:1
+ /usr/local/sbin/iptables -t mangle -A fooX10163 -j CLASSIFY --set-class 1:1
+ CLASSIFY_TARGET=Yes
+ qt /usr/local/sbin/iptables -t mangle -A fooX10163 -j IPMARK --addr src
+ /usr/local/sbin/iptables -t mangle -A fooX10163 -j IPMARK --addr src
+ IPMARK_TARGET=Yes
+ qt /usr/local/sbin/iptables -t mangle -A fooX10163 -p tcp -j TPROXY --on-port
0 --tproxy-mark 1
+ /usr/local/sbin/iptables -t mangle -A fooX10163 -p tcp -j TPROXY --on-port 0
--tproxy-mark 1
+ TPROXY_TARGET=Yes
+ qt /usr/local/sbin/iptables -t mangle -F fooX10163
+ /usr/local/sbin/iptables -t mangle -F fooX10163
+ qt /usr/local/sbin/iptables -t mangle -X fooX10163
+ /usr/local/sbin/iptables -t mangle -X fooX10163
+ qt /usr/local/sbin/iptables -t mangle -L FORWARD -n
+ /usr/local/sbin/iptables -t mangle -L FORWARD -n
+ MANGLE_FORWARD=Yes
+ qt /usr/local/sbin/iptables -t raw -L -n
+ /usr/local/sbin/iptables -t raw -L -n
+ RAW_TABLE=Yes
+ qt /usr/local/sbin/iptables -t rawpost -L -n
+ /usr/local/sbin/iptables -t rawpost -L -n
+ RAWPOST_TABLE=Yes
+ qt mywhich ipset
+ mywhich ipset
+ qt ipset -X fooX10163
+ ipset -X fooX10163
+ local have_ipset
+ qt ipset -N fooX10163 hash:ip family inet
+ ipset -N fooX10163 hash:ip family inet
+ IPSET_V5=Yes
+ have_ipset=Yes
+ [ -n Yes ]
+ qt /usr/local/sbin/iptables -A fooX10163 -m set --match-set fooX10163 src -j
ACCEPT
+ /usr/local/sbin/iptables -A fooX10163 -m set --match-set fooX10163 src -j
ACCEPT
+ qt /usr/local/sbin/iptables -D fooX10163 -m set --match-set fooX10163 src -j
ACCEPT
+ /usr/local/sbin/iptables -D fooX10163 -m set --match-set fooX10163 src -j
ACCEPT
+ IPSET_MATCH=Yes
+ qt ipset -X fooX10163
+ ipset -X fooX10163
+ qt /usr/local/sbin/iptables -A fooX10163 -m pkttype --pkt-type broadcast -j
ACCEPT
+ /usr/local/sbin/iptables -A fooX10163 -m pkttype --pkt-type broadcast -j
ACCEPT
+ USEPKTTYPE=Yes
+ qt /usr/local/sbin/iptables -A fooX10163 -m addrtype --src-type BROADCAST -j
ACCEPT
+ /usr/local/sbin/iptables -A fooX10163 -m addrtype --src-type BROADCAST -j
ACCEPT
+ ADDRTYPE=Yes
+ qt /usr/local/sbin/iptables -A fooX10163 -p tcp --tcp-flags SYN,RST SYN -m
tcpmss --mss 1000:1500 -j ACCEPT
+ /usr/local/sbin/iptables -A fooX10163 -p tcp --tcp-flags SYN,RST SYN -m
tcpmss --mss 1000:1500 -j ACCEPT
+ TCPMSS_MATCH=Yes
+ qt /usr/local/sbin/iptables -A fooX10163 -m hashlimit --hashlimit-upto 4
--hashlimit-burst 5 --hashlimit-name fooX10163 --hashlimit-mode dstip -j ACCEPT
+ /usr/local/sbin/iptables -A fooX10163 -m hashlimit --hashlimit-upto 4
--hashlimit-burst 5 --hashlimit-name fooX10163 --hashlimit-mode dstip -j ACCEPT
+ HASHLIMIT_MATCH=Yes
+ [ -z Yes ]
+ qt /usr/local/sbin/iptables -A fooX10163 -j NFQUEUE --queue-num 4
+ /usr/local/sbin/iptables -A fooX10163 -j NFQUEUE --queue-num 4
+ NFQUEUE_TARGET=Yes
+ qt /usr/local/sbin/iptables -A fooX10163 -m realm --realm 4
+ /usr/local/sbin/iptables -A fooX10163 -m realm --realm 4
+ REALM_MATCH=Yes
+ qt /usr/local/sbin/iptables -A fooX10163 -m helper --helper ftp
+ /usr/local/sbin/iptables -A fooX10163 -m helper --helper ftp
+ HELPER_MATCH=Yes
+ qt /usr/local/sbin/iptables -A fooX10163 -m connlimit --connlimit-above 8 -j
DROP
+ /usr/local/sbin/iptables -A fooX10163 -m connlimit --connlimit-above 8 -j DROP
+ CONNLIMIT_MATCH=Yes
+ qt /usr/local/sbin/iptables -A fooX10163 -m time --timestart 23:00 -j DROP
+ /usr/local/sbin/iptables -A fooX10163 -m time --timestart 23:00 -j DROP
+ TIME_MATCH=Yes
+ qt /usr/local/sbin/iptables -A fooX10163 -g fooX101631
+ /usr/local/sbin/iptables -A fooX10163 -g fooX101631
+ GOTO_TARGET=Yes
+ qt /usr/local/sbin/iptables -A fooX10163 -j LOGMARK
+ /usr/local/sbin/iptables -A fooX10163 -j LOGMARK
+ LOGMARK_TARGET=Yes
+ qt /usr/local/sbin/iptables -A fooX10163 -j LOG
+ /usr/local/sbin/iptables -A fooX10163 -j LOG
+ qt /usr/local/sbin/iptables -A fooX10163 -j ULOG
+ /usr/local/sbin/iptables -A fooX10163 -j ULOG
+ ULOG_TARGET=Yes
+ qt /usr/local/sbin/iptables -A fooX10163 -j NFLOG
+ /usr/local/sbin/iptables -A fooX10163 -j NFLOG
+ NFLOG_TARGET=Yes
+ qt /usr/local/sbin/iptables -A fooX10163 -j MARK --set-mark 5
+ /usr/local/sbin/iptables -A fooX10163 -j MARK --set-mark 5
+ MARK_ANYWHERE=Yes
