I am testing Shorewall-perl-4.0.4 with Shorewall-lite-4.0.4 to replace my
large and very slow-to-start Shorewall-2.0.7 configuration. Compilation
succeeds marvelously quickly, but running "shorewall-lite start" fails in
iptables-restore, on the final COMMIT line of
the .iptables-restore-input file.
I have attached the output of "shorewall-lite trace start" and, on a hunch, the
capabilities file; I am sending the compiled firewall script to the
support address.
--
John K. Hohm
<[EMAIL PROTECTED]>
#
# Shorewall detected the following iptables/netfilter capabilities - Wed Oct 3 18:45:09 UTC 2007
#
NAT_ENABLED=Yes
MANGLE_ENABLED=Yes
MULTIPORT=Yes
XMULTIPORT=
CONNTRACK_MATCH=Yes
USEPKTTYPE=Yes
POLICY_MATCH=
PHYSDEV_MATCH=
LENGTH_MATCH=Yes
IPRANGE_MATCH=
RECENT_MATCH=
OWNER_MATCH=
IPSET_MATCH=
CONNMARK=
XCONNMARK=
CONNMARK_MATCH=
XCONNMARK_MATCH=
RAW_TABLE=
IPP2P_MATCH=
CLASSIFY_TARGET=
ENHANCED_REJECT=Yes
KLUDGEFREE=
MARK=Yes
XMARK=
MANGLE_FORWARD=Yes
COMMENTS=
ADDRTYPE=
TCPMSS_MATCH=Yes
HASHLIMIT_MATCH=
NFQUEUE_TARGET=
CAPVERSION=40003
+ shift
+ initialize
+ SHAREDIR=/usr/share/shorewall
+ CONFDIR=/etc/shorewall
+ PRODUCT=Shorewall
+ [ -f /etc/shorewall/vardir ]
+
CONFIG_PATH=/var/lib/shorewall/iris-2.4/:/usr/share/shorewall/configfiles/:/usr/share/shorewall/
+ [ -n /var/lib/shorewall ]
+ TEMPFILE=
+ DISABLE_IPV6=Yes
+ MODULESDIR=
+ MODULE_SUFFIX=
+ LOGFORMAT=Shorewall:%s:%s:
+ SUBSYSLOCK=/var/lock/subsys/shorewall
+ LOCKFILE=
+ LOGLIMIT=
+ LOGTAGONLY=
+ LOGRULENUMBERS=
+ [ -n restart ]
+ [ -n 2 ]
+ [ -n restore ]
+ [ -n Shorewall:%s:%s: ]
+ VERSION=4.0.4
+ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
+ TERMINATOR=fatal_error
+ [ -z /sbin/iptables ]
+ [ -n /sbin/iptables -a -x /sbin/iptables ]
+ IPTABLES_RESTORE=/sbin/iptables-restore
+ [ -x /sbin/iptables-restore ]
+ STOPPING=
+ [ -d /var/lib/shorewall ]
+ qt /sbin/iptables -N foox1234
+ /sbin/iptables -N foox1234
+ qt /sbin/iptables -A foox1234 -m state --state ESTABLISHED,RELATED -j ACCEPT
+ /sbin/iptables -A foox1234 -m state --state ESTABLISHED,RELATED -j ACCEPT
+ result=0
+ qt /sbin/iptables -F foox1234
+ /sbin/iptables -F foox1234
+ qt /sbin/iptables -X foox1234
+ /sbin/iptables -X foox1234
+ [ 0 = 0 ]
+ finished=0
+ [ 0 -eq 0 -a 1 -gt 0 ]
+ option=start
+ finished=1
+ [ 1 -eq 0 -a 1 -gt 0 ]
+ [ 1 -ne 1 ]
+ COMMAND=start
+ [ -n Shorewall ]
+ shorewall_is_started
+ qt /sbin/iptables -L shorewall -n
+ /sbin/iptables -L shorewall -n
+ progress_message3 Starting Shorewall....
