I have shorewall 4.6.1.2 (Debian package version 4.6.1.2-1).

I am trying to set mark with "|" and "&" in the tcrules file, and 
it doesn't work.

The relevant lines in tcrules look like this:

# "OR" 0x40 into flags for packets to or from address 10.1.2.3,
# provided the connection mark is zero.
|0x40:P         10.1.2.3        0.0.0.0/0       -       { test=0:C }
|0x40:T         0.0.0.0/0       10.1.2.3        -       { test=0:C }

The relevant lines in the output from /sbin/shorewall trace safe-restart
look like this:

Compiling /etc/shorewall/tcrules...
IN===> |0x40:P          10.1.2.3        0.0.0.0/0       -       { test=0:C }
                NF-(A)-> mangle:tcpre:1         -A tcpre -s 10.1.2.3 -m 
connmark --mark 0/0xff  -j MARK --set-mark 0x40
IN===> |0x40:T          0.0.0.0/0       10.1.2.3        -       { test=0:C }
                NF-(A)-> mangle:tcpost:1        -A tcpost -d 10.1.2.3 -m 
connmark --mark 0/0xff  -j MARK --set-mark 0x40
   WARNING: Non-empty tcrules file (/etc/shorewall/tcrules); consider running 
'shorewall update -t' at /usr/share/shorewall/Shorewall/Tc.pm line 3191.
        Shorewall::Tc::setup_tc(0) called at 
/usr/share/shorewall/Shorewall/Compiler.pm line 796
        Shorewall::Compiler::compiler('script', '/var/lib/shorewall/.restart', 
'directory', '', 'verbosity', 1, 'timestamp', 0, 'debug', ...) called at 
/usr/share/shorewall/compiler.pl line 152

See it using "--set-mark" instead of "--or-mark".  Also, the 
message suggests that the tcrules file is deprecated, but the 
shorewall-tcrules man page does not appear to say it's deprecated.

I think this is a bug, and line 560 of Shorewall/Tc.pm looks 
suspicious:

        handle_mark_param('--set-mark' , , HIGHMARK );

handle_mark_param seems to expect the first argument to be false 
in the case that AND and OR handling is desired.

--apb (Alan Barrett)
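The following is an added example (not code from the post or from Shorewall itself) that checks the point made above mechanically: it parses the tcrules MARK column subset shown in the post (an optional "|" or "&" prefix, a mark value, an optional ":P"/":T" chain designator), derives the iptables MARK target option that prefix should compile to (`--or-mark` for "|", `--and-mark` for "&", `--set-mark` for a plain value), and compares it with the rule the compiler actually emitted. Running it over the two rule/output pairs quoted from the trace flags both as mismatches. The regexes, function names and the restriction to this subset of MARK syntax are this example's own assumptions.

```python
import re

# Subset of the tcrules MARK column handled here (assumption: enough for the
# rules quoted above): optional "|" (OR) or "&" (AND) prefix, a hex or decimal
# mark value, and an optional ":X" chain designator such as :P or :T. Other
# MARK-column forms are rejected with ValueError rather than guessed at.
SPEC_RE = re.compile(
    r"^(?P<op>[|&]?)(?P<value>0x[0-9a-fA-F]+|\d+)(?::(?P<chain>[A-Z]))?$"
)

# The MARK target and its option/argument inside a generated iptables rule.
MARK_TARGET_RE = re.compile(r"-j MARK\s+(?P<option>--\S+)\s+(?P<value>\S+)")

# tcrules prefix -> iptables MARK target option that implements it.
OP_TO_OPTION = {
    "": "--set-mark",    # plain value: replace the mark
    "|": "--or-mark",    # "|": OR the value into the mark
    "&": "--and-mark",   # "&": AND the value with the mark
}


def parse_mark_spec(spec):
    """Return (expected_iptables_option, mark_value, chain_designator)."""
    m = SPEC_RE.match(spec.strip())
    if not m:
        raise ValueError(f"unsupported MARK column value: {spec!r}")
    return OP_TO_OPTION[m.group("op")], int(m.group("value"), 0), m.group("chain")


def audit_rule(spec, generated_rule):
    """Compare a tcrules MARK value with the iptables rule emitted for it.

    Returns None when the generated rule uses the option and value the spec
    calls for, otherwise a short description of the discrepancy.
    """
    expected_option, expected_value, _chain = parse_mark_spec(spec)
    m = MARK_TARGET_RE.search(generated_rule)
    if not m:
        return "no MARK target found in generated rule"
    option = m.group("option")
    # Tolerate a value/mask argument by comparing only the value part.
    value = int(m.group("value").split("/")[0], 0)
    problems = []
    if option != expected_option:
        problems.append(f"expected {expected_option}, compiler emitted {option}")
    if value != expected_value:
        problems.append(f"expected mark {expected_value:#x}, got {value:#x}")
    return "; ".join(problems) or None


def audit_trace(pairs):
    """Audit a list of (tcrules MARK value, generated rule) pairs."""
    return [(spec, audit_rule(spec, rule)) for spec, rule in pairs]


# Pairs constructed from the MARK column and NF-(A)-> lines quoted in the post.
TRACE_PAIRS = [
    ("|0x40:P",
     "-A tcpre -s 10.1.2.3 -m connmark --mark 0/0xff -j MARK --set-mark 0x40"),
    ("|0x40:T",
     "-A tcpost -d 10.1.2.3 -m connmark --mark 0/0xff -j MARK --set-mark 0x40"),
]

if __name__ == "__main__":
    for spec, problem in audit_trace(TRACE_PAIRS):
        status = "OK" if problem is None else "MISMATCH: " + problem
        print(f"{spec}: {status}")
```

Feeding it the compiler's generated rules (for instance, the `NF-(A)->` lines from `shorewall trace`) is a quick way to confirm whether a "|" or "&" mark actually reached netfilter as an OR/AND operation or was silently turned into a plain `--set-mark`, which would overwrite any mark bits set by earlier rules.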

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
