On 06/01/2013 08:37 AM, Tom Eastep wrote:
> On 06/01/2013 08:23 AM, Dash Four wrote:
>>
>>
>> Tom Eastep wrote:
>>> On 06/01/2013 07:22 AM, Dash Four wrote:
>>>
>>>
>>>> IFLOG is the "inline" equivalent of FLOG, which I have posted before:
>>>>
>>>> action.FLOG
>>>> ~~~~~~~~~~~
>>>> ?IF $1
>>>> NFLOG($1,0,1)
>>>> ?ENDIF
>>>> ?IF $2
>>>> ?SET @chain $3 ? $3 : " "
>>>> ?SET @disposition $4 ? $4 : " "
>>>> LOG:info(tcp_options,ip_options,macdecode,tcp_sequence,uid)
>>>> ?END IF
>>>> ?IF $5
>>>> $5
>>>> ?END IF
>>>>
>>>>
>>>
>>> The above doesn't compile -- ?END IF should be ?ENDIF at the very least.
>>>
>> Yeah, I did a quick cut-and-paste from one of my previous posts to save
>> myself the hassle.
>>
>>> I have taken the standard two-interface example and modified it as follows:
>>>
>>> [...]
>>>
>>> What am I missing?
>>>
>> Define a loopback zone on 'lo' and see what happens, which is what these
>> warnings were all about.
>>
>> I am assuming the "all all" catch-all statement does something to that
>> 'loopback' zone, which shorewall doesn't like, hence the warnings. I did
>> not have these warnings before I explicitly defined the loopback zone (I
>> had it as ipv4 before that).
>
> Still no joy:
>
> zones
> -----
> fw firewall
> net ipv4
> loc ipv4
> loop loopback
>
> interfaces
> ----------
>
> net eth0 \
> dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
> loc eth1 tcpflags,nosmurfs,routefilter,logmartians
> loop lo
>
> teastep@gateway:~/shorewall/regressionLibrary/4.5.17$ shorewall check IFLOG/
> Checking...
> Processing
> /home/teastep/shorewall/regressionLibrary/4.5.17/IFLOG/shorewall.conf...
> Checking /home/teastep/shorewall/regressionLibrary/4.5.17/IFLOG/zones...
> Checking
> /home/teastep/shorewall/regressionLibrary/4.5.17/IFLOG/interfaces...
> Determining Hosts in Zones...
> Locating Action Files...
> Checking /home/teastep/shorewall/regressionLibrary/4.5.17/IFLOG/policy...
> Adding Anti-smurf Rules
> Adding rules for DHCP
> Checking TCP Flags filtering...
> Checking Kernel Route Filtering...
> Checking Martian Logging...
> Checking Accept Source Routing...
> Checking /home/teastep/shorewall/regressionLibrary/4.5.17/IFLOG/masq...
> Checking MAC Filtration -- Phase 1...
> Checking /home/teastep/shorewall/regressionLibrary/4.5.17/IFLOG/rules...
> Checking MAC Filtration -- Phase 2...
> Applying Policies...
> Checking /usr/share/shorewall/action.Reject for chain Reject...
> Checking /usr/share/shorewall/action.Broadcast for chain Broadcast...
> Checking /usr/share/shorewall/action.Drop for chain Drop...
> Checking
> /home/teastep/shorewall/regressionLibrary/4.5.17/IFLOG/stoppedrules...
> Shorewall configuration verified
> teastep@gateway:~/shorewall/regressionLibrary/4.5.17$
>
I *can* reproduce it if I modify action.IFLOG as follows:
?IF $5
$5
?ENDIF
?IF $1
NFLOG($1,0,1)
?ENDIF
?IF $2
?SET @chain $3 ? $3 : " "
?SET @disposition $4 ? $4 : " "
LOG:info(tcp_options,ip_options,macdecode,tcp_sequence,uid)
?ENDIF
Here, the second line generates an unqualified 'DROP' rule so the
following rules are unreachable:
Checking /home/teastep/shorewall/regressionLibrary/4.5.17/IFLOG/rules...
WARNING: The rule(s) generated by this entry are unreachable and have
been discarded
/home/teastep/shorewall/regressionLibrary/4.5.17/IFLOG/action.IFLOG
(line 10)
from /home/teastep/shorewall/regressionLibrary/4.5.17/IFLOG/rules
(line 19)
WARNING: The rule(s) generated by this entry are unreachable and have
been discarded
/home/teastep/shorewall/regressionLibrary/4.5.17/IFLOG/action.IFLOG
(line 10)
from /home/teastep/shorewall/regressionLibrary/4.5.17/IFLOG/rules
(line 19)
WARNING: The rule(s) generated by this entry are unreachable and have
been discarded
/home/teastep/shorewall/regressionLibrary/4.5.17/IFLOG/action.IFLOG
(line 10)
from /home/teastep/shorewall/regressionLibrary/4.5.17/IFLOG/rules
(line 19)
WARNING: The rule(s) generated by this entry are unreachable and have
been discarded
/home/teastep/shorewall/regressionLibrary/4.5.17/IFLOG/action.IFLOG
(line 10)
from /home/teastep/shorewall/regressionLibrary/4.5.17/IFLOG/rules
(line 19)
WARNING: The rule(s) generated by this entry are unreachable and have
been discarded
/home/teastep/shorewall/regressionLibrary/4.5.17/IFLOG/action.IFLOG
(line 10)
from /home/teastep/shorewall/regressionLibrary/4.5.17/IFLOG/rules
(line 19)
WARNING: The rule(s) generated by this entry are unreachable and have
been discarded
/home/teastep/shorewall/regressionLibrary/4.5.17/IFLOG/action.IFLOG
(line 10)
from /home/teastep/shorewall/regressionLibrary/4.5.17/IFLOG/rules
(line 19)
WARNING: The rule(s) generated by this entry are unreachable and have
been discarded
/home/teastep/shorewall/regressionLibrary/4.5.17/IFLOG/action.IFLOG
(line 10)
from /home/teastep/shorewall/regressionLibrary/4.5.17/IFLOG/rules
(line 19)
WARNING: The rule(s) generated by this entry are unreachable and have
been discarded
/home/teastep/shorewall/regressionLibrary/4.5.17/IFLOG/action.IFLOG
(line 10)
from /home/teastep/shorewall/regressionLibrary/4.5.17/IFLOG/rules
(line 19)
WARNING: The rule(s) generated by this entry are unreachable and have
been discarded
/home/teastep/shorewall/regressionLibrary/4.5.17/IFLOG/action.IFLOG
(line 10)
from /home/teastep/shorewall/regressionLibrary/4.5.17/IFLOG/rules
(line 19)
WARNING: The rule(s) generated by this entry are unreachable and have
been discarded
/home/teastep/shorewall/regressionLibrary/4.5.17/IFLOG/action.IFLOG
(line 10)
from /home/teastep/shorewall/regressionLibrary/4.5.17/IFLOG/rules
(line 19)
WARNING: The rule(s) generated by this entry are unreachable and have
been discarded
/home/teastep/shorewall/regressionLibrary/4.5.17/IFLOG/action.IFLOG
(line 10)
from /home/teastep/shorewall/regressionLibrary/4.5.17/IFLOG/rules
(line 19)
WARNING: The rule(s) generated by this entry are unreachable and have
been discarded
/home/teastep/shorewall/regressionLibrary/4.5.17/IFLOG/action.IFLOG
(line 10)
from /home/teastep/shorewall/regressionLibrary/4.5.17/IFLOG/rules
(line 19)
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
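
Added example, not part of the original message and not Shorewall's own code: a simplified Python model of the ordering problem described above, where an unqualified terminating rule placed first makes the logging rules after it unreachable. The parameter values, the `?IF` truth test (empty or "0" is false) and the `TERMINATING` set are assumptions made for illustration.

```python
import re

# Assumption: targets that end chain traversal when they match.
TERMINATING = {"ACCEPT", "DROP", "REJECT"}

# The reordered action.IFLOG body from the message above.
ACTION_IFLOG = """\
?IF $5
$5
?ENDIF
?IF $1
NFLOG($1,0,1)
?ENDIF
?IF $2
?SET @chain $3 ? $3 : " "
?SET @disposition $4 ? $4 : " "
LOG:info(tcp_options,ip_options,macdecode,tcp_sequence,uid)
?ENDIF
"""

def expand(text, params):
    """Yield (line_no, rule) for rule lines kept after ?IF $n / ?ENDIF."""
    sub = lambda s: re.sub(r"\$(\d+)", lambda m: params.get(int(m.group(1)), ""), s)
    stack = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("?IF"):
            stack.append(sub(line[3:]).strip() not in ("", "0"))
        elif line.startswith("?ENDIF"):
            stack.pop()
        elif line.startswith("?") or not line:
            continue  # ?SET and blank lines produce no rule
        elif all(stack):
            yield no, sub(line)

def unreachable(text, params):
    """Return line numbers of rules that follow an unqualified terminating rule."""
    dead, blocked = [], False
    for no, rule in expand(text, params):
        if blocked:
            dead.append(no)
            continue
        cols = rule.split()
        target = cols[0].split(":")[0].split("(")[0]
        # Unqualified: no match columns at all, or only "-" wildcards.
        blocked = target in TERMINATING and all(c == "-" for c in cols[1:])
    return dead

# Constructed invocation: no NFLOG group, logging on, disposition DROP.
print(unreachable(ACTION_IFLOG, {1: "", 2: "1", 5: "DROP"}))
```

With these constructed parameters the model flags line 10 of the action, the same line the warnings above point at.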
