On 07/23/2017 09:53 AM, Hesham Ahmed wrote:
> I tried to use ipsets in tcfilters (after enabling BASIC_FILTERS in
> shorewall.conf). "shorewall check" gave no errors but starting shorewall
> failed with the error below. Shorewall version is 5.1.5
>
> Adding Providers...
> Setting up Traffic Control...
> cmp: invalid mask
> ... cmp( u8 at 6 mask 0xff eq 6 ) and cmp( u16 at 0 layer 2 mask ffff eq
> 0x0016 ) and cmp( u32 at 16 mask 0xffff0000 eq 0x0a000000 >>)<< ...
> ... cmp(u16 at 0 layer 2 mask >>ffff<< eq 0x0016)...
> Usage: cmp(ALIGN at OFFSET [ ATTRS ] { eq | lt | gt } VALUE)
> where: ALIGN := { u8 | u16 | u32 }
> ATTRS := [ layer LAYER ] [ mask MASK ] [ trans ]
> LAYER := { link | network | transport | 0..2 }
>
> Example: cmp(u16 at 3 layer 2 mask 0xff00 gt 20)
> Illegal "ematch"
> ERROR: Command "tc filter add dev ifb0 protocol ip parent 3:0 prio 1
> basic match cmp( u8 at 6 mask 0xff eq 6 ) and cmp( u16 at 0 layer 2 mask
> ffff eq 0x0016 ) and cmp( u32 at 16 mask 0xffff0000 eq 0x0a000000 )
> flowid 3:110" Failed
> It would certainly make this a lot easier to analyze if you would send me (privately) a tarball of your configuration. Thanks, -Tom -- Tom Eastep \ Q: What do you get when you cross a mobster with Shoreline, \ an international standard? Washington, USA \ A: Someone who makes you an offer you can't http://shorewall.org \ understand \_______________________________________________
signature.asc
Description: OpenPGP digital signature
------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
