Niedermeier Günter wrote: > Hi Tom, > > the trace file is too big to attach to the mailing list, > > so I am sending it to you directly. > > Shorewall was called with "shorewall trace restart -C shell". > Using "shorewall trace restart -C perl" works fine. > > I have also attached my config directory. >
I had just succeeded in reproducing the problem when your post arrived. Attached please find a patch for /usr/share/shorewall-shell/compiler. It works for me in my test cases but please verify it in your case. Thanks, -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ [EMAIL PROTECTED] PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
--- /home/teastep/shorewall/tags/4.0.2/Shorewall-shell/compiler 2007-08-10 07:22:25.000000000 -0700
+++ compiler 2007-08-13 10:14:11.000000000 -0700
@@ -1873,10 +1873,11 @@
if [ -n "$serv" ]; then
for serv1 in $(separate_list $serv); do
for srv in $(firewall_ip_range $serv1); do
+ srv=$(dest_ip_range $srv)
if [ -n "$addr" -a -n "$CONNTRACK_MATCH" ]; then
if [ "$addr" = detect ]; then
indent >&3 << __EOF__
- run_iptables -A $chain $state $proto $ratelimit $multiport $cli $sports $(dest_ip_range $srv) $dports -m conntrack --ctorigdst \$adr $user $mrk -j $target
+ run_iptables -A $chain $state $proto $ratelimit $multiport $cli $sports $srv $dports -m conntrack --ctorigdst \$adr $user $mrk -j $target
done
__EOF__
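Review bot: The added `srv=$(dest_ip_range $srv)` overwrites the `for srv in ...` loop variable in place, so from this line on `$srv` is the expanded form rather than the value `firewall_ip_range` produced, which is easy to miss when reading the rest of the loop body. A one-line comment would make the intent explicit, e.g. `# expand once per address so every rule emitted below reuses the same destination text`, hedged as "presumably" if that is not the actual reason for hoisting it out of the individual rule lines. The enclosing function starts before this hunk and its body continues past it.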
@@ -1884,11 +1885,13 @@
for adr in $(separate_list $addr); do
if [ -n "$loglevel" -a -z "$natrule" ]; then
log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A -m conntrack --ctorigdst $adr \
- $user $mrk $(fix_bang $proto $multiport $sports $cli $(dest_ip_range $srv) $dports) $state
+ $user $mrk $(fix_bang $proto $multiport $sports $cli $srv $dports) $state
fi
- run_iptables2 -A $chain $state $proto $ratelimit $multiport $cli $sports \
- $(dest_ip_range $srv) $dports -m conntrack --ctorigdst $adr $user $mrk -j $target
+ if [ "$logtarget" != LOG ]; then
+ run_iptables2 -A $chain $state $proto $ratelimit $multiport $cli $sports \
+ $srv $dports -m conntrack --ctorigdst $adr $user $mrk -j $target
+ fi
done
fi
else
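Review bot: The new `if [ "$logtarget" != LOG ]; then` guard is independent of the `-n "$loglevel" -a -z "$natrule"` test that decides whether `log_rule_limit` runs, so a rule with logtarget LOG that reaches this loop with `$natrule` set now emits neither the log rule nor the `-j $target` rule — the old code at least emitted the latter. If the compiler rejects a LOG target combined with a NAT rule earlier on this is harmless, but that cannot be confirmed from the hunk; otherwise tie the two conditions together, e.g. `if [ "$logtarget" != LOG -o -n "$natrule" ]; then`, or fail loudly with a fatal error rather than silently dropping the rule. The enclosing function starts and ends outside this hunk.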
@@ -1899,17 +1902,17 @@
if [ -n "$loglevel" -a -z "$natrule" ]; then
log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user $mrk \
- $state $(fix_bang $proto $multiport $sports $cli $(dest_ip_range $srv) $dports)
+ $state $(fix_bang $proto $multiport $sports $cli $srv $dports)
fi
if [ -n "$nonat" ]; then
addnatrule $(dnat_chain $source) $proto $multiport \
- $cli $sports $(dest_ip_range $srv) $dports $ratelimit $user $mrk -j RETURN
+ $cli $sports $srv $dports $ratelimit $user $mrk -j RETURN
fi
- if [ "$logtarget" != NONAT ]; then
+ if [ "$logtarget" != NONAT -a "$logtarget" != LOG ]; then
run_iptables2 -A $chain $state $proto $multiport $cli $sports \
- $(dest_ip_range $srv) $dports $ratelimit $user $mrk -j $target
+ $srv $dports $ratelimit $user $mrk -j $target
fi
fi
done
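Review bot: The test `[ "$logtarget" != NONAT -a "$logtarget" != LOG ]` at the new line `if [ "$logtarget" != NONAT -a "$logtarget" != LOG ]; then` is now the third copy of the same "should a -j $target rule be emitted" decision in this function (the `!= LOG` form in the earlier hunk and the same pair again in the next hunk), so adding another pseudo-target later means editing three places in step. Computing it once near the top of the function, e.g. `emit_target=Yes; [ "$logtarget" = NONAT -o "$logtarget" = LOG ] && emit_target=`, and testing `[ -n "$emit_target" ]` at each site would keep the branches consistent. The enclosing function starts and ends outside this hunk.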
@@ -1929,9 +1932,9 @@
addnatrule $(dnat_chain $source) $proto $multiport \
$cli $sports $dports $ratelimit $user $mrk -j RETURN
- [ "$logtarget" != NONAT ] && \
- run_iptables2 -A $chain $state $proto $multiport $cli $sports \
- $dports $ratelimit $user $mrk -j $target
+ [ "$logtarget" != NONAT -a "$logtarget" != LOG ] && \
+ run_iptables2 -A $chain $state $proto $multiport $cli $sports \
+ $dports $ratelimit $user $mrk -j $target
fi
elif [ -n "$serv" -a "$addr" = detect ]; then
save_command 'done'
@@ -1983,6 +1986,15 @@
fi
fi
fi
+
+ if [ "$logtarget" = LOG -a -z "$KLUDGEFREE" ]; then
+ #
+ # Purge the temporary files that we use to prevent duplicate '-m' specifications
+ #
+ [ -n "$PHYSDEV_MATCH" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
+ [ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
+ fi
+
}
#
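Review bot: In the new cleanup block `$TMP_DIR/physdev` and `$TMP_DIR/iprange` are unquoted in both the `-f` test and the `rm -f`, and since `TMP_DIR` is set outside this hunk an empty or whitespace-containing value would turn the removal into `rm -f /physdev`; use `"${TMP_DIR:?}/physdev"` and `"${TMP_DIR:?}/iprange"` so an unset directory aborts instead. The `[ -f ... ] &&` in front of each `rm -f` is also redundant, as `rm -f` already ignores a missing file, so each line can shrink to `[ -n "$PHYSDEV_MATCH" ] && rm -f "${TMP_DIR:?}/physdev"`. The comment says what the files are for but not why only a LOG target leaves them behind; a sentence along the lines of "the LOG rule consumed the marker but no follow-up rule was emitted, so reset for the next rule" — assuming that is the mechanism, which the hunk does not show — would save the next reader from reconstructing it. The function closes at the `}` in this hunk but its start is outside it.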