+ qt /usr/local/sbin/iptables -A fooX10163 -j ACCOUNT --addr 192.168.1.0/29
--tname fooX10163
+ /usr/local/sbin/iptables -A fooX10163 -j ACCOUNT --addr 192.168.1.0/29
--tname fooX10163
+ ACCOUNT_TARGET=Yes
+ qt /usr/local/sbin/iptables -A fooX10163 -j AUDIT --type drop
+ /usr/local/sbin/iptables -A fooX10163 -j AUDIT --type drop
+ AUDIT_TARGET=Yes
+ qt /usr/local/sbin/iptables -A fooX10163 -m condition --condition foo
+ /usr/local/sbin/iptables -A fooX10163 -m condition --condition foo
+ CONDITION_MATCH=Yes
+ qt /usr/local/sbin/iptables -S INPUT
+ /usr/local/sbin/iptables -S INPUT
+ IPTABLES_S=Yes
+ qt /usr/local/sbin/iptables -F fooX10163
+ /usr/local/sbin/iptables -F fooX10163
+ qt /usr/local/sbin/iptables -X fooX10163
+ /usr/local/sbin/iptables -X fooX10163
+ qt /usr/local/sbin/iptables -F fooX101631
+ /usr/local/sbin/iptables -F fooX101631
+ qt /usr/local/sbin/iptables -X fooX101631
+ /usr/local/sbin/iptables -X fooX101631
+ [ -n /sbin/tc ]
+ grep -q ^Usage
+ /sbin/tc filter add flow help
+ FLOW_FILTER=Yes
+ [ -n /sbin/tc ]
+ grep -q ^Usage
+ /sbin/tc filter add basic help
+ BASIC_FILTER=Yes
+ [ -n /sbin/ip ]
+ grep -q /MASK
+ /sbin/ip rule add help
+ FWMARK_RT_MASK=Yes
+ CAPVERSION=40426
+ sed -e s/-.*//
+ uname -r
+ KERNELVERSION=3.0
+ sed -e s/^\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2/g
+ echo 3.0
+ printf %d%02d00 3 0
+ KERNELVERSION=30000
+ VERBOSITY=2
+ [ -n Yes ]
+ report_capabilities1
+ echo #
#
+ date
+ echo # Shorewall 4.4.26-RC2 detected the following iptables/netfilter
capabilities - Sun Dec 11 23:54:52 GMT 2011
# Shorewall 4.4.26-RC2 detected the following iptables/netfilter capabilities -
Sun Dec 11 23:54:52 GMT 2011
+ echo #
#
+ report_capability1 NAT_ENABLED
+ eval echo NAT_ENABLED=$NAT_ENABLED
+ echo NAT_ENABLED=Yes
NAT_ENABLED=Yes
+ report_capability1 MANGLE_ENABLED
+ eval echo MANGLE_ENABLED=$MANGLE_ENABLED
+ echo MANGLE_ENABLED=Yes
MANGLE_ENABLED=Yes
+ report_capability1 MULTIPORT
+ eval echo MULTIPORT=$MULTIPORT
+ echo MULTIPORT=Yes
MULTIPORT=Yes
+ report_capability1 XMULTIPORT
+ eval echo XMULTIPORT=$XMULTIPORT
+ echo XMULTIPORT=Yes
XMULTIPORT=Yes
+ report_capability1 CONNTRACK_MATCH
+ eval echo CONNTRACK_MATCH=$CONNTRACK_MATCH
+ echo CONNTRACK_MATCH=Yes
CONNTRACK_MATCH=Yes
+ report_capability1 NEW_CONNTRACK_MATCH
+ eval echo NEW_CONNTRACK_MATCH=$NEW_CONNTRACK_MATCH
+ echo NEW_CONNTRACK_MATCH=Yes
NEW_CONNTRACK_MATCH=Yes
+ report_capability1 OLD_CONNTRACK_MATCH
+ eval echo OLD_CONNTRACK_MATCH=$OLD_CONNTRACK_MATCH
+ echo OLD_CONNTRACK_MATCH=
OLD_CONNTRACK_MATCH=
+ report_capability1 USEPKTTYPE
+ eval echo USEPKTTYPE=$USEPKTTYPE
+ echo USEPKTTYPE=Yes
USEPKTTYPE=Yes
+ report_capability1 POLICY_MATCH
+ eval echo POLICY_MATCH=$POLICY_MATCH
+ echo POLICY_MATCH=Yes
POLICY_MATCH=Yes
+ report_capability1 PHYSDEV_MATCH
+ eval echo PHYSDEV_MATCH=$PHYSDEV_MATCH
+ echo PHYSDEV_MATCH=Yes
PHYSDEV_MATCH=Yes
+ report_capability1 PHYSDEV_BRIDGE
+ eval echo PHYSDEV_BRIDGE=$PHYSDEV_BRIDGE
+ echo PHYSDEV_BRIDGE=Yes
PHYSDEV_BRIDGE=Yes
+ report_capability1 LENGTH_MATCH
+ eval echo LENGTH_MATCH=$LENGTH_MATCH
+ echo LENGTH_MATCH=Yes
LENGTH_MATCH=Yes
+ report_capability1 IPRANGE_MATCH
+ eval echo IPRANGE_MATCH=$IPRANGE_MATCH
+ echo IPRANGE_MATCH=Yes
IPRANGE_MATCH=Yes
+ report_capability1 RECENT_MATCH
+ eval echo RECENT_MATCH=$RECENT_MATCH
+ echo RECENT_MATCH=Yes
RECENT_MATCH=Yes
+ report_capability1 OWNER_MATCH
+ eval echo OWNER_MATCH=$OWNER_MATCH
+ echo OWNER_MATCH=Yes
OWNER_MATCH=Yes
+ report_capability1 IPSET_MATCH
+ eval echo IPSET_MATCH=$IPSET_MATCH
+ echo IPSET_MATCH=Yes
IPSET_MATCH=Yes
+ report_capability1 OLD_IPSET_MATCH
+ eval echo OLD_IPSET_MATCH=$OLD_IPSET_MATCH
+ echo OLD_IPSET_MATCH=
OLD_IPSET_MATCH=
+ report_capability1 CONNMARK
+ eval echo CONNMARK=$CONNMARK
+ echo CONNMARK=Yes
CONNMARK=Yes
+ report_capability1 XCONNMARK
+ eval echo XCONNMARK=$XCONNMARK
+ echo XCONNMARK=Yes
XCONNMARK=Yes
+ report_capability1 CONNMARK_MATCH
+ eval echo CONNMARK_MATCH=$CONNMARK_MATCH
+ echo CONNMARK_MATCH=Yes
CONNMARK_MATCH=Yes
+ report_capability1 XCONNMARK_MATCH
+ eval echo XCONNMARK_MATCH=$XCONNMARK_MATCH
+ echo XCONNMARK_MATCH=Yes
XCONNMARK_MATCH=Yes
+ report_capability1 RAW_TABLE
