So I commented out the SAVE($CONNMASK) lines in mangle and now it's dying on line 137:
136: -A tcin -s 192.168.4.1 -p 6 --dport 53 -j MARK --set-mark 0x400000/0x400000
137: -A tcin -s 192.168.4.1 -p 6 --dport 53 test=0x2c00/0xff00 -j MARK --set-mark 0x400000/0x400000

which equates to:
136: MARK($JUNK_MARK/$JUNK_MARK) 192.168.4.1 $FW tcp domain
137: MARK($JUNK_MARK/$JUNK_MARK) 192.168.4.1 $FW tcp domain ; test=$SFN_VPN2_FWMARK/$CONNMASK

Note that it's failing on the line with the test= in it.

The same two rules on shorewall-4.5.15-1.fc19.noarch (Fedora 19/tcrules and works) generate:
-A tcin -p 6 --dport 53 -s 192.168.4.1 -j MARK --set-mark 0x400000/0x400000
-A tcin -p 6 --dport 53 -s 192.168.4.1 -m mark --mark 0x2c00/0xff00 -j MARK --set-mark 0x400000/0x400000

Bill

On 1/22/2015 6:32 AM, Bill Shirley wrote:
> Well I spoke too soon. The patch got me past 'shorewall check' but now a
> 'shorewall start' gives:
> Jan 22 05:02:03 apinetstore2 shorewall: Preparing iptables-restore input...
> Jan 22 05:02:03 apinetstore2 shorewall: Running /sbin/iptables-restore ...
> Jan 22 05:02:03 apinetstore2 shorewall: Bad argument `state=NEW'
> Jan 22 05:02:03 apinetstore2 shorewall: Error occurred at line: 136
> Jan 22 05:02:03 apinetstore2 shorewall: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
> Jan 22 05:02:03 apinetstore2 shorewall: cat: write error: Broken pipe
> Jan 22 05:02:03 apinetstore2 shorewall: ERROR: iptables-restore Failed. Input is in /var/lib/shorewall/.iptables-restore-input
> Jan 22 05:02:03 apinetstore2 logger: ERROR:Shorewall start failed
> Just got my 3rd NIC installed so I can actually do a 'shorewall start'.
>
> The line (136) the kernel doesn't like is:
> -A tcfor -s 192.168.64.0/23 -d 10.0.0.0/8 ! -p 50 state=NEW test=0x3f00/0xff00 -j CONNMARK --save-mark --mask 0xff00 -m comment --comment "-vpn- decrypted"
>
> which is (2nd line) in mangle:
> ?COMMENT -vpn- decrypted
> SAVE($CONNMASK) $mem_net $FW !esp ; state=NEW test=$MEM_VPN1_FWMARK/$CONNMASK
>
> Looks like it's putting the rule in 'tcfor' instead of 'tcin'.
>
> Also, seems out of order because I have two rules before the mangle SAVE rule:
> MARK($JUNK_MARK/$JUNK_MARK) 192.168.4.1 $FW tcp domain
> MARK($JUNK_MARK/$JUNK_MARK) 192.168.4.1 $FW tcp domain ; test=$SFN_VPN2_FWMARK/$CONNMASK
> that come after the erroring line (136) which are lines 146 & 147:
> -A tcin -s 192.168.4.1 -p 6 --dport 53 -j MARK --set-mark 0x400000/0x400000
> -A tcin -s 192.168.4.1 -p 6 --dport 53 test=0x2c00/0xff00 -j MARK --set-mark 0x400000/0x400000
>
> And it's choking on 'state=NEW'.
>
> Any help appreciated.
>
> Bill Shirley
>
> On 1/20/2015 9:32 AM, Bill Shirley wrote:
>> That fixes it.
>>
>> Thanks for all your hard work.
>>
>> Bill
>>
>> On 1/19/2015 11:51 AM, Tom Eastep wrote:
>>> On 1/18/2015 6:40 PM, Bill Shirley wrote:
>>>> I'm setting up a new server to be a backup of the production server.
>>>>
>>>> Production is running Fedora 19: shorewall-4.5.15-1.fc19.noarch
>>>>
>>>> New server is running Fedora 21: shorewall-4.6.5.3-1.fc21.noarch
>>>>
>>>> I've copied over my Shorewall configuration files and when I run
>>>> 'shorewall check' I get:
>>>> Checking /etc/shorewall/tcrules...
>>>> ERROR: SAVE rules are not allowed in the INPUT chain
>>>> /etc/shorewall/tcrules (line 198)
>>>>
>>>> The relevant rules are:
>>>> ?COMMENT -vpn- decrypted
>>>> SAVE/$CONNMASK $mem_net $FW !esp ; state=NEW test=$MEM_VPN1_FWMARK/$CONNMASK
>>>> SAVE/$CONNMASK $mem_net $FW !esp ; state=NEW test=$MEM_VPN2_FWMARK/$CONNMASK
>>>> SAVE/$CONNMASK $phx_net $FW !esp ; state=NEW test=$PHX_VPN_FWMARK/$CONNMASK
>>>> SAVE/$CONNMASK $sfn_net $FW !esp ; state=NEW test=$SFN_VPN1_FWMARK/$CONNMASK
>>>> SAVE/$CONNMASK $sfn_net $FW !esp ; state=NEW test=$SFN_VPN2_FWMARK/$CONNMASK
>>>>
>>>> My question is: Why can't I do a SAVE in the INPUT chain? Am I doing
>>>> something stupid?
>>> No -- I did. Patch attached.
>>>
>>> -Tom
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> New Year. New Location. New Benefits. New Data Center in Ashburn, VA.
>>> GigeNET is offering a free month of service with a new server in Ashburn.
>>> Choose from 2 high performing configs, both with 100TB of bandwidth.
>>> Higher redundancy.Lower latency.Increased capacity.Completely compliant.
>>> http://p.sf.net/sfu/gigenet
>>>
>>>
>>> _______________________________________________
>>> Shorewall-users mailing list
>>> [email protected]
>>> https://lists.sourceforge.net/lists/listinfo/shorewall-users
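A pre-flight check for the failure mode in this thread, added here as an example (it is not part of the original mail or of Shorewall): it scans iptables-restore input such as /var/lib/shorewall/.iptables-restore-input, the file named in the error log, for Shorewall column tokens like `state=NEW` or `test=0x2c00/0xff00` that reached a rule line verbatim instead of being compiled into an iptables match, and reports the offending line numbers before iptables-restore is run. The sample input is constructed from the rule lines quoted above.

```shell
#!/bin/sh
# Pre-flight lint for iptables-restore input such as
# /var/lib/shorewall/.iptables-restore-input (the file named in the error log).
# Shorewall's ";" column tokens (state=..., test=...) must be compiled into
# iptables matches (e.g. test=X/Y became "-m mark --mark X/Y" on the 4.5.15
# box); if one reaches a rule line verbatim, iptables-restore aborts with
# "Bad argument `state=NEW'". This catches that before restore is attempted.
# Example code, not part of Shorewall.

# lint_restore_input FILE
# Prints "line N: stray token X" per offending token; returns 1 if any found.
lint_restore_input() {
    file=$1
    bad=0
    n=0
    while IFS= read -r line; do
        n=$((n + 1))
        case $line in
            -A*)
                # Drop quoted --comment text so a comment cannot cause a false hit.
                rule=$(printf '%s\n' "$line" | sed 's/--comment "[^"]*"//')
                for tok in $rule; do
                    case $tok in
                        state=*|test=*)
                            printf 'line %d: stray token %s\n' "$n" "$tok"
                            bad=1
                            ;;
                    esac
                done
                ;;
        esac
    done < "$file"
    return $bad
}

# Constructed sample: the mangle rules quoted in the thread, two of them broken.
sample=$(mktemp)
cat > "$sample" <<'EOF'
*mangle
-A tcin -s 192.168.4.1 -p 6 --dport 53 -j MARK --set-mark 0x400000/0x400000
-A tcin -s 192.168.4.1 -p 6 --dport 53 test=0x2c00/0xff00 -j MARK --set-mark 0x400000/0x400000
-A tcfor -s 192.168.64.0/23 -d 10.0.0.0/8 ! -p 50 state=NEW test=0x3f00/0xff00 -j CONNMARK --save-mark --mask 0xff00 -m comment --comment "-vpn- decrypted"
COMMIT
EOF
lint_restore_input "$sample" || echo "refusing to run iptables-restore"
rm -f "$sample"
```

Run it against the saved restore input whenever `shorewall start` fails with a "Bad argument" error; a clean file returns 0.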
