On 07/23/2017 11:40 AM, Tom Eastep wrote:
> On 07/23/2017 09:53 AM, Hesham Ahmed wrote:
>> I tried to use ipsets in tcfilters (after enabling BASIC_FILTERS in
>> shorewall.conf). "shorewall check" gave no errors but starting shorewall
>> failed with the error below. Shorewall version is 5.1.5
>>
>> Adding Providers...
>> Setting up Traffic Control...
>> cmp: invalid mask
>> ... cmp( u8 at 6 mask 0xff eq 6 ) and cmp( u16 at 0 layer 2 mask ffff eq
>> 0x0016 ) and cmp( u32 at 16 mask 0xffff0000 eq 0x0a000000 >>)<< ...
>> ... cmp(u16 at 0 layer 2 mask >>ffff<< eq 0x0016)...
>> Usage: cmp(ALIGN at OFFSET [ ATTRS ] { eq | lt | gt } VALUE)
>> where: ALIGN := { u8 | u16 | u32 }
>> ATTRS := [ layer LAYER ] [ mask MASK ] [ trans ]
>> LAYER := { link | network | transport | 0..2 }
>>
>> Example: cmp(u16 at 3 layer 2 mask 0xff00 gt 20)
>> Illegal "ematch"
>> ERROR: Command "tc filter add dev ifb0 protocol ip parent 3:0 prio 1
>> basic match cmp( u8 at 6 mask 0xff eq 6 ) and cmp( u16 at 0 layer 2 mask
>> ffff eq 0x0016 ) and cmp( u32 at 16 mask 0xffff0000 eq 0x0a000000 )
>> flowid 3:110" Failed
>>
>
> It would certainly make this a lot easier to analyze if you would send
> me (privately) a tarball of your configuration.
>

Although, I suspect that the attached patch may eliminate the problem.

    . /usr/share/shorewall/shorewallrc
    patch $PERLLIBDIR/Shorewall/Tc.pm < TCFILTER_SPORT.patch

-Tom
--
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________

diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm index 452a3b9cf..49dc7f6a4 100644 --- a/Shorewall/Perl/Shorewall/Tc.pm +++ b/Shorewall/Perl/Shorewall/Tc.pm @@ -1434,7 +1434,7 @@ sub process_tc_filter2( $$$$$$$$$ ) { while ( @sportlist ) { my ( $sport, $smask ) = ( shift @sportlist, shift @sportlist ); - $rule .= "\\\n cmp\\( u16 at 0 layer 2 mask $smask eq 0x$sport \\)"; + $rule .= "\\\n cmp\\( u16 at 0 layer 2 mask 0x$smask eq 0x$sport \\)"; $rule .= ' or' if @sportlist; }
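
Review bot: The hard-coded `0x` in front of `$smask` on the changed `cmp` line is only correct while every path that fills @sportlist supplies the mask as bare hex digits, the same way `$sport` is supplied; a mask that already carries a prefix would come out as `mask 0x0x...` and tc would reject the filter again. A short comment at the top of the `while ( @sportlist )` loop stating that both elements of each pair are unprefixed hex would make that contract explicit. The report also shows that "shorewall check" passed and the bad mask was caught only when tc ran the command at start, so a test case that compiles a tcfilters entry with a source port and inspects the generated `cmp` clause would keep this from regressing unnoticed.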
_______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users