On 07/23/2017 11:40 AM, Tom Eastep wrote:
> On 07/23/2017 09:53 AM, Hesham Ahmed wrote:
>> I tried to use ipsets in tcfilters (after enabling BASIC_FILTERS in
>> shorewall.conf). "shorewall check" gave no errors but starting shorewall
>> failed with the error below. Shorewall version is 5.1.5
>>
>> Adding Providers...
>> Setting up Traffic Control...
>> cmp: invalid mask
>> ... cmp( u8 at 6 mask 0xff eq 6 ) and cmp( u16 at 0 layer 2 mask ffff eq
>> 0x0016 ) and cmp( u32 at 16 mask 0xffff0000 eq 0x0a000000 >>)<< ...
>> ... cmp(u16 at 0 layer 2 mask >>ffff<< eq 0x0016)...
>> Usage: cmp(ALIGN at OFFSET [ ATTRS ] { eq | lt | gt } VALUE)
>> where: ALIGN := { u8 | u16 | u32 }
>> ATTRS := [ layer LAYER ] [ mask MASK ] [ trans ]
>> LAYER := { link | network | transport | 0..2 }
>>
>> Example: cmp(u16 at 3 layer 2 mask 0xff00 gt 20)
>> Illegal "ematch"
>> ERROR: Command "tc filter add dev ifb0 protocol ip parent 3:0 prio 1
>> basic match cmp( u8 at 6 mask 0xff eq 6 ) and cmp( u16 at 0 layer 2 mask
>> ffff eq 0x0016 ) and cmp( u32 at 16 mask 0xffff0000 eq 0x0a000000 )
>> flowid 3:110" Failed
>>
>
> It would certainly make this a lot easier to analyze if you would send
> me (privately) a tarball of your configuration.
>
Although, I suspect that the attached patch may eliminate the problem.
. /usr/share/shorewall/shorewallrc
patch $PERLLIBDIR/Shorewall/Tc.pm < TCFILTER_SPORT.patch
-Tom
--
Tom Eastep \ Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.org \ understand
\_______________________________________________
diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index 452a3b9cf..49dc7f6a4 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -1434,7 +1434,7 @@ sub process_tc_filter2( $$$$$$$$$ ) {
while ( @sportlist ) {
my ( $sport, $smask ) = ( shift @sportlist, shift @sportlist );
- $rule .= "\\\n cmp\\( u16 at 0 layer 2 mask $smask eq 0x$sport \\)";
+ $rule .= "\\\n cmp\\( u16 at 0 layer 2 mask 0x$smask eq 0x$sport \\)";
$rule .= ' or' if @sportlist;
}
signature.asc
Description: OpenPGP digital signature
------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