+ eval echo RAW_TABLE=$RAW_TABLE
+ echo RAW_TABLE=Yes
RAW_TABLE=Yes
+ report_capability1 RAWPOST_TABLE
+ eval echo RAWPOST_TABLE=$RAWPOST_TABLE
+ echo RAWPOST_TABLE=Yes
RAWPOST_TABLE=Yes
+ report_capability1 IPP2P_MATCH
+ eval echo IPP2P_MATCH=$IPP2P_MATCH
+ echo IPP2P_MATCH=Yes
IPP2P_MATCH=Yes
+ report_capability1 OLD_IPP2P_MATCH
+ eval echo OLD_IPP2P_MATCH=$OLD_IPP2P_MATCH
+ echo OLD_IPP2P_MATCH=
OLD_IPP2P_MATCH=
+ report_capability1 CLASSIFY_TARGET
+ eval echo CLASSIFY_TARGET=$CLASSIFY_TARGET
+ echo CLASSIFY_TARGET=Yes
CLASSIFY_TARGET=Yes
+ report_capability1 ENHANCED_REJECT
+ eval echo ENHANCED_REJECT=$ENHANCED_REJECT
+ echo ENHANCED_REJECT=Yes
ENHANCED_REJECT=Yes
+ report_capability1 KLUDGEFREE
+ eval echo KLUDGEFREE=$KLUDGEFREE
+ echo KLUDGEFREE=Yes
KLUDGEFREE=Yes
+ report_capability1 MARK
+ eval echo MARK=$MARK
+ echo MARK=Yes
MARK=Yes
+ report_capability1 XMARK
+ eval echo XMARK=$XMARK
+ echo XMARK=Yes
XMARK=Yes
+ report_capability1 EXMARK
+ eval echo EXMARK=$EXMARK
+ echo EXMARK=Yes
EXMARK=Yes
+ report_capability1 MANGLE_FORWARD
+ eval echo MANGLE_FORWARD=$MANGLE_FORWARD
+ echo MANGLE_FORWARD=Yes
MANGLE_FORWARD=Yes
+ report_capability1 COMMENTS
+ eval echo COMMENTS=$COMMENTS
+ echo COMMENTS=Yes
COMMENTS=Yes
+ report_capability1 ADDRTYPE
+ eval echo ADDRTYPE=$ADDRTYPE
+ echo ADDRTYPE=Yes
ADDRTYPE=Yes
+ report_capability1 TCPMSS_MATCH
+ eval echo TCPMSS_MATCH=$TCPMSS_MATCH
+ echo TCPMSS_MATCH=Yes
TCPMSS_MATCH=Yes
+ report_capability1 HASHLIMIT_MATCH
+ eval echo HASHLIMIT_MATCH=$HASHLIMIT_MATCH
+ echo HASHLIMIT_MATCH=Yes
HASHLIMIT_MATCH=Yes
+ report_capability1 OLD_HL_MATCH
+ eval echo OLD_HL_MATCH=$OLD_HL_MATCH
+ echo OLD_HL_MATCH=
OLD_HL_MATCH=
+ report_capability1 NFQUEUE_TARGET
+ eval echo NFQUEUE_TARGET=$NFQUEUE_TARGET
+ echo NFQUEUE_TARGET=Yes
NFQUEUE_TARGET=Yes
+ report_capability1 REALM_MATCH
+ eval echo REALM_MATCH=$REALM_MATCH
+ echo REALM_MATCH=Yes
REALM_MATCH=Yes
+ report_capability1 HELPER_MATCH
+ eval echo HELPER_MATCH=$HELPER_MATCH
+ echo HELPER_MATCH=Yes
HELPER_MATCH=Yes
+ report_capability1 CONNLIMIT_MATCH
+ eval echo CONNLIMIT_MATCH=$CONNLIMIT_MATCH
+ echo CONNLIMIT_MATCH=Yes
CONNLIMIT_MATCH=Yes
+ report_capability1 TIME_MATCH
+ eval echo TIME_MATCH=$TIME_MATCH
+ echo TIME_MATCH=Yes
TIME_MATCH=Yes
+ report_capability1 GOTO_TARGET
+ eval echo GOTO_TARGET=$GOTO_TARGET
+ echo GOTO_TARGET=Yes
GOTO_TARGET=Yes
+ report_capability1 LOGMARK_TARGET
+ eval echo LOGMARK_TARGET=$LOGMARK_TARGET
+ echo LOGMARK_TARGET=Yes
LOGMARK_TARGET=Yes
+ report_capability1 IPMARK_TARGET
+ eval echo IPMARK_TARGET=$IPMARK_TARGET
+ echo IPMARK_TARGET=Yes
IPMARK_TARGET=Yes
+ report_capability1 LOG_TARGET
+ eval echo LOG_TARGET=$LOG_TARGET
+ echo LOG_TARGET=Yes
LOG_TARGET=Yes
+ report_capability1 ULOG_TARGET
+ eval echo ULOG_TARGET=$ULOG_TARGET
+ echo ULOG_TARGET=Yes
ULOG_TARGET=Yes
+ report_capability1 NFLOG_TARGET
+ eval echo NFLOG_TARGET=$NFLOG_TARGET
+ echo NFLOG_TARGET=Yes
NFLOG_TARGET=Yes
+ report_capability1 PERSISTENT_SNAT
+ eval echo PERSISTENT_SNAT=$PERSISTENT_SNAT
+ echo PERSISTENT_SNAT=Yes
PERSISTENT_SNAT=Yes
+ report_capability1 TPROXY_TARGET
+ eval echo TPROXY_TARGET=$TPROXY_TARGET
+ echo TPROXY_TARGET=Yes
TPROXY_TARGET=Yes
+ report_capability1 FLOW_FILTER
+ eval echo FLOW_FILTER=$FLOW_FILTER
+ echo FLOW_FILTER=Yes
FLOW_FILTER=Yes
+ report_capability1 FWMARK_RT_MASK
+ eval echo FWMARK_RT_MASK=$FWMARK_RT_MASK
+ echo FWMARK_RT_MASK=Yes
FWMARK_RT_MASK=Yes
+ report_capability1 MARK_ANYWHERE
+ eval echo MARK_ANYWHERE=$MARK_ANYWHERE
+ echo MARK_ANYWHERE=Yes
MARK_ANYWHERE=Yes
+ report_capability1 HEADER_MATCH
+ eval echo HEADER_MATCH=$HEADER_MATCH
+ echo HEADER_MATCH=
HEADER_MATCH=
+ report_capability1 ACCOUNT_TARGET
+ eval echo ACCOUNT_TARGET=$ACCOUNT_TARGET
+ echo ACCOUNT_TARGET=Yes
ACCOUNT_TARGET=Yes
+ report_capability1 AUDIT_TARGET
+ eval echo AUDIT_TARGET=$AUDIT_TARGET
+ echo AUDIT_TARGET=Yes
AUDIT_TARGET=Yes
+ report_capability1 IPSET_V5
+ eval echo IPSET_V5=$IPSET_V5
+ echo IPSET_V5=Yes
IPSET_V5=Yes
+ report_capability1 CONDITION_MATCH
+ eval echo CONDITION_MATCH=$CONDITION_MATCH
+ echo CONDITION_MATCH=Yes
CONDITION_MATCH=Yes
+ report_capability1 IPTABLES_S
+ eval echo IPTABLES_S=$IPTABLES_S