+ local timestamp=
+ [ 2 -ge 0 ]
+ [ -n ]
+ echo Starting Shorewall....
+ define_firewall
+ clear_routing_and_traffic_shaping
+ progress_message2 Initializing...
+ local timestamp=
+ [ 2 -gt 0 ]
+ [ -n ]
+ echo Initializing...
+ load_kernel_modules Yes
+ local save_modules_dir=
+ local directory
+ local moduledirectories=
+ local moduleloader=modprobe
+ local savemoduleinfo=Yes
+ qt mywhich modprobe
+ mywhich modprobe
+ moduleloader=insmod
+ [ -n o gz ko o.gz ko.gz ]
+ [ -z ]
+ uname -r
+ uname -r
+
MODULESDIR=/lib/modules/2.4.33/kernel/net/ipv4/netfilter:/lib/modules/2.4.33/kernel/net/netfilter
+ split
/lib/modules/2.4.33/kernel/net/ipv4/netfilter:/lib/modules/2.4.33/kernel/net/netfilter
+ local ifs=
+ IFS=:
+ echo /lib/modules/2.4.33/kernel/net/ipv4/netfilter
/lib/modules/2.4.33/kernel/net/netfilter
+ IFS=
+ [ -d /lib/modules/2.4.33/kernel/net/ipv4/netfilter ]
+ [ -d /lib/modules/2.4.33/kernel/net/netfilter ]
+ find_file modules
+ local saveifs= directory
+ split
/var/lib/shorewall/iris-2.4/:/usr/share/shorewall/configfiles/:/usr/share/shorewall/
+ local ifs=
+ IFS=:
+ echo /var/lib/shorewall/iris-2.4/ /usr/share/shorewall/configfiles/
/usr/share/shorewall/
+ IFS=
+ [ -f /var/lib/shorewall/iris-2.4//modules ]
+ [ -f /usr/share/shorewall/configfiles//modules ]
+ [ -f /usr/share/shorewall//modules ]
+ echo /etc/shorewall/modules
+ modules=/etc/shorewall/modules
+ [ -f /etc/shorewall/modules -a -n ]
+ [ Yes = Yes ]
+ [ -d /var/lib/shorewall ]
+
+
+ MODULESDIR=
+ [ start = refresh ]
+ run_init_exit
+ progress_message2 Processing /var/lib/shorewall/iris-2.4/init ...
+ local timestamp=
+ [ 2 -gt 0 ]
+ [ -n ]
+ echo Processing /var/lib/shorewall/iris-2.4/init ...
+ qt /sbin/iptables -L shorewall -n
+ /sbin/iptables -L shorewall -n
+ delete_proxyarp
+ [ -f /var/lib/shorewall/proxyarp ]
+ rm -f /var/lib/shorewall/proxyarp
+ [ -f /var/lib/shorewall/nat ]
+ delete_tc1
+ run_user_exit tcclear
+ find_file tcclear
+ local saveifs= directory
+ split
/var/lib/shorewall/iris-2.4/:/usr/share/shorewall/configfiles/:/usr/share/shorewall/
+ local ifs=
+ IFS=:
+ echo /var/lib/shorewall/iris-2.4/ /usr/share/shorewall/configfiles/
/usr/share/shorewall/
+ IFS=
+ [ -f /var/lib/shorewall/iris-2.4//tcclear ]
+ [ -f /usr/share/shorewall/configfiles//tcclear ]
+ [ -f /usr/share/shorewall//tcclear ]
+ echo /etc/shorewall/tcclear
+ local user_exit=/etc/shorewall/tcclear
+ [ -f /etc/shorewall/tcclear ]
+ run_ip link list
+ ip link list
+ read inx interface details
+ clear_one_tc lo
+ tc qdisc del dev lo root
+ tc qdisc del dev lo ingress
+ read inx interface details
+ read inx interface details
+ clear_one_tc dummy0
+ tc qdisc del dev dummy0 root
+ tc qdisc del dev dummy0 ingress
+ read inx interface details
+ read inx interface details
+ clear_one_tc eth0
+ tc qdisc del dev eth0 root
+ tc qdisc del dev eth0 ingress
+ read inx interface details
+ read inx interface details
+ clear_one_tc cir0
+ tc qdisc del dev cir0 root
+ tc qdisc del dev cir0 ingress
+ read inx interface details
+ read inx interface details
+ clear_one_tc c40
+ tc qdisc del dev c40 root
+ tc qdisc del dev c40 ingress
+ read inx interface details
+ read inx interface details
+ clear_one_tc fv0
+ tc qdisc del dev fv0 root
+ tc qdisc del dev fv0 ingress
