On 08/19/2015 12:15 PM, Tom Eastep wrote:
> 
> 
> On 08/19/2015 11:45 AM, Brian J. Murrell wrote:
>> On Wed, 2015-08-19 at 11:08 -0700, Tom Eastep wrote:
>>> Right -- and it isn't there when I compile this configuration:
>>>
>>> shorewall trace -vvv check -r . | less
> 
>> It is here when I do the same thing:
>>
>> Checking /etc/shorewall/gw-BB/mangle...
>> IN===> MARK(0x400):P    br-lan:!10.75.22.3,10.75.22.247 0.0.0.0/0       tcp  
>>    80
>>                 NF-(N)-> mangle:~excl0          
>>                 NF-(!O4)-> mangle:~excl0        
>>                 NF-(A)-> mangle:tcpre:4         -A tcpre -p 6 --dport 80 -i 
>> br-lan -j ~excl0 
>>                 NF-(A)-> mangle:~excl0:1        -A ~excl0 -s 10.75.22.3 -j 
>> RETURN 
>>                 NF-(A)-> mangle:~excl0:2        -A ~excl0 -s 10.75.22.247 -j 
>> RETURN 
>>                 NF-(A)-> mangle:~excl0:3        -A ~excl0 -j MARK --set-mark 
>> 0x400 
>>    Mangle Rule "MARK(0x400):P br-lan:!10.75.22.3,10.75.22.247 0.0.0.0/0 tcp 
>> 80" 0
>> IN===> MARK(0x400):P    br-guest:!10.75.22.3,10.75.22.247 0.0.0.0/0     tcp  
>>    80
>>                 NF-(N)-> mangle:~excl1          
>>                 NF-(!O4)-> mangle:~excl1        
>>                 NF-(A)-> mangle:tcpre:5         -A tcpre -p 6 --dport 80 -i 
>> br-guest -j ~excl1 
>>                 NF-(A)-> mangle:~excl1:1        -A ~excl1 -s 10.75.22.3 -j 
>> RETURN 
>>                 NF-(A)-> mangle:~excl1:2        -A ~excl1 -s 10.75.22.247 -j 
>> RETURN 
>>                 NF-(A)-> mangle:~excl1:3        -A ~excl1 -j MARK --set-mark 
>> 0x400 
>>    Mangle Rule "MARK(0x400):P br-guest:!10.75.22.3,10.75.22.247 0.0.0.0/0 
>> tcp 80" 0
>> ...
> 
> Note that the first entry in mangle creates tcpre rule 4!! Do the same
> thing searching for tcpre and see what is generating rules 1-3.
> 

It's your old tcrules file that is generating the 'extra' rules. Due to
a bug in 4.6.12-RC3, the tcrules file was getting removed and not
processed in my testing.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
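
Added example, not part of the original message and not Shorewall code: a small Python filter that does the search suggested above, attributing each numbered rule in a chain to the "Checking <file>..." and "IN===>" records that precede it in the trace. It assumes one trace record per line (as emitted, before mail wrapping); the tcrules entries and the /etc/shorewall/example path in the sample are constructed.

```python
import re

# Record shapes as they appear in the trace quoted in this thread.
CHECKING = re.compile(r"^Checking (\S+?)\.\.\.")
ENTRY = re.compile(r"^IN===>\s*(.*)$")
APPEND = re.compile(r"^\s*NF-\(A\)->\s*(\w+):([^:\s]+):(\d+)\s+(.*)$")

# Constructed sample: the tcrules entries and the example path are made up;
# the mangle entry is the first one from the thread, unwrapped.
SAMPLE_TRACE = """\
Checking /etc/shorewall/example/tcrules...
IN===> 1:P    eth9    0.0.0.0/0    tcp    22
                NF-(A)-> mangle:tcpre:1         -A tcpre -p 6 --dport 22 -i eth9 -j MARK --set-mark 1
IN===> 2:P    eth9    0.0.0.0/0    tcp    25
                NF-(A)-> mangle:tcpre:2         -A tcpre -p 6 --dport 25 -i eth9 -j MARK --set-mark 2
IN===> 3:P    eth9    0.0.0.0/0    udp    53
                NF-(A)-> mangle:tcpre:3         -A tcpre -p 17 --dport 53 -i eth9 -j MARK --set-mark 3
Checking /etc/shorewall/example/mangle...
IN===> MARK(0x400):P    br-lan:!10.75.22.3,10.75.22.247 0.0.0.0/0       tcp     80
                NF-(N)-> mangle:~excl0
                NF-(A)-> mangle:tcpre:4         -A tcpre -p 6 --dport 80 -i br-lan -j ~excl0
                NF-(A)-> mangle:~excl0:1        -A ~excl0 -s 10.75.22.3 -j RETURN
                NF-(A)-> mangle:~excl0:2        -A ~excl0 -s 10.75.22.247 -j RETURN
                NF-(A)-> mangle:~excl0:3        -A ~excl0 -j MARK --set-mark 0x400
"""

def rule_origins(trace_text, table, chain):
    """Map rule number -> (config file, config entry, iptables rule) for one chain."""
    cfg_file = entry = None
    origins = {}
    for line in trace_text.splitlines():
        m = CHECKING.match(line)
        if m:                      # a new config file is being processed
            cfg_file, entry = m.group(1), None
            continue
        m = ENTRY.match(line)
        if m:                      # a new input entry from that file
            entry = " ".join(m.group(1).split())
            continue
        m = APPEND.match(line)
        if m and m.group(1) == table and m.group(2) == chain:
            origins[int(m.group(3))] = (cfg_file, entry, m.group(4).strip())
    return origins

if __name__ == "__main__":
    for num, (cfg, entry, rule) in sorted(rule_origins(SAMPLE_TRACE, "mangle", "tcpre").items()):
        print(f"tcpre:{num}  {cfg}  [{entry}]  {rule}")
```
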