+ echo IPTABLES_S=Yes
IPTABLES_S=Yes
+ report_capability1 BASIC_FILTER
+ eval echo BASIC_FILTER=$BASIC_FILTER
+ echo BASIC_FILTER=Yes
BASIC_FILTER=Yes
+ echo CAPVERSION=40426
CAPVERSION=40426
+ echo KERNELVERSION=30000
KERNELVERSION=30000
+ [ 1 -gt 1 ]
+ determine_capabilities
+ local tool
+ local chain
+ local chain1
+ [ 4 -eq 4 ]
+ tool=iptables
+ mywhich iptables
+ local dir
+ split /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
+ local ifs
+ ifs=
+ IFS=:
+ echo /sbin /bin /usr/sbin /usr/bin /usr/local/bin /usr/local/sbin
+ IFS=
+ [ -x /sbin/iptables ]
+ echo /sbin/iptables
+ return 0
+ g_tool=/sbin/iptables
+ [ -z /sbin/iptables ]
+ qt /sbin/iptables -t nat -L -n
+ /sbin/iptables -t nat -L -n
+ NAT_ENABLED=Yes
+ qt /sbin/iptables -t mangle -L -n
+ /sbin/iptables -t mangle -L -n
+ MANGLE_ENABLED=Yes
+ [ ip = ip -o -z ip ]
+ which ip
+ IP=/sbin/ip
+ [ -n /sbin/ip -a -x /sbin/ip ]
+ [ tc = tc -o -z tc ]
+ which tc
+ TC=/sbin/tc
+ [ -n /sbin/tc -a -x /sbin/tc ]
+ CONNTRACK_MATCH=
+ NEW_CONNTRACK_MATCH=
+ OLD_CONNTRACK_MATCH=
+ MULTIPORT=
+ XMULTIPORT=
+ POLICY_MATCH=
+ PHYSDEV_MATCH=
+ PHYSDEV_BRIDGE=
+ IPRANGE_MATCH=
+ RECENT_MATCH=
+ OWNER_MATCH=
+ IPSET_MATCH=
+ OLD_IPSET_MATCH=
+ IPSET_V5=
+ CONNMARK=
+ XCONNMARK=
+ CONNMARK_MATCH=
+ XCONNMARK_MATCH=
+ RAW_TABLE=
+ RAWPOST_TABLE=
+ IPP2P_MATCH=
+ OLD_IPP2P_MATCH=
+ LENGTH_MATCH=
+ CLASSIFY_TARGET=
+ ENHANCED_REJECT=
+ USEPKTTYPE=
+ KLUDGEFREE=
+ MARK=
+ XMARK=
+ EXMARK=
+ TPROXY_TARGET=
+ MANGLE_FORWARD=
+ COMMENTS=
+ ADDRTYPE=
+ TCPMSS_MATCH=
+ HASHLIMIT_MATCH=
+ NFQUEUE_TARGET=
+ REALM_MATCH=
+ HELPER_MATCH=
+ CONNLIMIT_MATCH=
+ TIME_MATCH=
+ GOTO_TARGET=
+ LOGMARK_TARGET=
+ IPMARK_TARGET=
+ LOG_TARGET=Yes
+ ULOG_TARGET=
+ NFLOG_TARGET=
+ PERSISTENT_SNAT=
+ FLOW_FILTER=
+ FWMARK_RT_MASK=
+ MARK_ANYWHERE=
+ HEADER_MATCH=
+ ACCOUNT_TARGET=
+ AUDIT_TARGET=
+ CONDITION_MATCH=
+ IPTABLES_S=
+ BASIC_FILTER=
+ CT_TARGET=
+ chain=fooX8904
+ [ -n Yes ]
+ qt /sbin/iptables -t nat -N fooX8904
+ /sbin/iptables -t nat -N fooX8904
+ qt /sbin/iptables -t nat -A fooX8904 -j SNAT --to-source 1.2.3.4 --persistent
+ /sbin/iptables -t nat -A fooX8904 -j SNAT --to-source 1.2.3.4 --persistent
+ PERSISTENT_SNAT=Yes
+ qt /sbin/iptables -t nat -F fooX8904
+ /sbin/iptables -t nat -F fooX8904
+ qt /sbin/iptables -t nat -X fooX8904
+ /sbin/iptables -t nat -X fooX8904
+ qt /sbin/iptables -F fooX8904
+ /sbin/iptables -F fooX8904
+ qt /sbin/iptables -X fooX8904
+ /sbin/iptables -X fooX8904
+ /sbin/iptables -N fooX8904
+ chain1=fooX89041
+ qt /sbin/iptables -F fooX89041
+ /sbin/iptables -F fooX89041
+ qt /sbin/iptables -X fooX89041
+ /sbin/iptables -X fooX89041
+ /sbin/iptables -N fooX89041
+ qt /sbin/iptables -A fooX8904 -m state --state ESTABLISHED,RELATED -j ACCEPT
+ /sbin/iptables -A fooX8904 -m state --state ESTABLISHED,RELATED -j ACCEPT
+ [ 4 -eq 4 ]
+ qt /sbin/iptables -A fooX8904 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT
+ /sbin/iptables -A fooX8904 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT
+ CONNTRACK_MATCH=Yes
+ [ -n Yes ]
+ qt /sbin/iptables -A fooX8904 -m conntrack -p tcp --ctorigdstport 22 -j ACCEPT
+ /sbin/iptables -A fooX8904 -m conntrack -p tcp --ctorigdstport 22 -j ACCEPT
+ NEW_CONNTRACK_MATCH=Yes
+ [ 4 -eq 4 ]
+ qt /sbin/iptables -A fooX8904 -m conntrack ! --ctorigdst 1.2.3.4
+ /sbin/iptables -A fooX8904 -m conntrack ! --ctorigdst 1.2.3.4
+ qt /sbin/iptables -A fooX8904 -p tcp -m multiport --dports 21,22 -j ACCEPT
+ /sbin/iptables -A fooX8904 -p tcp -m multiport --dports 21,22 -j ACCEPT
+ MULTIPORT=Yes
+ qt /sbin/iptables -A fooX8904 -p tcp -m multiport --sports 60 -m multiport
--dports 99 -j ACCEPT
+ /sbin/iptables -A fooX8904 -p tcp -m multiport --sports 60 -m multiport
--dports 99 -j ACCEPT
+ KLUDEFREE=Yes
+ qt /sbin/iptables -A fooX8904 -p tcp -m multiport --dports 21:22 -j ACCEPT
+ /sbin/iptables -A fooX8904 -p tcp -m multiport --dports 21:22 -j ACCEPT
+ XMULTIPORT=Yes
+ qt /sbin/iptables -A fooX8904 -m policy --pol ipsec --mode tunnel --dir in -j
ACCEPT
+ /sbin/iptables -A fooX8904 -m policy --pol ipsec --mode tunnel --dir in -j
ACCEPT
+ POLICY_MATCH=Yes
