On 1/18/2015 6:40 PM, Bill Shirley wrote:
> I'm setting up a new server to be a backup of the production server.
>
> Production is running Fedora 19: shorewall-4.5.15-1.fc19.noarch
>
> New server is running Fedora 21: shorewall-4.6.5.3-1.fc21.noarch
>
> I've copied over my Shorewall configuration files and when I run 'shorewall
> check' I get:
> Checking /etc/shorewall/tcrules...
> ERROR: SAVE rules are not allowed in the INPUT chain
> /etc/shorewall/tcrules (line 198)
>
> The relevant rules are:
> ?COMMENT -vpn- decrypted
> SAVE/$CONNMASK $mem_net $FW !esp ; state=NEW
> test=$MEM_VPN1_FWMARK/$CONNMASK
> SAVE/$CONNMASK $mem_net $FW !esp ; state=NEW
> test=$MEM_VPN2_FWMARK/$CONNMASK
> SAVE/$CONNMASK $phx_net $FW !esp ; state=NEW
> test=$PHX_VPN_FWMARK/$CONNMASK
> SAVE/$CONNMASK $sfn_net $FW !esp ; state=NEW
> test=$SFN_VPN1_FWMARK/$CONNMASK
> SAVE/$CONNMASK $sfn_net $FW !esp ; state=NEW
> test=$SFN_VPN2_FWMARK/$CONNMASK
>
> My question is: Why can't I do a SAVE in the INPUT chain? Am I doing
> something stupid?

No -- I did. Patch attached.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index 5156ff8..352a22c 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -564,7 +564,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
RESTORE => {
defaultchain => 0,
- allowedchains => PREROUTING | FORWARD | OUTPUT | POSTROUTING,
+ allowedchains => PREROUTING | INPUT | FORWARD | OUTPUT |
POSTROUTING,
minparams => 0,
maxparams => 1,
function => sub () {
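
Review bot: The widened allowedchains value for RESTORE is the same literal that the SAVE entry receives in the next hunk, so the mask is now maintained by hand in two places; a shared named constant for the chain mask would keep SAVE and RESTORE in step. The report only concerned SAVE, so the commit message should also say that RESTORE is opened up to INPUT and why.
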
@@ -593,7 +593,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
SAVE => {
defaultchain => 0,
- allowedchains => PREROUTING | FORWARD | OUTPUT | POSTROUTING,
+ allowedchains => PREROUTING | INPUT | FORWARD | OUTPUT |
POSTROUTING,
minparams => 0,
maxparams => 1,
function => sub () {
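
Review bot: The added allowedchains line for SAVE is wrapped, with "POSTROUTING," on its own line and no "+" marker, so the hunk will not apply as displayed in the message body (the RESTORE hunk has the same wrap); apply from the attachment or rejoin the two lines into a single "+" line. A compile check covering a SAVE rule whose DEST is $FW, as in the reported tcrules, would keep the "SAVE rules are not allowed in the INPUT chain" error from coming back unnoticed.
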
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
