[0:root@apinetstore2 network 130]$ grep INLINE_MATCHES /etc/shorewall/shorewall.conf
INLINE_MATCHES=Yes

Yes, I am. It's the default. I set it to 'No' and 'shorewall start' now finishes. Is there a new syntax for the shortcuts?

Bill

On 1/22/2015 10:59 AM, Tom Eastep wrote:
> On 1/22/2015 3:32 AM, Bill Shirley wrote:
>> Well I spoke too soon. The patch got me past 'shorewall check' but now a
>> 'shorewall start' gives:
>> Jan 22 05:02:03 apinetstore2 shorewall: Preparing iptables-restore input...
>> Jan 22 05:02:03 apinetstore2 shorewall: Running /sbin/iptables-restore ...
>> Jan 22 05:02:03 apinetstore2 shorewall: Bad argument `state=NEW'
>> Jan 22 05:02:03 apinetstore2 shorewall: Error occurred at line: 136
>> Jan 22 05:02:03 apinetstore2 shorewall: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
>> Jan 22 05:02:03 apinetstore2 shorewall: cat: write error: Broken pipe
>> Jan 22 05:02:03 apinetstore2 shorewall: ERROR: iptables-restore Failed. Input is in /var/lib/shorewall/.iptables-restore-input
>> Jan 22 05:02:03 apinetstore2 logger: ERROR:Shorewall start failed
>> Just got my 3rd NIC installed so I can actually do a 'shorewall start'.
>>
>> The line (136) the kernel doesn't like is:
>> -A tcfor -s 192.168.64.0/23 -d 10.0.0.0/8 ! -p 50 state=NEW test=0x3f00/0xff00 -j CONNMARK --save-mark --mask 0xff00 -m comment --comment "-vpn- decrypted"
>>
>> which is (2nd line) in mangle:
>> ?COMMENT -vpn- decrypted
>> SAVE($CONNMASK) $mem_net $FW !esp ; state=NEW test=$MEM_VPN1_FWMARK/$CONNMASK
>>
>> Looks like it's putting the rule in 'tcfor' instead of 'tcin'.
>>
>> Also, seems out of order because I have two rules before the mangle SAVE rule:
>> MARK($JUNK_MARK/$JUNK_MARK) 192.168.4.1 $FW tcp domain
>> MARK($JUNK_MARK/$JUNK_MARK) 192.168.4.1 $FW tcp domain ; test=$SFN_VPN2_FWMARK/$CONNMASK
>> that come after the erroring line (136) which are lines 146 & 147:
>> -A tcin -s 192.168.4.1 -p 6 --dport 53 -j MARK --set-mark 0x400000/0x400000
>> -A tcin -s 192.168.4.1 -p 6 --dport 53 test=0x2c00/0xff00 -j MARK --set-mark 0x400000/0x400000
>>
>> And it's choking on 'state=NEW'.
>>
>> Any help appreciated.
> Bill,
>
> Are you setting INLINE_MATCHES in your shorewall.conf file?
>
> Thanks,
> -Tom
>
> ------------------------------------------------------------------------------
> New Year. New Location. New Benefits. New Data Center in Ashburn, VA.
> GigeNET is offering a free month of service with a new server in Ashburn.
> Choose from 2 high performing configs, both with 100TB of bandwidth.
> Higher redundancy.Lower latency.Increased capacity.Completely compliant.
> http://p.sf.net/sfu/gigenet
>
> _______________________________________________
> Shorewall-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
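The failure in this thread is a configuration mismatch: with INLINE_MATCHES=Yes, the text Bill placed after ';' in his mangle rules (state=NEW, test=...) reached iptables-restore verbatim and was rejected, and 'shorewall check' did not catch it. The following pre-flight checker is an added example written for this thread, not Shorewall's own code. It assumes shorewall.conf is plain KEY=VALUE lines, that INLINE_MATCHES defaults to Yes when unset (as Bill reports for his version), and uses a heuristic that a lowercase name=value token after a single ';' is a Shorewall column specifier while tokens beginning with '-' or '!' are genuine iptables matches; the sample inputs are constructed from the rules quoted above.

```python
"""Pre-flight lint: flag Shorewall mangle rules whose ';' column specifiers
would be passed to iptables-restore unchanged when INLINE_MATCHES=Yes.

Added example for this thread, not part of Shorewall. Assumptions:
  - shorewall.conf is KEY=VALUE lines (optionally quoted, '#' comments);
  - INLINE_MATCHES is treated as 'Yes' when unset (default per the thread);
  - after a single ';', a token like state=NEW or test=0x.. (lowercase name,
    then '=') is a Shorewall column specifier, whereas real iptables matches
    start with '-' or '!'; ';;' is skipped because it is explicitly inline.
"""
import re

COLUMN_SPEC = re.compile(r"^[a-z]+=")            # state=NEW, test=..., etc.
CONF_KEY = re.compile(r'^\s*INLINE_MATCHES\s*=\s*"?(\w*)"?', re.I)


def inline_matches_setting(conf_text, default="Yes"):
    """Return the effective INLINE_MATCHES value from shorewall.conf text.
    The last assignment wins; an empty or missing value yields the default."""
    value = default
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0]             # drop trailing comments
        m = CONF_KEY.match(line)
        if m:
            value = m.group(1) or default
    return value


def column_specs_after_semicolon(rule):
    """Return tokens after the first ';' that look like Shorewall column
    specifiers (name=value) rather than iptables options."""
    _head, sep, tail = rule.partition(";")
    if not sep or tail.startswith(";"):          # no ';', or ';;' inline form
        return []
    return [tok for tok in tail.split() if COLUMN_SPEC.match(tok)]


def lint_mangle(conf_text, mangle_text):
    """Return a list of (line_no, rule, specs) for rules whose column specs
    would reach iptables-restore verbatim under INLINE_MATCHES=Yes."""
    if inline_matches_setting(conf_text).lower() != "yes":
        return []
    findings = []
    for no, line in enumerate(mangle_text.splitlines(), 1):
        rule = line.strip()
        if not rule or rule[0] in "#?":         # blank, comment, ?directive
            continue
        specs = column_specs_after_semicolon(rule)
        if specs:
            findings.append((no, rule, specs))
    return findings


# Constructed sample inputs, taken from the rules quoted in the thread.
SAMPLE_CONF = "INLINE_MATCHES=Yes\n"
SAMPLE_MANGLE = """\
?COMMENT -vpn- decrypted
SAVE($CONNMASK) $mem_net $FW !esp ; state=NEW test=$MEM_VPN1_FWMARK/$CONNMASK
MARK($JUNK_MARK/$JUNK_MARK) 192.168.4.1 $FW tcp domain
MARK($JUNK_MARK/$JUNK_MARK) 192.168.4.1 $FW tcp domain ; test=$SFN_VPN2_FWMARK/$CONNMASK
"""

if __name__ == "__main__":
    for no, rule, specs in lint_mangle(SAMPLE_CONF, SAMPLE_MANGLE):
        print(f"mangle:{no}: INLINE_MATCHES=Yes will hand {specs} to "
              f"iptables-restore verbatim: {rule}")
```

Run it against the real files with something like lint_mangle(open('/etc/shorewall/shorewall.conf').read(), open('/etc/shorewall/mangle').read()) before 'shorewall start'; an empty result means either INLINE_MATCHES is not Yes or no rule relies on the single-';' column syntax.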
