The problem is as follows: In the Shorewall/Rules.pm function setup_rfc1918_filteration is the following line:
#-- Begin code snippet --#
add_rule $chainref , match_orig_dest( $network ) . "-j $target" ;
#-- End code snippet --#
The problem is, when CONNTRACK_MATCH isn't available, the Shorewall/Chains.pm function match_orig_dest() returns an empty string. This adds the following netfilter rule, causing ALL traffic from this interface to be handled as rfc1918 traffic and subsequently dropped.
#-- Begin code snippet --#
-A norfc1918 -j rfc1918
#-- End code snippet --#
I'm not submitting a patch because I'm not sure how you'd like to fix the problem. The simplest way is to put something like the following at the beginning of setup_rfc1918_filteration.
#-- Begin code snippet --#
if (! match_orig_dest('10.0.0.0/8')) {
## Produce Error Here - norfc1918 option requires conntrack
}
#-- End code snippet --#
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
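Added example, not Shorewall's code and written in Python rather than the project's Perl: it models how an empty return from match_orig_dest() collapses the per-network rules into an unconditional jump, applies the prerequisite check the post suggests, and audits a generated rule set for jumps that carry no match. The chain name and target come from the post; the "-m conntrack --ctorigdst" fragment and the list of RFC 1918 networks are assumptions.

```python
# Constructed model of the norfc1918 rule generation described in the post.
RFC1918_NETWORKS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]  # assumed

def match_orig_dest(network, conntrack_match):
    """Model of Shorewall's match_orig_dest(): a conntrack match fragment when
    CONNTRACK_MATCH is available, otherwise an empty string (the reported case).
    The fragment text is an assumption, not copied from Shorewall."""
    if conntrack_match:
        return f"-m conntrack --ctorigdst {network} "
    return ""

def build_norfc1918_rules(conntrack_match, target="rfc1918"):
    """Reproduces the reported behaviour: without conntrack every rule becomes
    '-A norfc1918 -j rfc1918', matching all traffic on the chain."""
    rules = []
    for network in RFC1918_NETWORKS:
        rules.append("-A norfc1918 " + match_orig_dest(network, conntrack_match)
                     + f"-j {target}")
    return rules

def check_norfc1918_prerequisite(conntrack_match):
    """The guard the post suggests: probe match_orig_dest() once and report an
    error message when it yields nothing usable. Returns None when OK."""
    if not match_orig_dest("10.0.0.0/8", conntrack_match):
        return "norfc1918 option requires conntrack match support (CONNTRACK_MATCH)"
    return None

def build_norfc1918_rules_guarded(conntrack_match, target="rfc1918"):
    """Fixed generator: refuses to emit rules instead of emitting a catch-all."""
    error = check_norfc1918_prerequisite(conntrack_match)
    if error:
        raise RuntimeError(error)
    return build_norfc1918_rules(conntrack_match, target)

def unconditional_jumps(rules):
    """Audit helper for a generated rule set: returns rules of the form
    '-A <chain> -j <target>' with no match between chain and jump, i.e. rules
    that apply to every packet traversing the chain."""
    found = []
    for rule in rules:
        tokens = rule.split()
        if len(tokens) >= 4 and tokens[0] == "-A" and tokens[2] == "-j":
            found.append(rule)
    return found

if __name__ == "__main__":
    for rule in build_norfc1918_rules(False):
        print(rule)  # each line reads: -A norfc1918 -j rfc1918
    print(check_norfc1918_prerequisite(False))
```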