+ read inx interface details
+ read inx interface details
+ clear_one_tc ibl0
+ tc qdisc del dev ibl0 root
+ tc qdisc del dev ibl0 ingress
+ read inx interface details
+ read inx interface details
+ clear_one_tc swc0
+ tc qdisc del dev swc0 root
+ tc qdisc del dev swc0 ingress
+ read inx interface details
+ read inx interface details
+ clear_one_tc plu0
+ tc qdisc del dev plu0 root
+ tc qdisc del dev plu0 ingress
+ read inx interface details
+ read inx interface details
+ clear_one_tc vraw0
+ tc qdisc del dev vraw0 root
+ tc qdisc del dev vraw0 ingress
+ read inx interface details
+ read inx interface details
+ clear_one_tc ipsec0
+ tc qdisc del dev ipsec0 root
+ tc qdisc del dev ipsec0 ingress
+ read inx interface details
+ read inx interface details
+ clear_one_tc ipsec1
+ tc qdisc del dev ipsec1 root
+ tc qdisc del dev ipsec1 ingress
+ read inx interface details
+ read inx interface details
+ clear_one_tc ipsec2
+ tc qdisc del dev ipsec2 root
+ tc qdisc del dev ipsec2 ingress
+ read inx interface details
+ read inx interface details
+ clear_one_tc ipsec3
+ tc qdisc del dev ipsec3 root
+ tc qdisc del dev ipsec3 ingress
+ read inx interface details
+ read inx interface details
+ clear_one_tc bond0
+ tc qdisc del dev bond0 root
+ tc qdisc del dev bond0 ingress
+ read inx interface details
+ read inx interface details
+ clear_one_tc vlan3
+ tc qdisc del dev vlan3 root
+ tc qdisc del dev vlan3 ingress
+ read inx interface details
+ read inx interface details
+ clear_one_tc vlan4
+ tc qdisc del dev vlan4 root
+ tc qdisc del dev vlan4 ingress
+ read inx interface details
+ read inx interface details
+ clear_one_tc vlan6
+ tc qdisc del dev vlan6 root
+ tc qdisc del dev vlan6 ingress
+ read inx interface details
+ read inx interface details
+ clear_one_tc vlan7
+ tc qdisc del dev vlan7 root
+ tc qdisc del dev vlan7 ingress
+ read inx interface details
+ read inx interface details
+ clear_one_tc vlan8
+ tc qdisc del dev vlan8 root
+ tc qdisc del dev vlan8 ingress
+ read inx interface details
+ read inx interface details
+ clear_one_tc vlan9
+ tc qdisc del dev vlan9 root
+ tc qdisc del dev vlan9 ingress
+ read inx interface details
+ read inx interface details
+ clear_one_tc vlan10
+ tc qdisc del dev vlan10 root
+ tc qdisc del dev vlan10 ingress
+ read inx interface details
+ read inx interface details
+ clear_one_tc vlan12
+ tc qdisc del dev vlan12 root
+ tc qdisc del dev vlan12 ingress
+ read inx interface details
+ read inx interface details
+ clear_one_tc vlan13
+ tc qdisc del dev vlan13 root
+ tc qdisc del dev vlan13 ingress
+ read inx interface details
+ read inx interface details
+ disable_ipv6
+ ip -f inet6 addr list
+ local foo=
+ [ -n ]
+ find_first_interface_address cir0
+ ip -f inet addr show cir0
+ grep inet .* global
+ head -n1
+ addr= inet 69.209.46.193/30 scope global cir0
+ [ -n inet 69.209.46.193/30 scope global cir0 ]
+ echo inet 69.209.46.193/30 scope global cir0
+ sed s/\s*inet //;s/\/.*//;s/ peer.*//
+ CIR0_ADDRESS=69.209.46.193
+ [ start != restore ]
+ get_all_bcasts
+ ip -f inet addr show
+ grep inet.*brd
+ sed s/inet.*brd //; s/scope.*//;
+ sort -u
+ ALL_BCASTS= 10.0.2.255 255.255.255.255
+ setup_routing_and_traffic_shaping
+ progress_message2 Setting up ARP filtering...
