On 5/16/2014 2:10 AM, Simon Matter wrote:
>> The Shorewall team is pleased to announce the availability of Shorewall
>> 4.6.0.
>
> Hi Tom and all,
>
> Thanks for the new release!
>
> I found an issue I'm not sure how to solve, sorry for finding it only now
> that the release is out.
>
>
> I was having this in my tcrules file:
> #
> # fix udp checksums for dhclient on local KVM guests
> #
> CHECKSUM:T $FW 0.0.0.0/0 udp bootpc
>
>
> I converted it using "shorewall update -t" and it gave me this in mangle:
> CHECKSUM:T fw 0.0.0.0/0 udp bootpc
>
>
> On restart I got
> Checking /etc/shorewall/mangle...
> ERROR: Rules with SOURCE $FW must use the OUTPUT chain
> /etc/shorewall/mangle (line 33)
>
>
> Now, I've just removed :T like so
> CHECKSUM fw 0.0.0.0/0 udp bootpc
>
>
> Now I get this:
> Running /sbin/iptables-restore...
> iptables-restore v1.4.7: CHECKSUM target: Parameter --checksum-fill is
> required
> Error occurred at line: 41
> Try `iptables-restore -h' or 'iptables-restore --help' for more information.
> ERROR: iptables-restore Failed. Input is in
> /var/lib/shorewall/.iptables-restore-input
>
>
> and line 41 is:
> -A tcout -p 17 --dport 68 -j CHECKSUM
>
> The --checksum-fill is really missing somehow.
>
> Is my config wrong or is it a bug?
>
Hi Simon,

Using :T with SOURCE $FW is incorrect on your part (and Shorewall should
have flagged it all along), but the missing --checksum-fill is a bug.
Patch is attached.

Regards,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index 03720a0..5662ecb 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -338,7 +338,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
minparams => 0,
maxparams => 0 ,
function => sub() {
- $target = 'CHECKSUM';
+ $target = 'CHECKSUM --checksum-fill';
},
},
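Review bot: the added line folds an iptables option into the value of $target, so $target no longer holds a bare target name; if anything later in process_mangle_rule1 compares or validates $target by name, it will now see 'CHECKSUM --checksum-fill'. A short comment beside the assignment saying that iptables rejects CHECKSUM without --checksum-fill (the iptables-restore v1.4.7 error quoted above) would document why the option is unconditional, which fits an action that takes no parameters (minparams and maxparams are both 0).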
@@ -693,7 +693,9 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
( $cmd, $designator ) = split_action( $action );
if ( supplied $designator ) {
- fatal_error "Invalid chain designator ( $designator )" unless $designator = $designators{$designator};
+ my $temp = $designators{$designator};
+ fatal_error "Invalid chain designator ( $designator )" unless $temp;
+ $designator = $temp;
}
( $cmd , $params ) = get_target_param1( $cmd );
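Review bot: on the added line `fatal_error "Invalid chain designator ( $designator )" unless $temp;` the test is for truth, not existence, so a designator that maps to a defined but false value (0 or an empty string) in %designators would be reported as invalid. If every value in %designators is guaranteed to be true this is fine; otherwise test `exists $designators{$designator}` or `defined $temp`. Using $temp is the right shape: it keeps the user's original text in $designator for the error message instead of overwriting it before the string is interpolated.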
@@ -710,11 +712,11 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
if ( $source ne '-' ) {
if ( $source eq $fw ) {
- fatal_error 'Rules with SOURCE $FW must use the OUTPUT chain' if $designator && $designator ne OUTPUT;
+ fatal_error 'Rules with SOURCE $FW must use the OUTPUT chain' if $designator && $designator != OUTPUT;
$chain = OUTPUT;
$source = '-';
} elsif ( $source =~ s/^($fw):// ) {
- fatal_error 'Rules with SOURCE $FW must use the OUTPUT chain' if $designator && $designator ne OUTPUT;
+ fatal_error 'Rules with SOURCE $FW must use the OUTPUT chain' if $designator && $designator != OUTPUT;
$chain = OUTPUT;
}
}
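Review bot: both changed conditions use `$designator && $designator != OUTPUT`, a numeric comparison that is only meaningful once $designator holds the value looked up from %designators in the previous hunk rather than the raw designator text; a one-line comment stating that $designator is a chain constant at this point would make that dependency explicit. The same guard and message are also written out twice, once per branch, so a small helper called from both branches would keep the two copies from drifting apart.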
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
