Re: [Shorewall-users] Shorewall6: Mr. Mangle not happy

Mon, 07 Sep 2015 11:04:39 -0700 

On 9/7/2015 6:19 AM, Bill Shirley wrote:
> I've run into a problem with using SAVE(0x3ffff) and RESTORE(0x3ffff) in the 
> mangle table:
> [0:root@elmo dhcp]$ shorewall6 check
> Checking...
> Processing /etc/shorewall6/params ...
> Processing /etc/shorewall6/shorewall6.conf...
> Loading Modules...
> Checking /etc/shorewall6/zones...
> Checking /etc/shorewall6/interfaces...
> Checking /etc/shorewall6/hosts...
> Determining Hosts in Zones...
> Locating Action Files...
> Checking /etc/shorewall6/policy...
> Adding rules for DHCP
> Checking TCP Flags filtering...
> Checking Accept Routing Advertisements...
> Checking /etc/shorewall6/mangle...
>     ERROR: Mark value (0x3ff00) too large /etc/shorewall6/mangle (line 106)
> 
> Line 106 is a RESTORE:
> RESTORE($CONNMASK) $FW                             -                       
> all     { test=0/$CONNMASK }
> 
> It's the RESTORE operand that's failing.  If I code 0xff for the test operand 
> it still fails.  However, if I
> code 0xff for RESTORE it's happy.  Also note, it's a mask; not a mark.
> 
> 
> [2:root@elmo shorewall6]$ rpm -q shorewall6
> shorewall6-4.6.11.1-2.fc22.noarch
> 
> /etc/shorewall6/params:
> CONNMASK=0x3ff00
> IPSEC_MARK=0x10000
> 
> 
> /var/lib/shorewall6/marks:
> Traffic Shaping:0-255 (0x0-0xff) mask 0xff
> User:256-16776960 (0x100-0xffff00) mask 0xffff00
> Provider: Not Enabled
> Zone:16777216-520093696 (0x1000000-0x1f000000) mask 0x1f000000
> Exclusion:536870912 mask 0x20000000
> TProxy:1073741824 mask 0x40000000
> 
> grep -i -e bits -e wide -e high shorewall6.conf:
> TC_BITS=
> PROVIDER_BITS=
> MASK_BITS=
> ZONE_BITS=0
> TC_BITS=8
> MASK_BITS=8
> PROVIDER_BITS=0
> ZONE_BITS=5
> 
> How can I make Mr. Mangle happy?
> 

Set TC_EXPERT=Yes and PROVIDER_OFFSET=18 in shorewall.conf. And you will
have to replace 'all' in your rule by '-' to avoid another error :-)

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Attachment: signature.asc
Description: OpenPGP digital signature

------------------------------------------------------------------------------

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users

Reply via email to