On 1/22/2015 3:32 AM, Bill Shirley wrote:
> Well I spoke too soon. The patch got me past 'shorewall check' but now a
> 'shorewall start' gives:
>
> Jan 22 05:02:03 apinetstore2 shorewall: Preparing iptables-restore input...
> Jan 22 05:02:03 apinetstore2 shorewall: Running /sbin/iptables-restore ...
> Jan 22 05:02:03 apinetstore2 shorewall: Bad argument `state=NEW'
> Jan 22 05:02:03 apinetstore2 shorewall: Error occurred at line: 136
> Jan 22 05:02:03 apinetstore2 shorewall: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
> Jan 22 05:02:03 apinetstore2 shorewall: cat: write error: Broken pipe
> Jan 22 05:02:03 apinetstore2 shorewall: ERROR: iptables-restore Failed. Input is in /var/lib/shorewall/.iptables-restore-input
> Jan 22 05:02:03 apinetstore2 logger: ERROR:Shorewall start failed
>
> Just got my 3rd NIC installed so I can actually do a 'shorewall start'.
>
> The line (136) the kernel doesn't like is:
>
> -A tcfor -s 192.168.64.0/23 -d 10.0.0.0/8 ! -p 50 state=NEW test=0x3f00/0xff00 -j CONNMARK --save-mark --mask 0xff00 -m comment --comment "-vpn- decrypted"
>
> which is (2nd line) in mangle:
>
> ?COMMENT -vpn- decrypted
> SAVE($CONNMASK) $mem_net $FW !esp ; state=NEW test=$MEM_VPN1_FWMARK/$CONNMASK
>
> Looks like it's putting the rule in 'tcfor' instead of 'tcin'.
>
> Also, seems out of order because I have two rules before the mangle SAVE rule:
>
> MARK($JUNK_MARK/$JUNK_MARK) 192.168.4.1 $FW tcp domain
> MARK($JUNK_MARK/$JUNK_MARK) 192.168.4.1 $FW tcp domain ; test=$SFN_VPN2_FWMARK/$CONNMASK
>
> that come after the erroring line (136) which are lines 146 & 147:
>
> -A tcin -s 192.168.4.1 -p 6 --dport 53 -j MARK --set-mark 0x400000/0x400000
> -A tcin -s 192.168.4.1 -p 6 --dport 53 test=0x2c00/0xff00 -j MARK --set-mark 0x400000/0x400000
>
> And it's choking on 'state=NEW'.
>
> Any help appreciated.
Bill,

Are you setting INLINE_MATCHES in your shorewall.conf file?

Thanks,
-Tom

--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
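The failure in the thread is visible in the generated input itself: `state=NEW` and `test=0x3f00/0xff00` reached iptables-restore as bare tokens, which is not a syntax iptables-restore accepts, so it stopped at that line. The following script is an added example, not code from the thread or from the Shorewall project: it scans iptables-restore input for bare `NAME=VALUE` tokens in rule lines and reports the 1-based line number iptables-restore would complain about, and it reads the `INLINE_MATCHES` setting out of a shorewall.conf file so the two can be compared. The sample rules are constructed from the lines Bill quoted; the shorewall.conf fragment is constructed, and the assumption that shorewall.conf uses `NAME=value` lines is mine. The `--comment` handling is a heuristic (a token that follows an option is treated as that option's argument, never as a stray column spec).

```python
import re
import shlex

# Constructed sample of iptables-restore input, modelled on the rules quoted in
# the thread. Line numbers here are positions in this sample, not Shorewall's
# 136/146/147.
SAMPLE_RESTORE_INPUT = """*mangle
:tcfor - [0:0]
:tcin - [0:0]
-A tcfor -s 192.168.64.0/23 -d 10.0.0.0/8 ! -p 50 state=NEW test=0x3f00/0xff00 -j CONNMARK --save-mark --mask 0xff00 -m comment --comment "-vpn- decrypted"
-A tcin -s 192.168.4.1 -p 6 --dport 53 -j MARK --set-mark 0x400000/0x400000
-A tcin -s 192.168.4.1 -p 6 --dport 53 test=0x2c00/0xff00 -j MARK --set-mark 0x400000/0x400000
-A tcin -s 192.168.4.1 -p 6 --dport 53 -m conntrack --ctstate NEW -j MARK --set-mark 0x400000/0x400000
COMMIT
"""

# Constructed shorewall.conf fragment (assumption: NAME=value lines, '#' comments).
SAMPLE_SHOREWALL_CONF = """# constructed fragment, not a real configuration
STARTUP_ENABLED=Yes
INLINE_MATCHES=Yes
"""

# A bare column-specification token: NAME=VALUE with no leading dash.
BARE_SPEC = re.compile(r"^[A-Za-z_]\w*=\S*$")


def find_bare_column_specs(restore_input):
    """Return [(line_number, token), ...] for bare NAME=VALUE tokens in rule lines.

    iptables-restore has no NAME=VALUE argument syntax, so any such token in an
    -A/-I line is exactly what produces "Bad argument `state=NEW'". Line numbers
    are 1-based over the whole input, which is how iptables-restore reports them.
    """
    hits = []
    for lineno, line in enumerate(restore_input.splitlines(), start=1):
        if not line.startswith(("-A", "-I")):
            continue  # table header, chain declarations, COMMIT
        tokens = shlex.split(line)  # keeps a quoted --comment text as one token
        for prev, tok in zip([""] + tokens, tokens):
            # Heuristic: a token right after an option (e.g. --comment) is that
            # option's argument, so never flag it even if it contains '='.
            if prev.startswith("-"):
                continue
            if BARE_SPEC.match(tok):
                hits.append((lineno, tok))
    return hits


def inline_matches_setting(conf_text):
    """Return the INLINE_MATCHES value from shorewall.conf text, or None if unset."""
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "INLINE_MATCHES":
            return value.strip().strip('"')
    return None


if __name__ == "__main__":
    for lineno, tok in find_bare_column_specs(SAMPLE_RESTORE_INPUT):
        print(f"line {lineno}: bare column spec {tok!r} will be rejected by iptables-restore")
    print("INLINE_MATCHES =", inline_matches_setting(SAMPLE_SHOREWALL_CONF))
```

Run against the real file named in the error (`/var/lib/shorewall/.iptables-restore-input`) and the host's shorewall.conf, the script tells you which generated lines carry leftover `NAME=VALUE` text and what INLINE_MATCHES is set to, which is the pair of facts Tom's question is asking Bill to line up.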
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
