On 6/19/2014 11:12 PM, Troy Telford wrote:
> I'm running the Debian (sid) package of Shorewall 4.6.1; kernel 3.14 (debian
> package)
>
> When I upgraded to Shorewall 4.6.1, I have found that setting
> `INLINE_MATCHES=yes` in shorewall.conf will cause the following error with
> `shorewall start`
>
> Running /sbin/iptables-restore...
> Bad argument `helper=netbios-ns'
> Error occurred at line: 228
> Try `iptables-restore -h' or 'iptables-restore --help' for more information.
> ERROR: iptables-restore Failed. Input is in
> /var/lib/shorewall/.iptables-restore-input
>
> `shorewall check -i` doesn't show any warnings
>
> Setting `INLINE_MATCHES=no` allows shorewall to start successfully, so I have
> a workaround.
>
> If I read the documentation correctly, semicolons in rules can be a cause of
> the problem, however I don't have any rules with semicolons. (I do have
> SSHKnock set up as documented in http://shorewall.net/PortKnocking.html. That
> does include semicolons, but disabling SSHKnock didn't seem to have a
> positive effect.)
>
> Attached are the output(s) of `shorewall trace` and
> /var/lib/shorewall/.start, which includes the contents of
> /var/lib/shorewall/.iptables-restore-input
>
> I have a feeling I'm missing something relatively simple, but I can't figure
> out what...
No -- *I* missed something; patch attached:
cd /usr/share/shorewall
patch < .../INLINE.patch
Thanks!
-Tom
PS -- note that setting AUTOHELPERS=Yes also works around the problem.
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
diff --git a/Shorewall/Macros/macro.Amanda b/Shorewall/Macros/macro.Amanda
index f9cf8a7..b8d2aa3 100644
--- a/Shorewall/Macros/macro.Amanda
+++ b/Shorewall/Macros/macro.Amanda
@@ -14,7 +14,7 @@
# PORT(S) PORT(S) DEST LIMIT GROUP
?if ( __CT_TARGET && ! $AUTOHELPERS && __AMANDA_HELPER )
- PARAM - - udp 10080 ; helper=amanda
+ PARAM - - udp 10080 { helper=amanda }
?else
PARAM - - udp 10080
?endif
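Review bot: Nothing in macro.Amanda records why the helper assignment on the changed `PARAM - - udp 10080 { helper=amanda }` line has to use braces, so a later edit could restore the `;` form and `shorewall start` would again fail in iptables-restore once INLINE_MATCHES=Yes is set. I would add a comment above the `?if` line, for example `# helper= must be in { }: with INLINE_MATCHES=Yes, text after ';' is passed to iptables as inline matches`. The same comment applies to the matching hunks in macro.FTP, macro.IRC, macro.PPtP, macro.SANE, macro.SIP, macro.SMB, macro.SMBBI (both hunks), macro.SNMP and macro.TFTP. This branch is only taken when AUTOHELPERS is off, so the failure hits setups that attach conntrack helpers explicitly; locally written macros or rules that still use `; helper=...` are not covered by the patch and presumably need the same conversion. The macro file continues outside the hunk.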
diff --git a/Shorewall/Macros/macro.FTP b/Shorewall/Macros/macro.FTP
index ca1edd7..7133179 100644
--- a/Shorewall/Macros/macro.FTP
+++ b/Shorewall/Macros/macro.FTP
@@ -11,7 +11,7 @@
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGIN RATE USER/
# PORT(S) PORT(S) DEST LIMIT GROUP
?if ( __CT_TARGET && ! $AUTOHELPERS && __FTP_HELPER )
- PARAM - - tcp 21 ; helper=ftp
+ PARAM - - tcp 21 { helper=ftp }
?else
PARAM - - tcp 21
?endif
diff --git a/Shorewall/Macros/macro.IRC b/Shorewall/Macros/macro.IRC
index baf5e4f..f8faf92 100644
--- a/Shorewall/Macros/macro.IRC
+++ b/Shorewall/Macros/macro.IRC
@@ -12,7 +12,7 @@
# PORT(S) PORT(S) DEST LIMIT GROUP
?if ( __CT_TARGET && ! $AUTOHELPERS && __IRC_HELPER )
- PARAM - - tcp 6667 ; helper=irc
+ PARAM - - tcp 6667 { helper=irc }
?else
PARAM - - tcp 6667
?endif
diff --git a/Shorewall/Macros/macro.PPtP b/Shorewall/Macros/macro.PPtP
index f932c46..cf95bcb 100644
--- a/Shorewall/Macros/macro.PPtP
+++ b/Shorewall/Macros/macro.PPtP
@@ -14,7 +14,7 @@ PARAM - - 47
PARAM DEST SOURCE 47
?if ( __CT_TARGET && ! $AUTOHELPERS && __PPTP_HELPER )
- PARAM - - tcp 1723 ; helper=pptp
+ PARAM - - tcp 1723 { helper=pptp }
?else
PARAM - - tcp 1723
?endif
diff --git a/Shorewall/Macros/macro.SANE b/Shorewall/Macros/macro.SANE
index 6862b31..d190c4b 100644
--- a/Shorewall/Macros/macro.SANE
+++ b/Shorewall/Macros/macro.SANE
@@ -12,7 +12,7 @@
# PORT(S) PORT(S) DEST LIMIT GROUP
?if ( __CT_TARGET && ! $AUTOHELPERS && __SANE_HELPER )
- PARAM - - tcp 6566 ; helper=sane
+ PARAM - - tcp 6566 { helper=sane }
?else
PARAM - - tcp 6566
?endif
diff --git a/Shorewall/Macros/macro.SIP b/Shorewall/Macros/macro.SIP
index 7d87b2c..9a8c565 100644
--- a/Shorewall/Macros/macro.SIP
+++ b/Shorewall/Macros/macro.SIP
@@ -12,7 +12,7 @@
# PORT(S) PORT(S) DEST LIMIT GROUP
?if ( __CT_TARGET && ! $AUTOHELPERS && __SIP_HELPER )
- PARAM - - udp 5060 ; helper=sip
+ PARAM - - udp 5060 { helper=sip }
?else
PARAM - - udp 5060
?endif
diff --git a/Shorewall/Macros/macro.SMB b/Shorewall/Macros/macro.SMB
index a6aa000..c33f401 100644
--- a/Shorewall/Macros/macro.SMB
+++ b/Shorewall/Macros/macro.SMB
@@ -17,7 +17,7 @@
PARAM - - udp 135,445
?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
- PARAM - - udp 137 ; helper=netbios-ns
+ PARAM - - udp 137 { helper=netbios-ns }
PARAM - - udp 138:139
?else
PARAM - - udp 137:139
diff --git a/Shorewall/Macros/macro.SMBBI b/Shorewall/Macros/macro.SMBBI
index ffb6bfa..645732b 100644
--- a/Shorewall/Macros/macro.SMBBI
+++ b/Shorewall/Macros/macro.SMBBI
@@ -17,7 +17,7 @@
PARAM - - udp 135,445
?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
- PARAM - - udp 137 ; helper=netbios-ns
+ PARAM - - udp 137 { helper=netbios-ns }
PARAM - - udp 138:139
?else
PARAM - - udp 137:139
@@ -28,7 +28,7 @@ PARAM - - tcp 135,139,445
PARAM DEST SOURCE udp 135,445
?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
- PARAM DEST SOURCE udp 137 ; helper=netbios-ns
+ PARAM DEST SOURCE udp 137 { helper=netbios-ns }
PARAM DEST SOURCE udp 138:139
?else
PARAM DEST SOURCE udp 137:139
diff --git a/Shorewall/Macros/macro.SNMP b/Shorewall/Macros/macro.SNMP
index 6e1e7fd..64a811b 100644
--- a/Shorewall/Macros/macro.SNMP
+++ b/Shorewall/Macros/macro.SNMP
@@ -14,7 +14,7 @@
# PORT(S) PORT(S) DEST LIMIT GROUP
?if ( __CT_TARGET && ! $AUTOHELPERS && __SNMP_HELPER )
- PARAM - - udp 161 ; helper=snmp
+ PARAM - - udp 161 { helper=snmp }
?else
PARAM - - udp 161
?endif
diff --git a/Shorewall/Macros/macro.TFTP b/Shorewall/Macros/macro.TFTP
index 723f9dc..e65b282 100644
--- a/Shorewall/Macros/macro.TFTP
+++ b/Shorewall/Macros/macro.TFTP
@@ -14,7 +14,7 @@
# PORT(S) PORT(S) DEST LIMIT GROUP
?if ( __CT_TARGET && ! $AUTOHELPERS && __TFTP_HELPER )
- PARAM - - udp 69 ; helper=tftp
+ PARAM - - udp 69 { helper=tftp }
?else
PARAM - - udp 69
?endif
signature.asc
Description: OpenPGP digital signature