+ local timestamp=
+ [ 2 -gt 0 ]
+ [ -n ]
+ echo Setting up ARP filtering...
+ progress_message2 Setting up Route Filtering...
+ local timestamp=
+ [ 2 -gt 0 ]
+ [ -n ]
+ echo Setting up Route Filtering...
+ [ -f /proc/sys/net/ipv4/conf/all/rp_filter ]
+ echo 1
+ [ -f /proc/sys/net/ipv4/conf/c40/rp_filter ]
+ echo 1
+ [ -f /proc/sys/net/ipv4/conf/cir0/rp_filter ]
+ echo 1
+ [ -f /proc/sys/net/ipv4/conf/default/rp_filter ]
+ echo 1
+ [ -f /proc/sys/net/ipv4/conf/eth0/rp_filter ]
+ echo 1
+ [ -f /proc/sys/net/ipv4/conf/fv0/rp_filter ]
+ echo 1
+ [ -f /proc/sys/net/ipv4/conf/ibl0/rp_filter ]
+ echo 1
+ [ -f /proc/sys/net/ipv4/conf/lo/rp_filter ]
+ echo 1
+ [ -f /proc/sys/net/ipv4/conf/plu0/rp_filter ]
+ echo 1
+ [ -f /proc/sys/net/ipv4/conf/swc0/rp_filter ]
+ echo 1
+ [ -f /proc/sys/net/ipv4/conf/vlan10/rp_filter ]
+ echo 1
+ [ -f /proc/sys/net/ipv4/conf/vlan12/rp_filter ]
+ echo 1
+ [ -f /proc/sys/net/ipv4/conf/vlan13/rp_filter ]
+ echo 1
+ [ -f /proc/sys/net/ipv4/conf/vlan3/rp_filter ]
+ echo 1
+ [ -f /proc/sys/net/ipv4/conf/vlan4/rp_filter ]
+ echo 1
+ [ -f /proc/sys/net/ipv4/conf/vlan6/rp_filter ]
+ echo 1
+ [ -f /proc/sys/net/ipv4/conf/vlan7/rp_filter ]
+ echo 1
+ [ -f /proc/sys/net/ipv4/conf/vlan8/rp_filter ]
+ echo 1
+ [ -f /proc/sys/net/ipv4/conf/vlan9/rp_filter ]
+ echo 1
+ echo 1
+ echo 1
+ [ -n ]
+ ip route flush cache
+ progress_message2 Setting up Martian Logging...
+ local timestamp=
+ [ 2 -gt 0 ]
+ [ -n ]
+ echo Setting up Martian Logging...