+ qt /sbin/iptables -A fooX8904 -m physdev --physdev-out eth0 -j ACCEPT
+ /sbin/iptables -A fooX8904 -m physdev --physdev-out eth0 -j ACCEPT
+ PHYSDEV_MATCH=Yes
+ qt /sbin/iptables -A fooX8904 -m physdev --physdev-is-bridged --physdev-in
eth0 --physdev-out eth0 -j ACCEPT
+ /sbin/iptables -A fooX8904 -m physdev --physdev-is-bridged --physdev-in eth0
--physdev-out eth0 -j ACCEPT
+ PHYSDEV_BRIDGE=Yes
+ [ -z ]
+ qt /sbin/iptables -A fooX8904 -m physdev --physdev-in eth0 -m physdev
--physdev-out eth0 -j ACCEPT
+ /sbin/iptables -A fooX8904 -m physdev --physdev-in eth0 -m physdev
--physdev-out eth0 -j ACCEPT
+ KLUDGEFREE=Yes
+ [ 4 -eq 4 ]
+ qt /sbin/iptables -A fooX8904 -m iprange --src-range
192.168.1.5-192.168.1.124 -j ACCEPT
+ /sbin/iptables -A fooX8904 -m iprange --src-range 192.168.1.5-192.168.1.124
-j ACCEPT
+ IPRANGE_MATCH=Yes
+ [ -z Yes ]
+ qt /sbin/iptables -A fooX8904 -m recent --update -j ACCEPT
+ /sbin/iptables -A fooX8904 -m recent --update -j ACCEPT
+ RECENT_MATCH=Yes
+ qt /sbin/iptables -A fooX8904 -m owner --uid-owner 0 -j ACCEPT
+ /sbin/iptables -A fooX8904 -m owner --uid-owner 0 -j ACCEPT
+ OWNER_MATCH=Yes
+ qt /sbin/iptables -A fooX8904 -m connmark --mark 2 -j ACCEPT
+ /sbin/iptables -A fooX8904 -m connmark --mark 2 -j ACCEPT
+ CONNMARK_MATCH=Yes
+ qt /sbin/iptables -A fooX8904 -m connmark --mark 2/0xFF -j ACCEPT
+ /sbin/iptables -A fooX8904 -m connmark --mark 2/0xFF -j ACCEPT
+ XCONNMARK_MATCH=Yes
+ qt /sbin/iptables -A fooX8904 -p tcp -m ipp2p --edk -j ACCEPT
+ /sbin/iptables -A fooX8904 -p tcp -m ipp2p --edk -j ACCEPT
+ [ -n ]
+ qt /sbin/iptables -A fooX8904 -m length --length 10:20 -j ACCEPT
+ /sbin/iptables -A fooX8904 -m length --length 10:20 -j ACCEPT
+ LENGTH_MATCH=Yes
+ [ 4 -eq 4 ]
+ qt /sbin/iptables -A fooX8904 -j REJECT --reject-with icmp-host-prohibited
+ /sbin/iptables -A fooX8904 -j REJECT --reject-with icmp-host-prohibited
+ ENHANCED_REJECT=Yes
+ qt /sbin/iptables -A fooX8904 -j ACCEPT -m comment --comment This is a comment
+ /sbin/iptables -A fooX8904 -j ACCEPT -m comment --comment This is a comment
+ COMMENTS=Yes
+ [ -n Yes ]
+ qt /sbin/iptables -t mangle -N fooX8904
+ /sbin/iptables -t mangle -N fooX8904
+ qt /sbin/iptables -t mangle -A fooX8904 -j MARK --set-mark 1
+ /sbin/iptables -t mangle -A fooX8904 -j MARK --set-mark 1
+ MARK=Yes
+ qt /sbin/iptables -t mangle -A fooX8904 -j MARK --and-mark 0xFF
+ /sbin/iptables -t mangle -A fooX8904 -j MARK --and-mark 0xFF
+ XMARK=Yes
+ qt /sbin/iptables -t mangle -A fooX8904 -j MARK --set-mark 1/0xFF
+ /sbin/iptables -t mangle -A fooX8904 -j MARK --set-mark 1/0xFF
+ EXMARK=Yes
+ qt /sbin/iptables -t mangle -A fooX8904 -j CONNMARK --save-mark
+ /sbin/iptables -t mangle -A fooX8904 -j CONNMARK --save-mark
+ CONNMARK=Yes
+ qt /sbin/iptables -t mangle -A fooX8904 -j CONNMARK --save-mark --mask 0xFF
+ /sbin/iptables -t mangle -A fooX8904 -j CONNMARK --save-mark --mask 0xFF
+ XCONNMARK=Yes
+ qt /sbin/iptables -t mangle -A fooX8904 -j CLASSIFY --set-class 1:1
+ /sbin/iptables -t mangle -A fooX8904 -j CLASSIFY --set-class 1:1
+ CLASSIFY_TARGET=Yes
+ qt /sbin/iptables -t mangle -A fooX8904 -j IPMARK --addr src
+ /sbin/iptables -t mangle -A fooX8904 -j IPMARK --addr src
+ qt /sbin/iptables -t mangle -A fooX8904 -p tcp -j TPROXY --on-port 0
--tproxy-mark 1
+ /sbin/iptables -t mangle -A fooX8904 -p tcp -j TPROXY --on-port 0
--tproxy-mark 1
+ TPROXY_TARGET=Yes
+ qt /sbin/iptables -t mangle -F fooX8904
+ /sbin/iptables -t mangle -F fooX8904
+ qt /sbin/iptables -t mangle -X fooX8904
+ /sbin/iptables -t mangle -X fooX8904
+ qt /sbin/iptables -t mangle -L FORWARD -n
+ /sbin/iptables -t mangle -L FORWARD -n
+ MANGLE_FORWARD=Yes
+ qt /sbin/iptables -t raw -L -n
+ /sbin/iptables -t raw -L -n
+ RAW_TABLE=Yes
+ qt /sbin/iptables -t rawpost -L -n
+ /sbin/iptables -t rawpost -L -n
+ RAWPOST_TABLE=Yes
+ [ -n Yes ]
+ qt /sbin/iptables -t raw -N fooX8904
+ /sbin/iptables -t raw -N fooX8904
+ qt /sbin/iptables -t raw -A fooX8904 -j CT --notrack
+ /sbin/iptables -t raw -A fooX8904 -j CT --notrack
+ CT_TARGET=Yes
+ qt /sbin/iptables -t raw -N fooX8904
+ /sbin/iptables -t raw -N fooX8904
+ qt /sbin/iptables -t raw -F fooX8904
+ /sbin/iptables -t raw -F fooX8904
