Re: [Shorewall-users] DROP rule creates double table entry

Thu, 12 Aug 2010 15:47:44 -0700 

> On 8/12/10 6:59 AM, Tom Eastep wrote:
> > On 8/11/10 8:48 PM, Hellmut Tümmler wrote:
> >> Hello everybody,
> >> 
> >>  maybe i am staring for too long into this terminal and start to see
> >>  double
> >> 
> >> contours.
> >> Using shorewall-4.4.10 on my gentoo box with following entry in rules
> >> (among others, tell me if you need a dump). It's located below SECTION
> >> NEW:
> >> 
> >> #ACTION      SRC                                     DEST
> >> DROP         net:82.96.96.3,85.190.0.3       any
> >> 
> >> According to 'shorewall show net2fw' the rule is generated twice. This
> >> cannot be right can it? It doesn't happen when DEST is set to all.
> 
> It does -- in the fw2net chain.
> 
> >> ...
> >> 
> >>     0     0 DROP       all  --  *      *       82.96.96.3          
> >>     0.0.0.0/0 0     0 DROP       all  --  *      *       85.190.0.3    
> >>           0.0.0.0/0 0     0 DROP       all  --  *      *      
> >>     82.96.96.3           0.0.0.0/0 0     0 DROP       all  --  *      *
> >>           85.190.0.3           0.0.0.0/0
> >> 
> >> ...
> > 
> > I have reproduced the problem.
> 
> And attached is a patch:
>         patch /usr/share/shorewall/Shorewall/Zones.pm < anybug.diff
> 
> The patch will apply with an offset (-13 lines with 4.4.10 - I actually
> tested it against 4.4.10.3). It will apply cleanly to 4.4.11 through
> 4.4.11.2.
> 
> -Tom
> --
> Tom Eastep        \ When I die, I want to go like my Grandfather who
> Shoreline,         \ died peacefully in his sleep. Not screaming like
> Washington, USA     \ all of the passengers in his car
> http://shorewall.net \________________________________________________

Hey Tom,
thanks a lot for the patch. Meanwhile I have updated to 4.4.11.2 which showed 
the same problem, but the patch did kill that bug for me.

While I'm at it, neither 'shorewall status" nor 'shorewall show config' reflect 
which shorewall.conf the currently loaded configuration was compiled from.
Something tells me I'm opening pandora's box with that 'simple' wish.
I use to put COMMENT rules within the rules file for the purpose, which is a 
bit hackish, but doesn't waste much engineering time either ;)

cheers,
Hellmut



------------------------------------------------------------------------------
This SF.net email is sponsored by 

Make an app they can't live without
Enter the BlackBerry Developer Challenge
http://p.sf.net/sfu/RIM-dev2dev 
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users

Reply via email to