+ [ -f /proc/sys/net/ipv4/conf/all/log_martians ]
+ echo 1
+ [ -f /proc/sys/net/ipv4/conf/c40/log_martians ]
+ echo 1
+ [ -f /proc/sys/net/ipv4/conf/cir0/log_martians ]
+ echo 1
+ [ -f /proc/sys/net/ipv4/conf/default/log_martians ]
+ echo 1
+ [ -f /proc/sys/net/ipv4/conf/eth0/log_martians ]
+ echo 1
+ [ -f /proc/sys/net/ipv4/conf/fv0/log_martians ]
+ echo 1
+ [ -f /proc/sys/net/ipv4/conf/ibl0/log_martians ]
+ echo 1
+ [ -f /proc/sys/net/ipv4/conf/lo/log_martians ]
+ echo 1
+ [ -f /proc/sys/net/ipv4/conf/plu0/log_martians ]
+ echo 1
+ [ -f /proc/sys/net/ipv4/conf/swc0/log_martians ]
+ echo 1
+ [ -f /proc/sys/net/ipv4/conf/vlan10/log_martians ]
+ echo 1
+ [ -f /proc/sys/net/ipv4/conf/vlan12/log_martians ]
+ echo 1
+ [ -f /proc/sys/net/ipv4/conf/vlan13/log_martians ]
+ echo 1
+ [ -f /proc/sys/net/ipv4/conf/vlan3/log_martians ]
+ echo 1
+ [ -f /proc/sys/net/ipv4/conf/vlan4/log_martians ]
+ echo 1
+ [ -f /proc/sys/net/ipv4/conf/vlan6/log_martians ]
+ echo 1
+ [ -f /proc/sys/net/ipv4/conf/vlan7/log_martians ]
+ echo 1
+ [ -f /proc/sys/net/ipv4/conf/vlan8/log_martians ]
+ echo 1
+ [ -f /proc/sys/net/ipv4/conf/vlan9/log_martians ]
+ echo 1
+ echo 1
+ echo 1
+ progress_message2 Setting up Accept Source Routing...
+ local timestamp=
+ [ 2 -gt 0 ]
+ [ -n ]
+ echo Setting up Accept Source Routing...
+ echo 1
+ progress_message2 IP Forwarding Enabled
+ local timestamp=
+ [ 2 -gt 0 ]
+ [ -n ]
+ echo IP Forwarding Enabled
+ progress_message2 Setting up Proxy ARP...
+ local timestamp=
+ [ 2 -gt 0 ]
+ [ -n ]
+ echo Setting up Proxy ARP...
+ [ -z ]
+ undo_routing
+ [ -z ]
+ [ -f /var/lib/shorewall/rt_tables ]
+ [ -f /var/lib/shorewall/undo_routing ]
+ cp /etc/iproute2/rt_tables /var/lib/shorewall/
+ [ -f /var/lib/shorewall/default_route ]
+ ip route list
+ grep -E ^\s*(default |nexthop )
+
+ progress_message2 Adding Providers...
+ local timestamp=
+ [ 2 -gt 0 ]
+ [ -n ]
+ echo Adding Providers...
