On 8/19/19 2:26 AM, J Cliff Armstrong via Shorewall-users wrote:
> Running Arch Linux kernel 5.2.8-arch1-1-ARCH, Shorewall installed from Arch 
> community repo.
> 
> I'm trying to configure the policy:
> 
>> lan wan NFQUEUE(0:1)
> 
> The goal being to utilize two instances of snort (for blocking outgoing 
> sensitive information, in this case) running on separate cores and let 
> netfilter balance connections between them as per the shorewall-policy 
> manpage provided with the arch package and currently available on 
> shorewall.net. "NFQUEUE" passes 'check'. "NFQUEUE(0)" passes 'check'. 
> "NFQUEUE(0:1)" fails 'check' with the error:
> 
>> Checking /etc/shorewall/policy...
>> ERROR: Invalid policy (NFQUEUE(0) /etc/shorewall/policy (line 15)
> 
> Perhaps I'm misunderstanding the documented syntax? Additionally, is the 
> syntax really different from the NFQUEUE action in the shorewall-rules? I'm 
> hoping "no" but, of course, the documentation says it is.
> 

It's a bug. Patch attached.

-Tom

PS: I assume that your version is 5.2.3... There is no version 5.2.8.
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 7499b692c..13d6f88de 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -721,7 +721,13 @@ sub process_a_policy1($$$$$$$) {
 
     require_capability 'AUDIT_TARGET', ":audit", "s" if $audit;
 
-    my ( $policy, $pactions ) = split( /:/, $originalpolicy, 2 );
+    my ( $policy, $pactions );
+
+    if ( $originalpolicy =~ /^NFQUEUE\((.*?)\)(?::?(.*))/ ) {
+	( $policy, $pactions ) = ( "NFQUEUE($1)", $2 );
+    } else {
+	( $policy, $pactions ) = split( /:/, $originalpolicy, 2 );
+    }
 
     fatal_error "Invalid or missing POLICY ($originalpolicy)" unless $policy;
 
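Review bot: In the new NFQUEUE branch, the `(?::?(.*))` group makes the colon optional and the pattern has no `$` anchor, so text placed directly after the closing parenthesis (for example `NFQUEUE(0:1)foo`) is accepted as the policy actions without any separator. Consider `/^NFQUEUE\((.*?)\)(?::(.*))?$/` so that anything following `)` has to start with `:`. As written, this branch also leaves $pactions as an empty string when no actions follow, while the split branch leaves it undefined; the code that consumes $pactions is outside this hunk, so it is worth confirming both cases are handled the same way. The two added assignment lines are indented with tabs where the surrounding context uses spaces.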
