On 07/23/2017 11:40 AM, Tom Eastep wrote:
> On 07/23/2017 09:53 AM, Hesham Ahmed wrote:
>> I tried to use ipsets in tcfilters (after enabling BASIC_FILTERS in
>> shorewall.conf). "shorewall check" gave no errors but starting shorewall
>> failed with the error below. Shorewall version is 5.1.5
>>
>> Adding Providers...
>> Setting up Traffic Control...
>> cmp: invalid mask
>> ... cmp( u8 at 6 mask 0xff eq 6 ) and cmp( u16 at 0 layer 2 mask ffff eq
>> 0x0016 ) and cmp( u32 at 16 mask 0xffff0000 eq 0x0a000000 >>)<< ...
>> ... cmp(u16 at 0 layer 2 mask >>ffff<< eq 0x0016)...
>> Usage: cmp(ALIGN at OFFSET [ ATTRS ] { eq | lt | gt } VALUE)
>> where: ALIGN  := { u8 | u16 | u32 }
>>        ATTRS  := [ layer LAYER ] [ mask MASK ] [ trans ]
>>        LAYER  := { link | network | transport | 0..2 }
>>
>> Example: cmp(u16 at 3 layer 2 mask 0xff00 gt 20)
>> Illegal "ematch"
>>    ERROR: Command "tc filter add dev ifb0 protocol ip parent 3:0 prio 1
>> basic match cmp( u8 at 6 mask 0xff eq 6 ) and cmp( u16 at 0 layer 2 mask
>> ffff eq 0x0016 ) and cmp( u32 at 16 mask 0xffff0000 eq 0x0a000000 )
>> flowid 3:110" Failed
>>
> 
> It would certainly make this a lot easier to analyze if you would send
> me (privately) a tarball of your configuration.
> 

Although, I suspect that the attached patch may eliminate the problem.

    . /usr/share/shorewall/shorewallrc
    patch $PERLLIBDIR/Shorewall/Tc.pm < TCFILTER_SPORT.patch

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index 452a3b9cf..49dc7f6a4 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -1434,7 +1434,7 @@ sub process_tc_filter2( $$$$$$$$$ ) {
 
 	    while ( @sportlist ) {
 		my ( $sport, $smask ) = ( shift @sportlist, shift @sportlist );
-		$rule .= "\\\n   cmp\\( u16 at 0 layer 2 mask $smask eq 0x$sport \\)";
+		$rule .= "\\\n   cmp\\( u16 at 0 layer 2 mask 0x$smask eq 0x$sport \\)";
 		$rule .= ' or' if @sportlist;
 	    }
 
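Review bot: The `+` line in the `while ( @sportlist )` loop hard-codes the prefix as `mask 0x$smask`, which is only correct if every mask shifted off `@sportlist` is bare hex digits with no `0x` of its own, the same assumption `eq 0x$sport` already makes. A short comment above the loop stating that `@sportlist` holds (port, mask) pairs as unprefixed hex would document this, since a mask that arrived already prefixed would now be emitted as `0x0x...` and tc would reject it again. The change itself matches the other terms in the reported command, which already use `mask 0xff` and `mask 0xffff0000`. Because the report says "shorewall check" passed and the error surfaced only when tc parsed the rule at start, it would also help to exercise a tcfilter with a source port in whatever regression configuration is used.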

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users