+ DEFAULT_ROUTE=
+ interface_is_usable cir0
+ interface_is_up cir0
+ ip link list dev cir0
+ grep -e [<,]UP[,>]
+ [ -n 4: cir0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000 ]
+ find_first_interface_address_if_any cir0
+ ip -f inet addr show cir0
+ head -n1
+ grep inet .* global
+ addr= inet 69.209.46.193/30 scope global cir0
+ [ -n inet 69.209.46.193/30 scope global cir0 ]
+ echo inet 69.209.46.193/30 scope global cir0
+ sed s/\s*inet //;s/\/.*//;s/ peer.*//
+ [ 69.209.46.193 != 0.0.0.0 ]
+ run_isusable_exit cir0
+ true
+ qt ip route flush table 1
+ ip route flush table 1
+ echo qt ip route flush table 1
+ run_ip route replace 69.209.46.194 src 69.209.46.193 dev cir0 table 1
+ ip route replace 69.209.46.194 src 69.209.46.193 dev cir0 table 1
+ run_ip route add default via 69.209.46.194 dev cir0 table 1
+ ip route add default via 69.209.46.194 dev cir0 table 1
+ qt ip rule del fwmark 1
+ ip rule del fwmark 1
+ run_ip rule add fwmark 1 pref 10000 table 1
+ ip rule add fwmark 1 pref 10000 table 1
+ echo qt ip rule del fwmark 1
+ rulenum=0
+ find_interface_addresses cir0
+ read address
+ ip -f inet addr show cir0
+ grep inet
+ sed s/\s*inet //;s/\/.*//;s/ peer.*//
+ qt ip rule del from 69.209.46.193
+ ip rule del from 69.209.46.193
+ run_ip rule add from 69.209.46.193 pref 20000 table 1
+ ip rule add from 69.209.46.193 pref 20000 table 1
+ echo qt ip rule del from 69.209.46.193
+ rulenum=1
+ read address
+ progress_message Provider circe (1) Added
+ local timestamp=
+ [ 2 -gt 1 ]
+ [ -n ]
+ echo Provider circe (1) Added
+ restore_default_route
+ [ -z -a -f /var/lib/shorewall/default_route ]
+ local default_route= route
+ read route
+ [ -n ]
+ default_route= default via 10.0.2.2 dev eth0
+ read route
+ rm -f /var/lib/shorewall/default_route
+ [ -w /etc/iproute2/rt_tables ]
+ cat
+ find_echo
+ local result
+ echo a\tb
+ result=a\tb
+ [ 4 -eq 3 ]
+ echo -e a\tb
+ result=a b
+ [ 3 -eq 3 ]
+ echo echo -e
+ return
+ echocommand=echo -e
+ echo -e 1\tcirce
+ run_ip route flush cache
+ ip route flush cache
+ progress_message2 Setting up Traffic Control...
+ local timestamp=
+ [ 2 -gt 0 ]
+ [ -n ]
+ echo Setting up Traffic Control...
+ cat
+ [ start != refresh ]
+ cat
+ cat
+
+ [ start = restore ]
+ [ start = refresh ]
+ setup_netfilter
+ progress_message2 Preparing iptables-restore input...
+ local timestamp=
+ [ 2 -gt 0 ]
+ [ -n ]
+ echo Preparing iptables-restore input...
+ exec
+ cat
+ echo -A dropBcast -d 10.0.2.255 -j DROP
+ echo -A dropBcast -d 255.255.255.255 -j DROP
+ cat
+ echo -A reject -d 10.0.2.255 -j DROP
+ echo -A reject -d 255.255.255.255 -j DROP
+ cat
+ echo -A smurfs -s 10.0.2.255 -j LOG --log-level 6 --log-prefix
"Shorewall:smurfs:DROP:"
+ echo -A smurfs -s 10.0.2.255 -j DROP
+ echo -A smurfs -s 255.255.255.255 -j LOG --log-level 6 --log-prefix
"Shorewall:smurfs:DROP:"
+ echo -A smurfs -s 255.255.255.255 -j DROP
+ cat
+ exec
+ progress_message2 Running iptables-restore...
+ local timestamp=
+ [ 2 -gt 0 ]
+ [ -n ]
+ echo Running iptables-restore...
+ cat /var/lib/shorewall/.iptables-restore-input
+ /sbin/iptables-restore
iptables-restore: line 9878 failed
+ [ 1 != 0 ]
+ fatal_error iptables-restore Failed. Input is in
/var/lib/shorewall/.iptables-restore-input
+ echo ERROR: iptables-restore Failed. Input is in
/var/lib/shorewall/.iptables-restore-input
ERROR: iptables-restore Failed. Input is in
/var/lib/shorewall/.iptables-restore-input
+ stop_firewall
+ set +x
Terminated