+ qt /sbin/iptables -t raw -X fooX8904
+ /sbin/iptables -t raw -X fooX8904
+ qt mywhich ipset
+ mywhich ipset
+ qt ipset -X fooX8904
+ ipset -X fooX8904
+ local have_ipset
+ [ 4 -eq 4 ]
+ qt ipset -N fooX8904 hash:ip family inet
+ ipset -N fooX8904 hash:ip family inet
+ IPSET_V5=Yes
+ have_ipset=Yes
+ [ -n Yes ]
+ qt /sbin/iptables -A fooX8904 -m set --match-set fooX8904 src -j ACCEPT
+ /sbin/iptables -A fooX8904 -m set --match-set fooX8904 src -j ACCEPT
+ qt /sbin/iptables -D fooX8904 -m set --match-set fooX8904 src -j ACCEPT
+ /sbin/iptables -D fooX8904 -m set --match-set fooX8904 src -j ACCEPT
+ IPSET_MATCH=Yes
+ qt ipset -X fooX8904
+ ipset -X fooX8904
+ qt /sbin/iptables -A fooX8904 -m pkttype --pkt-type broadcast -j ACCEPT
+ /sbin/iptables -A fooX8904 -m pkttype --pkt-type broadcast -j ACCEPT
+ USEPKTTYPE=Yes
+ qt /sbin/iptables -A fooX8904 -m addrtype --src-type BROADCAST -j ACCEPT
+ /sbin/iptables -A fooX8904 -m addrtype --src-type BROADCAST -j ACCEPT
+ ADDRTYPE=Yes
+ qt /sbin/iptables -A fooX8904 -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss
1000:1500 -j ACCEPT
+ /sbin/iptables -A fooX8904 -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss
1000:1500 -j ACCEPT
+ TCPMSS_MATCH=Yes
+ qt /sbin/iptables -A fooX8904 -m hashlimit --hashlimit-upto 4
--hashlimit-burst 5 --hashlimit-name fooX8904 --hashlimit-mode dstip -j ACCEPT
+ /sbin/iptables -A fooX8904 -m hashlimit --hashlimit-upto 4 --hashlimit-burst
5 --hashlimit-name fooX8904 --hashlimit-mode dstip -j ACCEPT
+ HASHLIMIT_MATCH=Yes
+ [ -z Yes ]
+ qt /sbin/iptables -A fooX8904 -j NFQUEUE --queue-num 4
+ /sbin/iptables -A fooX8904 -j NFQUEUE --queue-num 4
+ NFQUEUE_TARGET=Yes
+ qt /sbin/iptables -A fooX8904 -m realm --realm 4
+ /sbin/iptables -A fooX8904 -m realm --realm 4
+ REALM_MATCH=Yes
+ qt /sbin/iptables -A fooX8904 -m helper --helper ftp
+ /sbin/iptables -A fooX8904 -m helper --helper ftp
+ HELPER_MATCH=Yes
+ qt /sbin/iptables -A fooX8904 -m connlimit --connlimit-above 8 -j DROP
+ /sbin/iptables -A fooX8904 -m connlimit --connlimit-above 8 -j DROP
+ CONNLIMIT_MATCH=Yes
+ qt /sbin/iptables -A fooX8904 -m time --timestart 23:00 -j DROP
+ /sbin/iptables -A fooX8904 -m time --timestart 23:00 -j DROP
+ TIME_MATCH=Yes
+ qt /sbin/iptables -A fooX8904 -g fooX89041
+ /sbin/iptables -A fooX8904 -g fooX89041
+ GOTO_TARGET=Yes
+ qt /sbin/iptables -A fooX8904 -j LOGMARK
+ /sbin/iptables -A fooX8904 -j LOGMARK
+ qt /sbin/iptables -A fooX8904 -j LOG
+ /sbin/iptables -A fooX8904 -j LOG
+ qt /sbin/iptables -A fooX8904 -j ULOG
+ /sbin/iptables -A fooX8904 -j ULOG
+ ULOG_TARGET=Yes
+ qt /sbin/iptables -A fooX8904 -j NFLOG
+ /sbin/iptables -A fooX8904 -j NFLOG
+ NFLOG_TARGET=Yes
+ qt /sbin/iptables -A fooX8904 -j MARK --set-mark 5
+ /sbin/iptables -A fooX8904 -j MARK --set-mark 5
+ MARK_ANYWHERE=Yes
+ [ 4 -eq 4 ]
+ qt /sbin/iptables -A fooX8904 -j ACCOUNT --addr 192.168.1.0/29 --tname
fooX8904
+ /sbin/iptables -A fooX8904 -j ACCOUNT --addr 192.168.1.0/29 --tname fooX8904
+ qt /sbin/iptables -A fooX8904 -j AUDIT --type drop
+ /sbin/iptables -A fooX8904 -j AUDIT --type drop
+ qt /sbin/iptables -A fooX8904 -m condition --condition foo
+ /sbin/iptables -A fooX8904 -m condition --condition foo
+ qt /sbin/iptables -S INPUT
+ /sbin/iptables -S INPUT
+ IPTABLES_S=Yes
+ qt /sbin/iptables -F fooX8904
+ /sbin/iptables -F fooX8904
+ qt /sbin/iptables -X fooX8904
+ /sbin/iptables -X fooX8904
+ qt /sbin/iptables -F fooX89041
+ /sbin/iptables -F fooX89041
+ qt /sbin/iptables -X fooX89041
+ /sbin/iptables -X fooX89041
+ [ -n /sbin/tc ]
+ grep -q ^Usage
+ /sbin/tc filter add flow help
+ FLOW_FILTER=Yes
+ [ -n /sbin/tc ]
+ grep -q ^Usage
+ /sbin/tc filter add basic help
+ BASIC_FILTER=Yes
+ [ -n /sbin/ip ]
+ grep -q /MASK
+ /sbin/ip rule add help
+ FWMARK_RT_MASK=Yes
+ CAPVERSION=40427
+ sed -e s/-.*//
+ uname -r
+ KERNELVERSION=3.0
+ sed -e s/^\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2/g
+ echo 3.0
+ printf %d%02d00 3 0
+ KERNELVERSION=30000
+ VERBOSITY=2
+ [ -n Yes ]
+ report_capabilities1
+ echo #
#
+ date
+ echo # Shorewall 4.4.27-Beta2 detected the following iptables/netfilter capabilities - Sun Dec 11 23:44:14 GMT 2011
