Patrick McNeil wrote:
>
> I am running SuSE Linux 10.0 on an i586:
>
>> cat /etc/SuSE-release
> SUSE LINUX 10.0 (i586)
> VERSION = 10.0
>
> The installation is pretty well out-of-the-box, meaning i have only
> installed patches from SuSE, have not recompiled the kernel, etc.
>
> I upgraded to 4.0 this morning using rpm's (installed common and both
> compilers), redid the configuration files (.rpmnew) and everything went
> fine until i did a 'shorewall check' to verify the configuration before
> restarting. The machine froze, for the most part (only the mouse
> pointer and, strangely, the kde volume control worked). I had no
> response otherwise and had to power off the machine to get any control.
> I had the same result with both compilers.
>
> Since the other question was about modules and Tom had a suggestion on
> that one, i took an old /usr/share/shorewall/modules, copied it into
> /etc/shorewall and i could once again at least try to start shorewall.
I didn't completely follow that; you are saying that the machine froze
unconditionally when you used the 4.0.0 modules file (which hasn't changed
since 3.4.2) but did not experience this problem when using some other
modules file?
> I can offer very little information about that problem as the machine
> locks up - any attempt to generate a trace file fails. The last line
> printed on the screen from 'shorewall debug check' was "Loading
> modules...". That was also the last line of a debug print from
> /usr/share/shorewall/lib.base.
I can offer little advice either. Shell scripts, even those that invoke
modprobe, should not be capable of freezing the system.
>
> I have another 'shorewall start' problem that i believe i have seen
> before but i do not seem to remember seeing a solution: there is an
> error in a line in the /var/lib/shorewall/.iptables-restore-input file:
>
> iptables-restore v1.3.3: addrtype: bad type `BROADCAST-j'
> Error occurred at line: 80
> Try `iptables-restore -h' or 'iptables-restore --help' for more
> information.
> ERROR: iptables-restore Failed. Input is in
> /var/lib/shorewall/.iptables-restore-input
> /sbin/shorewall: line 375: 11947 Terminated
> ${VARDIR}/.start $debugging start
>
> The problem is that there is a space missing between "BROADCAST" and
> "-j", but there are other lines which are correct (ie: "BROADCAST -j").
>
Attached is a patch that should correct the problem.
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ [EMAIL PROTECTED]
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
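The failure quoted above (a match value fused with `-j`, as in `BROADCAST-j`) can be caught before `iptables-restore` runs. This is an added example, not part of the original message or of Shorewall; the function name, the heuristic and the sample rules are constructed for illustration.

```python
import re
import shlex

JUMP_FLAGS = {"-j", "--jump", "-g", "--goto"}
# A value token (not an option) that ends in "-j" or "-g": the separator was lost.
FUSED = re.compile(r"^(?P<value>[^-].*?)(?P<flag>-[jg])$")

# Constructed sample in iptables-restore input format (not taken from the thread).
SAMPLE = """\
*filter
:dropBcast - [0:0]
-A dropBcast -m addrtype --dst-type BROADCAST-j LOG --log-level 6 --log-prefix "Shorewall:dropBcast:DROP:"
-A dropBcast -d 224.0.0.0/4-j LOG --log-level 6 --log-prefix "Shorewall:dropBcast:DROP:"
-A dropBcast -m addrtype --dst-type BROADCAST -j DROP
COMMIT
"""


def lint_restore_input(text):
    """Return (line_number, token, suggestion) for rules whose target flag
    is glued onto the preceding match value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        # Only rule lines matter; skip "*table", ":CHAIN", comments and COMMIT.
        if not line.startswith(("-A ", "-I ")):
            continue
        try:
            tokens = shlex.split(line)  # keeps quoted --log-prefix values whole
        except ValueError:
            findings.append((lineno, line, "unbalanced quotes"))
            continue
        if JUMP_FLAGS & set(tokens):
            continue  # the rule has a properly separated target flag
        for tok in tokens:
            m = FUSED.match(tok)
            if m:
                findings.append((lineno, tok, f"{m['value']} {m['flag']}"))
    return findings


if __name__ == "__main__":
    for lineno, tok, fix in lint_restore_input(SAMPLE):
        print(f"line {lineno}: suspicious token {tok!r}, expected {fix!r}")
```

The line numbers it reports count from the top of the file, the same way as the "Error occurred at line" message from `iptables-restore`.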
Index: Shorewall/Rules.pm
===================================================================
--- Shorewall/Rules.pm (revision 6941)
+++ Shorewall/Rules.pm (working copy)
@@ -196,12 +196,8 @@
for my $interface ( @interfaces ) {
my $chainref = ensure_chain 'mangle', ecn_chain( $interface );
- if ( $capabilities{MANGLE_FORWARD} ) {
- add_rule $mangle_table->{POSTROUTING}, "-p tcp -o $interface -j $chainref->{name}";
- } else {
- add_rule $mangle_table->{PREROUTING}, "-p tcp -o $interface -j $chainref->{name}";
- add_rule $mangle_table->{OUTPUT}, "-p tcp -o $interface -j $chainref->{name}";
- }
+ add_rule $mangle_table->{PREROUTING}, "-p tcp -o $interface -j $chainref->{name}";
+ add_rule $mangle_table->{OUTPUT}, "-p tcp -o $interface -j $chainref->{name}";
}
for my $host ( @hosts ) {
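Review bot: the first added line puts a `-o $interface` match into PREROUTING, where the outgoing interface is not yet known and iptables does not accept `-o`. The removed `if ( $capabilities{MANGLE_FORWARD} )` branch put this rule in POSTROUTING, where `-o` is valid; either keep that branch or state why the capability test is being dropped. This hunk is also unrelated to the `BROADCAST-j` error it is mailed with and would be easier to review as a separate change.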
Index: Shorewall/Actions.pm
===================================================================
--- Shorewall/Actions.pm (revision 6941)
+++ Shorewall/Actions.pm (working copy)
@@ -657,8 +657,8 @@
my ($chainref, $level, $tag) = @_;
if ( $level ) {
- log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -m addrtype --dst-type BROADCAST';
- log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4';
+ log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
+ log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ';
}
add_rule $chainref, '-m addrtype --dst-type BROADCAST -j DROP';
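Review bot: padding the two literals in `dropBcast` with a trailing space fixes these call sites only; any other caller of `log_rule_limit` that passes a predicate without a trailing space will still emit a fused `...BROADCAST-j` style token. Consider having `log_rule_limit` insert the separator itself (or trim and re-pad its predicate argument) so the generated rule does not depend on whitespace inside caller strings.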
@@ -669,8 +669,8 @@
my ($chainref, $level, $tag) = @_;
if ( $level ) {
- log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -m addrtype --dst-type BROADCAST';
- log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4';
+ log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
+ log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 ';
}
add_rule $chainref, '-m addrtype --dst-type BROADCAST -j ACCEPT';
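Review bot: `allowBcast` repeats the `dropBcast` body from the previous hunk with only the chain name and target changed, which is why the same whitespace fix had to be made twice. A shared helper taking the chain name and target would keep the two in step; the `add_rule` context line carries its own `-j ACCEPT` and is not affected.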
@@ -769,6 +769,8 @@
$level = '' unless defined $level;
$tag = '' unless defined $tag;
+ $level =~ s/!$//;
+
if ( $targets{$action} & BUILTIN ) {
$level = '' if $level =~ /none!?/;
$builtinops{$action}->($chainref, $level, $tag);
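Review bot: with `$level =~ s/!$//;` placed ahead of the BUILTIN branch, the `!?` in `$level =~ /none!?/` two lines later can no longer see a trailing `!`, and that test is unanchored, so any level containing `none` is cleared. Add a comment saying what the trailing `!` means and why it is safe to discard here, and tighten the later test to `/^none$/` if that is the intent.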
Index: patch-perl-4.0.0-3.diff
===================================================================
--- patch-perl-4.0.0-3.diff (revision 0)
+++ patch-perl-4.0.0-3.diff (revision 0)
@@ -0,0 +1,19 @@
+Index: Shorewall/Rules.pm
+===================================================================
+--- Shorewall/Rules.pm (revision 6941)
++++ Shorewall/Rules.pm (working copy)
+@@ -196,12 +196,8 @@
+ for my $interface ( @interfaces ) {
+ my $chainref = ensure_chain 'mangle', ecn_chain( $interface );
+
+- if ( $capabilities{MANGLE_FORWARD} ) {
+- add_rule $mangle_table->{POSTROUTING}, "-p tcp -o $interface -j $chainref->{name}";
+- } else {
+- add_rule $mangle_table->{PREROUTING}, "-p tcp -o $interface -j $chainref->{name}";
+- add_rule $mangle_table->{OUTPUT}, "-p tcp -o $interface -j $chainref->{name}";
+- }
++ add_rule $mangle_table->{PREROUTING}, "-p tcp -o $interface -j $chainref->{name}";
++ add_rule $mangle_table->{OUTPUT}, "-p tcp -o $interface -j $chainref->{name}";
+ }
+
+ for my $host ( @hosts ) {
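Review bot: `patch-perl-4.0.0-3.diff` is itself a patch file that has been added to the working copy and swept into this diff, and it holds only the `Rules.pm` hunk, not the `Actions.pm` changes. Leave generated patch files out of the diff so that each hunk appears once and the patch applies cleanly.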
