On Wed, 2015-08-19 at 11:08 -0700, Tom Eastep wrote:
> Right -- and it isn't there when I compile this configuration:
>
> shorewall trace -vvv check -r . | less
> export COLORTERM='mate-terminal'
> export DBUS_SESSION_BUS_ADDRESS='unix:abstract=/tmp/dbus-GKT6hkgxs4,guid=7902f8877609f53d5719269b55d4b427'
> export DESKTOP_SESSION='mate'
> export DISPLAY=':0.0'
> export DOGFOOD='loc:10.75.22.6'
> export DSLIF='wan1'
> ...
> Checking /home/teastep/shorewall/support/Brian/mangle...
> IN===> MARK(0x400):P br-lan:!10.75.22.3,10.75.22.247 0.0.0.0/0 tcp 80
> NF-(N)-> mangle:~excl0
> NF-(!O4)-> mangle:~excl0
> NF-(A)-> mangle:tcpre:1 -A tcpre -p 6 --dport 80 -i br-lan -j ~excl0
> NF-(A)-> mangle:~excl0:1 -A ~excl0 -s 10.75.22.3 -j RETURN
> NF-(A)-> mangle:~excl0:2 -A ~excl0 -s 10.75.22.247 -j RETURN
> NF-(A)-> mangle:~excl0:3 -A ~excl0 -j MARK --set-mark 0x400
> Mangle Rule "MARK(0x400):P br-lan:!10.75.22.3,10.75.22.247 0.0.0.0/0 tcp 80" 0
> IN===> MARK(0x400):P br-guest:!10.75.22.3,10.75.22.247 0.0.0.0/0 tcp 80
> NF-(N)-> mangle:~excl1
> NF-(!O4)-> mangle:~excl1
> NF-(A)-> mangle:tcpre:2 -A tcpre -p 6 --dport 80 -i br-guest -j ~excl1
> NF-(A)-> mangle:~excl1:1 -A ~excl1 -s 10.75.22.3 -j RETURN
> NF-(A)-> mangle:~excl1:2 -A ~excl1 -s 10.75.22.247 -j RETURN
> NF-(A)-> mangle:~excl1:3 -A ~excl1 -j MARK --set-mark 0x400
> Mangle Rule "MARK(0x400):P br-guest:!10.75.22.3,10.75.22.247 0.0.0.0/0 tcp 80" 0
> ...
> :tcpre - [0:0]
> :~excl0 - [0:0]
> :~excl1 - [0:0]
> -A PREROUTING -j CONNMARK --restore-mark --mask 0xff00
> -A PREROUTING -i wan0 -m mark --mark 0/0xff00 -j routemark
> -A PREROUTING -i wan1 -m mark --mark 0/0xff00 -j routemark
> -A PREROUTING -m mark --mark 0/0xff00 -j tcpre
> -A INPUT -j tcin
> -A FORWARD -j MARK --set-mark 0/0xff00
> -A FORWARD -j tcfor
> -A OUTPUT -j CONNMARK --restore-mark --mask 0xff00
> -A OUTPUT -m mark --mark 0/0xff00 -j tcout
> -A POSTROUTING -j tcpost
> -A routemark -i wan0 -j MARK --set-mark 0x100/0xff00
> -A routemark -i wan1 -j MARK --set-mark 0x200/0xff00
> -A routemark -m mark ! --mark 0/0xff00 -j CONNMARK --save-mark --mask 0xff00
> -A tcpre -p 6 --dport 80 -i br-lan -j ~excl0
> -A tcpre -p 6 --dport 80 -i br-guest -j ~excl1
> -A ~excl0 -s 10.75.22.3 -j RETURN
> -A ~excl0 -s 10.75.22.247 -j RETURN
> -A ~excl0 -j MARK --set-mark 0x400
> -A ~excl1 -s 10.75.22.3 -j RETURN
> -A ~excl1 -s 10.75.22.247 -j RETURN
> -A ~excl1 -j MARK --set-mark 0x400
> COMMIT
It is here when I do the same thing:
Checking /etc/shorewall/gw-BB/mangle...
IN===> MARK(0x400):P br-lan:!10.75.22.3,10.75.22.247 0.0.0.0/0 tcp 80
NF-(N)-> mangle:~excl0
NF-(!O4)-> mangle:~excl0
NF-(A)-> mangle:tcpre:4 -A tcpre -p 6 --dport 80 -i br-lan -j ~excl0
NF-(A)-> mangle:~excl0:1 -A ~excl0 -s 10.75.22.3 -j RETURN
NF-(A)-> mangle:~excl0:2 -A ~excl0 -s 10.75.22.247 -j RETURN
NF-(A)-> mangle:~excl0:3 -A ~excl0 -j MARK --set-mark 0x400
Mangle Rule "MARK(0x400):P br-lan:!10.75.22.3,10.75.22.247 0.0.0.0/0 tcp 80" 0
IN===> MARK(0x400):P br-guest:!10.75.22.3,10.75.22.247 0.0.0.0/0 tcp 80
NF-(N)-> mangle:~excl1
NF-(!O4)-> mangle:~excl1
NF-(A)-> mangle:tcpre:5 -A tcpre -p 6 --dport 80 -i br-guest -j ~excl1
NF-(A)-> mangle:~excl1:1 -A ~excl1 -s 10.75.22.3 -j RETURN
NF-(A)-> mangle:~excl1:2 -A ~excl1 -s 10.75.22.247 -j RETURN
NF-(A)-> mangle:~excl1:3 -A ~excl1 -j MARK --set-mark 0x400
Mangle Rule "MARK(0x400):P br-guest:!10.75.22.3,10.75.22.247 0.0.0.0/0 tcp 80" 0
...
:~excl0 - [0:0]
:~excl1 - [0:0]
-A PREROUTING -j CONNMARK --restore-mark --mask 0xff00
-A PREROUTING -i eth0.2 -m mark --mark 0/0xff00 -j routemark
-A PREROUTING -i pppoe-wan1 -m mark --mark 0/0xff00 -j routemark
-A PREROUTING -m mark --mark 0/0xff00 -j tcpre
-A INPUT -j tcin
-A FORWARD -j MARK --set-mark 0/0xff00
-A FORWARD -j tcfor
-A OUTPUT -j CONNMARK --restore-mark --mask 0xff00
-A OUTPUT -m mark --mark 0/0xff00 -j tcout
-A POSTROUTING -j tcpost
-A routemark -i eth0.2 -j MARK --set-mark 0x100/0xff00
-A routemark -i pppoe-wan1 -j MARK --set-mark 0x200/0xff00
-A routemark -m mark ! --mark 0/0xff00 -j CONNMARK --save-mark --mask 0xff00
-A tcfor -p 6 -j CONNMARK --restore-mark --mask 0xff
-A tcfor -p 6 -m mark ! --mark 0/0xff -j RETURN
-A tcfor -p 6 -m mark --mark 1/0xff -j CONNMARK --save-mark --mask 0xff
-A tcfor -p 0 -m mark --mark 0/0xff -j CONNMARK --restore-mark --mask 0xff
-A tcfor -p 0 -m mark ! --mark 0/0xff -j RETURN
-A tcfor -p 0 -m mark ! --mark 0/0xff -j CONNMARK --save-mark --mask 0xff
-A tcpre ! -s 10.75.22.3 -p 6 --dport 80 -i br-lan -j MARK --set-mark 1024
-A tcpre -p 0 -m mark ! --mark 0/0x300 -j RETURN
-A tcpre -p 6 --dport 25 -i br-lan -j MARK --set-mark 512
-A tcpre -p 6 --dport 80 -i br-lan -j ~excl0
-A tcpre -p 6 --dport 80 -i br-guest -j ~excl1
-A ~excl0 -s 10.75.22.3 -j RETURN
-A ~excl0 -s 10.75.22.247 -j RETURN
-A ~excl0 -j MARK --set-mark 0x400
-A ~excl1 -s 10.75.22.3 -j RETURN
-A ~excl1 -s 10.75.22.247 -j RETURN
-A ~excl1 -j MARK --set-mark 0x400
COMMIT
Is this the difference of versions perhaps?
As another difference, I notice my output includes a tcfor chain which
yours does not. My output also includes these rules yours doesn't:
-A tcpre -p 0 -m mark ! --mark 0/0x300 -j RETURN
-A tcpre -p 6 --dport 25 -i br-lan -j MARK --set-mark 512
So there are definitely a number of differences.
Cheers,
b.
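The comparison above is done by eye. As an added example (not part of the thread, and not Shorewall's own code), here is a small Python script that parses two iptables-save style mangle dumps chain by chain, reports which chains and rules exist only on one side, and checks that an exclusion chain of the `~exclN` kind really has a `-s host -j RETURN` for every host listed after `!` in the mangle rule before it reaches the MARK. The two rule sets embedded below are constructed from the dumps quoted in this thread, trimmed to the FORWARD, tcfor, tcpre and ~excl lines; everything else about the script (function names, the trimming) is this example's own choice.

```python
"""Diff two Shorewall-generated mangle dumps and verify exclusion chains.

Added example for the Shorewall-users thread; not Shorewall's code.
The two dumps are constructed from the thread (Tom's compile vs. Brian's),
trimmed to the chains relevant to the discussion.
"""
import re

# Constructed sample: Tom's dump, trimmed (no tcfor rules, two tcpre rules).
TOM_MANGLE = """\
:tcpre - [0:0]
:~excl0 - [0:0]
:~excl1 - [0:0]
-A FORWARD -j tcfor
-A tcpre -p 6 --dport 80 -i br-lan -j ~excl0
-A tcpre -p 6 --dport 80 -i br-guest -j ~excl1
-A ~excl0 -s 10.75.22.3 -j RETURN
-A ~excl0 -s 10.75.22.247 -j RETURN
-A ~excl0 -j MARK --set-mark 0x400
-A ~excl1 -s 10.75.22.3 -j RETURN
-A ~excl1 -s 10.75.22.247 -j RETURN
-A ~excl1 -j MARK --set-mark 0x400
COMMIT
"""

# Constructed sample: Brian's dump, trimmed (tcfor rules and extra tcpre rules).
BRIAN_MANGLE = """\
:~excl0 - [0:0]
:~excl1 - [0:0]
-A FORWARD -j tcfor
-A tcfor -p 6 -j CONNMARK --restore-mark --mask 0xff
-A tcfor -p 6 -m mark ! --mark 0/0xff -j RETURN
-A tcfor -p 6 -m mark --mark 1/0xff -j CONNMARK --save-mark --mask 0xff
-A tcfor -p 0 -m mark --mark 0/0xff -j CONNMARK --restore-mark --mask 0xff
-A tcfor -p 0 -m mark ! --mark 0/0xff -j RETURN
-A tcfor -p 0 -m mark ! --mark 0/0xff -j CONNMARK --save-mark --mask 0xff
-A tcpre ! -s 10.75.22.3 -p 6 --dport 80 -i br-lan -j MARK --set-mark 1024
-A tcpre -p 0 -m mark ! --mark 0/0x300 -j RETURN
-A tcpre -p 6 --dport 25 -i br-lan -j MARK --set-mark 512
-A tcpre -p 6 --dport 80 -i br-lan -j ~excl0
-A tcpre -p 6 --dport 80 -i br-guest -j ~excl1
-A ~excl0 -s 10.75.22.3 -j RETURN
-A ~excl0 -s 10.75.22.247 -j RETURN
-A ~excl0 -j MARK --set-mark 0x400
-A ~excl1 -s 10.75.22.3 -j RETURN
-A ~excl1 -s 10.75.22.247 -j RETURN
-A ~excl1 -j MARK --set-mark 0x400
COMMIT
"""


def parse_mangle(text):
    """Parse iptables-save lines into {chain: [rule, ...]} in file order.
    Chains come from both ':name' declarations and '-A name ...' rules, so a
    chain that is only referenced (like tcfor here) is still listed."""
    chains = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "COMMIT" or line.startswith(("#", "*")):
            continue
        if line.startswith(":"):
            chains.setdefault(line[1:].split()[0], [])
        elif line.startswith("-A "):
            _, chain, rest = line.split(" ", 2)
            chains.setdefault(chain, []).append(rest)
    return chains


def diff_rulesets(a, b):
    """Chains and individual rules present in one dump but absent in the other."""
    return {
        "chains_only_in_a": sorted(set(a) - set(b)),
        "chains_only_in_b": sorted(set(b) - set(a)),
        "rules_only_in_a": sorted(f"{c} {r}" for c in a for r in a[c]
                                  if r not in b.get(c, [])),
        "rules_only_in_b": sorted(f"{c} {r}" for c in b for r in b[c]
                                  if r not in a.get(c, [])),
    }


def exclusion_chain_ok(chains, chain, excluded_hosts, mark):
    """True if every excluded host hits '-s host -j RETURN' before the MARK
    rule, i.e. the '!host1,host2' exclusion in the mangle file was honoured."""
    rules = chains.get(chain, [])
    mark_idx = next((i for i, r in enumerate(rules)
                     if f"-j MARK --set-mark {mark}" in r), None)
    if mark_idx is None:
        return False
    returned = {m.group(1) for r in rules[:mark_idx]
                for m in [re.match(r"-s (\S+) -j RETURN$", r)] if m}
    return set(excluded_hosts) <= returned


def compare_thread_dumps():
    """Diff the two constructed dumps from the thread."""
    return diff_rulesets(parse_mangle(TOM_MANGLE), parse_mangle(BRIAN_MANGLE))


if __name__ == "__main__":
    d = compare_thread_dumps()
    for key, items in d.items():
        print(key, *items, sep="\n  ")
    ok = exclusion_chain_ok(parse_mangle(BRIAN_MANGLE), "~excl0",
                            ["10.75.22.3", "10.75.22.247"], "0x400")
    print("~excl0 excludes both hosts:", ok)
```

Run stand-alone, it lists tcfor as the chain present only in the second dump and the nine rules (six tcfor rules, three extra tcpre rules) found only there, which is the same set of differences enumerated in the reply above; the exclusion check confirms that both `~excl0` and `~excl1` RETURN for both listed hosts before marking.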
Shorewall-users mailing list: [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