# Shorewall 4.4.27-Beta2 detected the following iptables/netfilter capabilities - Sun Dec 11 23:44:14 GMT 2011
+ echo #
#
+ report_capability1 NAT_ENABLED
+ eval echo NAT_ENABLED=$NAT_ENABLED
+ echo NAT_ENABLED=Yes
NAT_ENABLED=Yes
+ report_capability1 MANGLE_ENABLED
+ eval echo MANGLE_ENABLED=$MANGLE_ENABLED
+ echo MANGLE_ENABLED=Yes
MANGLE_ENABLED=Yes
+ report_capability1 MULTIPORT
+ eval echo MULTIPORT=$MULTIPORT
+ echo MULTIPORT=Yes
MULTIPORT=Yes
+ report_capability1 XMULTIPORT
+ eval echo XMULTIPORT=$XMULTIPORT
+ echo XMULTIPORT=Yes
XMULTIPORT=Yes
+ report_capability1 CONNTRACK_MATCH
+ eval echo CONNTRACK_MATCH=$CONNTRACK_MATCH
+ echo CONNTRACK_MATCH=Yes
CONNTRACK_MATCH=Yes
+ report_capability1 NEW_CONNTRACK_MATCH
+ eval echo NEW_CONNTRACK_MATCH=$NEW_CONNTRACK_MATCH
+ echo NEW_CONNTRACK_MATCH=Yes
NEW_CONNTRACK_MATCH=Yes
+ report_capability1 OLD_CONNTRACK_MATCH
+ eval echo OLD_CONNTRACK_MATCH=$OLD_CONNTRACK_MATCH
+ echo OLD_CONNTRACK_MATCH=
OLD_CONNTRACK_MATCH=
+ report_capability1 USEPKTTYPE
+ eval echo USEPKTTYPE=$USEPKTTYPE
+ echo USEPKTTYPE=Yes
USEPKTTYPE=Yes
+ report_capability1 POLICY_MATCH
+ eval echo POLICY_MATCH=$POLICY_MATCH
+ echo POLICY_MATCH=Yes
POLICY_MATCH=Yes
+ report_capability1 PHYSDEV_MATCH
+ eval echo PHYSDEV_MATCH=$PHYSDEV_MATCH
+ echo PHYSDEV_MATCH=Yes
PHYSDEV_MATCH=Yes
+ report_capability1 PHYSDEV_BRIDGE
+ eval echo PHYSDEV_BRIDGE=$PHYSDEV_BRIDGE
+ echo PHYSDEV_BRIDGE=Yes
PHYSDEV_BRIDGE=Yes
+ report_capability1 LENGTH_MATCH
+ eval echo LENGTH_MATCH=$LENGTH_MATCH
+ echo LENGTH_MATCH=Yes
LENGTH_MATCH=Yes
+ report_capability1 IPRANGE_MATCH
+ eval echo IPRANGE_MATCH=$IPRANGE_MATCH
+ echo IPRANGE_MATCH=Yes
IPRANGE_MATCH=Yes
+ report_capability1 RECENT_MATCH
+ eval echo RECENT_MATCH=$RECENT_MATCH
+ echo RECENT_MATCH=Yes
RECENT_MATCH=Yes
+ report_capability1 OWNER_MATCH
+ eval echo OWNER_MATCH=$OWNER_MATCH
+ echo OWNER_MATCH=Yes
OWNER_MATCH=Yes
+ report_capability1 IPSET_MATCH
+ eval echo IPSET_MATCH=$IPSET_MATCH
+ echo IPSET_MATCH=Yes
IPSET_MATCH=Yes
+ report_capability1 OLD_IPSET_MATCH
+ eval echo OLD_IPSET_MATCH=$OLD_IPSET_MATCH
+ echo OLD_IPSET_MATCH=
OLD_IPSET_MATCH=
+ report_capability1 CONNMARK
+ eval echo CONNMARK=$CONNMARK
+ echo CONNMARK=Yes
CONNMARK=Yes
+ report_capability1 XCONNMARK
+ eval echo XCONNMARK=$XCONNMARK
+ echo XCONNMARK=Yes
XCONNMARK=Yes
+ report_capability1 CONNMARK_MATCH
+ eval echo CONNMARK_MATCH=$CONNMARK_MATCH
+ echo CONNMARK_MATCH=Yes
CONNMARK_MATCH=Yes
+ report_capability1 XCONNMARK_MATCH
+ eval echo XCONNMARK_MATCH=$XCONNMARK_MATCH
+ echo XCONNMARK_MATCH=Yes
XCONNMARK_MATCH=Yes
+ report_capability1 RAW_TABLE
+ eval echo RAW_TABLE=$RAW_TABLE
+ echo RAW_TABLE=Yes
RAW_TABLE=Yes
+ report_capability1 RAWPOST_TABLE
+ eval echo RAWPOST_TABLE=$RAWPOST_TABLE
+ echo RAWPOST_TABLE=Yes
RAWPOST_TABLE=Yes
+ report_capability1 IPP2P_MATCH
+ eval echo IPP2P_MATCH=$IPP2P_MATCH
+ echo IPP2P_MATCH=
IPP2P_MATCH=
+ report_capability1 OLD_IPP2P_MATCH
+ eval echo OLD_IPP2P_MATCH=$OLD_IPP2P_MATCH
+ echo OLD_IPP2P_MATCH=
OLD_IPP2P_MATCH=
+ report_capability1 CLASSIFY_TARGET
+ eval echo CLASSIFY_TARGET=$CLASSIFY_TARGET
+ echo CLASSIFY_TARGET=Yes
CLASSIFY_TARGET=Yes
+ report_capability1 ENHANCED_REJECT
+ eval echo ENHANCED_REJECT=$ENHANCED_REJECT
+ echo ENHANCED_REJECT=Yes
ENHANCED_REJECT=Yes
+ report_capability1 KLUDGEFREE
+ eval echo KLUDGEFREE=$KLUDGEFREE
+ echo KLUDGEFREE=Yes
KLUDGEFREE=Yes
+ report_capability1 MARK
+ eval echo MARK=$MARK
+ echo MARK=Yes
MARK=Yes
+ report_capability1 XMARK
+ eval echo XMARK=$XMARK
+ echo XMARK=Yes
XMARK=Yes
+ report_capability1 EXMARK
+ eval echo EXMARK=$EXMARK
+ echo EXMARK=Yes
EXMARK=Yes
+ report_capability1 MANGLE_FORWARD
+ eval echo MANGLE_FORWARD=$MANGLE_FORWARD
+ echo MANGLE_FORWARD=Yes
MANGLE_FORWARD=Yes
+ report_capability1 COMMENTS
+ eval echo COMMENTS=$COMMENTS
+ echo COMMENTS=Yes
COMMENTS=Yes
+ report_capability1 ADDRTYPE
+ eval echo ADDRTYPE=$ADDRTYPE
+ echo ADDRTYPE=Yes
ADDRTYPE=Yes
+ report_capability1 TCPMSS_MATCH
+ eval echo TCPMSS_MATCH=$TCPMSS_MATCH
+ echo TCPMSS_MATCH=Yes
TCPMSS_MATCH=Yes
+ report_capability1 HASHLIMIT_MATCH
+ eval echo HASHLIMIT_MATCH=$HASHLIMIT_MATCH
+ echo HASHLIMIT_MATCH=Yes
HASHLIMIT_MATCH=Yes
+ report_capability1 OLD_HL_MATCH
+ eval echo OLD_HL_MATCH=$OLD_HL_MATCH
+ echo OLD_HL_MATCH=
OLD_HL_MATCH=
+ report_capability1 NFQUEUE_TARGET
+ eval echo NFQUEUE_TARGET=$NFQUEUE_TARGET
+ echo NFQUEUE_TARGET=Yes
NFQUEUE_TARGET=Yes
+ report_capability1 REALM_MATCH
+ eval echo REALM_MATCH=$REALM_MATCH
+ echo REALM_MATCH=Yes
REALM_MATCH=Yes
+ report_capability1 HELPER_MATCH
+ eval echo HELPER_MATCH=$HELPER_MATCH
+ echo HELPER_MATCH=Yes
HELPER_MATCH=Yes
+ report_capability1 CONNLIMIT_MATCH
+ eval echo CONNLIMIT_MATCH=$CONNLIMIT_MATCH
+ echo CONNLIMIT_MATCH=Yes
CONNLIMIT_MATCH=Yes
+ report_capability1 TIME_MATCH
+ eval echo TIME_MATCH=$TIME_MATCH
+ echo TIME_MATCH=Yes
TIME_MATCH=Yes
+ report_capability1 GOTO_TARGET
+ eval echo GOTO_TARGET=$GOTO_TARGET
+ echo GOTO_TARGET=Yes
GOTO_TARGET=Yes
+ report_capability1 LOGMARK_TARGET
+ eval echo LOGMARK_TARGET=$LOGMARK_TARGET
+ echo LOGMARK_TARGET=
LOGMARK_TARGET=
+ report_capability1 IPMARK_TARGET
+ eval echo IPMARK_TARGET=$IPMARK_TARGET
+ echo IPMARK_TARGET=
IPMARK_TARGET=
+ report_capability1 LOG_TARGET
+ eval echo LOG_TARGET=$LOG_TARGET
+ echo LOG_TARGET=Yes
LOG_TARGET=Yes
+ report_capability1 ULOG_TARGET
+ eval echo ULOG_TARGET=$ULOG_TARGET
+ echo ULOG_TARGET=Yes
ULOG_TARGET=Yes
+ report_capability1 NFLOG_TARGET
+ eval echo NFLOG_TARGET=$NFLOG_TARGET
+ echo NFLOG_TARGET=Yes
NFLOG_TARGET=Yes
+ report_capability1 PERSISTENT_SNAT
+ eval echo PERSISTENT_SNAT=$PERSISTENT_SNAT
+ echo PERSISTENT_SNAT=Yes
PERSISTENT_SNAT=Yes
+ report_capability1 TPROXY_TARGET
+ eval echo TPROXY_TARGET=$TPROXY_TARGET
+ echo TPROXY_TARGET=Yes
TPROXY_TARGET=Yes
+ report_capability1 FLOW_FILTER
+ eval echo FLOW_FILTER=$FLOW_FILTER
+ echo FLOW_FILTER=Yes
FLOW_FILTER=Yes
+ report_capability1 FWMARK_RT_MASK
+ eval echo FWMARK_RT_MASK=$FWMARK_RT_MASK
+ echo FWMARK_RT_MASK=Yes
FWMARK_RT_MASK=Yes
+ report_capability1 MARK_ANYWHERE
+ eval echo MARK_ANYWHERE=$MARK_ANYWHERE
+ echo MARK_ANYWHERE=Yes
MARK_ANYWHERE=Yes
+ report_capability1 HEADER_MATCH
+ eval echo HEADER_MATCH=$HEADER_MATCH
+ echo HEADER_MATCH=
HEADER_MATCH=
+ report_capability1 ACCOUNT_TARGET
+ eval echo ACCOUNT_TARGET=$ACCOUNT_TARGET
+ echo ACCOUNT_TARGET=
ACCOUNT_TARGET=
+ report_capability1 AUDIT_TARGET
+ eval echo AUDIT_TARGET=$AUDIT_TARGET
+ echo AUDIT_TARGET=
AUDIT_TARGET=
+ report_capability1 IPSET_V5
+ eval echo IPSET_V5=$IPSET_V5
+ echo IPSET_V5=Yes
IPSET_V5=Yes
+ report_capability1 CONDITION_MATCH
+ eval echo CONDITION_MATCH=$CONDITION_MATCH
+ echo CONDITION_MATCH=
CONDITION_MATCH=
+ report_capability1 IPTABLES_S
+ eval echo IPTABLES_S=$IPTABLES_S
+ echo IPTABLES_S=Yes
IPTABLES_S=Yes
+ report_capability1 BASIC_FILTER
+ eval echo BASIC_FILTER=$BASIC_FILTER
+ echo BASIC_FILTER=Yes
BASIC_FILTER=Yes
+ report_capability1 CT_TARGET
+ eval echo CT_TARGET=$CT_TARGET
+ echo CT_TARGET=Yes
CT_TARGET=Yes
+ echo CAPVERSION=40427
CAPVERSION=40427
+ echo KERNELVERSION=30000
KERNELVERSION=30000
###############################################################################
#
# Shorewall Version 4 -- /etc/shorewall/shorewall.conf
#
# For information about the settings in this file, type "man shorewall.conf"
#
# Manpage also online at http://www.shorewall.net/manpages/shorewall.conf.html
#
# This is the configuration attached to the report. Every setting below is a
# plain NAME=value shell assignment; the file contains no commands.
###############################################################################
# S T A R T U P   E N A B L E D
###############################################################################
STARTUP_ENABLED=Yes
###############################################################################
# V E R B O S I T Y
###############################################################################
VERBOSITY=1
###############################################################################
# L O G G I N G
###############################################################################
BLACKLIST_LOGLEVEL=
# NOTE(review): LOG_MARTIANS=Yes here is paired with ROUTE_FILTER=No further
# down. Presumably these correspond to the kernel log_martians and rp_filter
# settings; if so, reverse-path filtering is left at whatever the system
# already has. Confirm against shorewall.conf(5).
LOG_MARTIANS=Yes
LOG_VERBOSITY=2
LOGALLNEW=
LOGFILE=/var/log/messages
LOGFORMAT="Shorewall:%s:%s:"
LOGTAGONLY=No
LOGLIMIT=
MACLIST_LOG_LEVEL=info
SFILTER_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
STARTUP_LOG=/var/log/shorewall-init.log
TCP_FLAGS_LOG_LEVEL=info
###############################################################################
# L O C A T I O N   O F   F I L E S   A N D   D I R E C T O R I E S
###############################################################################
CONFIG_PATH="/etc/shorewall:/usr/share/shorewall"
# NOTE(review): IPTABLES names /usr/local/sbin/iptables, yet the probes visible
# in the 4.4.27-Beta2 trace earlier in this message all run /sbin/iptables.
# The capability list printed by that trace (for example ACCOUNT_TARGET,
# AUDIT_TARGET and CONDITION_MATCH left empty) therefore describes
# /sbin/iptables, which may not match what the binary configured here supports.
IPTABLES=/usr/local/sbin/iptables
# IP and TC are left empty; the trace tests /sbin/ip and /sbin/tc for them.
IP=
IPSET=
MODULESDIR=
# /sbin is searched first and /usr/local/sbin last, so a lookup of a bare
# "iptables" through this PATH finds /sbin/iptables before the binary named in
# IPTABLES. NOTE(review): this may be how the trace ended up on /sbin/iptables;
# the trace alone does not confirm it.
PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin"
PERL=/usr/bin/perl
RESTOREFILE=
SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK=
TC=
###############################################################################
# D E F A U L T   A C T I O N S / M A C R O S
###############################################################################
ACCEPT_DEFAULT=none
DROP_DEFAULT=Drop
NFQUEUE_DEFAULT=none
QUEUE_DEFAULT=none
REJECT_DEFAULT=Reject
###############################################################################
# R S H / R C P   C O M M A N D S
###############################################################################
# Both values are single-quoted, so the ${files}, ${root}, ${system},
# ${destination} and ${command} placeholders are stored literally when this
# file is read rather than expanded at that point.
# NOTE(review): the code that later expands them into a command line is not
# shown here; confirm it copes with values containing spaces or shell
# metacharacters.
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
RSH_COMMAND='ssh ${root}@${system} ${command}'
###############################################################################
# F I R E W A L L   O P T I O N S
###############################################################################
ACCOUNTING=Yes
ACCOUNTING_TABLE=filter
ADD_IP_ALIASES=No
ADD_SNAT_ALIASES=No
# NOTE(review): presumably governs which traffic is still accepted while the
# firewall is stopped -- confirm the exact behaviour in shorewall.conf(5).
ADMINISABSENTMINDED=Yes
AUTO_COMMENT=Yes
AUTOMAKE=Yes
BLACKLISTNEWONLY=Yes
CLAMPMSS=No
CLEAR_TC=Yes
COMPLETE=No
DELETE_THEN_ADD=Yes
DETECT_DNAT_IPADDRS=No
DISABLE_IPV6=No
DONT_LOAD=
DYNAMIC_BLACKLIST=Yes
EXPAND_POLICIES=Yes
EXPORTMODULES=Yes
FASTACCEPT=No
FORWARD_CLEAR_MARK=
IMPLICIT_CONTINUE=No
IP_FORWARDING=On
KEEP_RT_TABLES=No
LEGACY_FASTSTART=Yes
LOAD_HELPERS_ONLY=No
MACLIST_TABLE=filter
MACLIST_TTL=
MANGLE_ENABLED=Yes
MAPOLDACTIONS=No
MARK_IN_FORWARD_CHAIN=No
MODULE_SUFFIX=ko
MULTICAST=No
MUTEX_TIMEOUT=60
NULL_ROUTE_RFC1918=No
OPTIMIZE=15
OPTIMIZE_ACCOUNTING=No
REQUIRE_INTERFACE=No
RESTORE_DEFAULT_ROUTE=Yes
RETAIN_ALIASES=No
# See the note at LOG_MARTIANS in the logging section of this file.
ROUTE_FILTER=No
SAVE_IPSETS=No
TC_ENABLED=Internal
TC_EXPERT=No
TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
TRACK_PROVIDERS=No
USE_DEFAULT_RT=No
ZONE2ZONE=2
###############################################################################
# P A C K E T   D I S P O S I T I O N
###############################################################################
# Every disposition below is DROP except MACLIST_DISPOSITION, which is REJECT.
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=REJECT
SMURF_DISPOSITION=DROP
SFILTER_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP
################################################################################
# P A C K E T   M A R K   L A Y O U T
################################################################################
TC_BITS=8
PROVIDER_BITS=8
PROVIDER_OFFSET=0
MASK_BITS=8
ZONE_BITS=0
################################################################################
# L E G A C Y   O P T I O N
# D O   N O T   D E L E T E   O R   A L T E R
################################################################################
IPSECFILE=zones