August 21, 2019 1:53 PM, "J Cliff Armstrong via Shorewall-users"
<shorewall-users@lists.sourceforge.net> wrote:

> August 19, 2019 5:50 PM, "J Cliff Armstrong via Shorewall-users"
> <shorewall-users@lists.sourceforge.net> wrote:
> 
>> August 19, 2019 4:47 PM, "Tom Eastep" <teas...@shorewall.net> wrote:
>> 
>>> On 8/19/19 2:26 AM, J Cliff Armstrong via Shorewall-users wrote:
>> 
>> Running Arch Linux kernel 5.2.8-arch1-1-ARCH, Shorewall installed from Arch 
>> community repo.
>> 
>> I'm trying to configure the policy:
>>> lan wan NFQUEUE(0:1)
>> 
>> The goal being to utilize two instances of snort (for blocking outgoing
>> sensitive information, in this case) running on separate cores and let
>> netfilter balance connections between them as per the shorewall-policy
>> manpage provided with the arch package and currently available on
>> shorewall.net. "NFQUEUE" passes 'check'. "NFQUEUE(0)" passes 'check'.
>> "NFQUEUE(0:1)" fails 'check' with the error:
>>> Checking /etc/shorewall/policy...
>>> ERROR: Invalid policy (NFQUEUE(0) /etc/shorewall/policy (line 15)
>> 
>> Perhaps I'm misunderstanding the documented syntax? Additionally, is the
>> syntax really different from the NFQUEUE action in the shorewall-rules?
>> I'm hoping "no" but, of course, the documentation says it is.
>> 
>>> It's a bug. Patch attached.
>>> 
>>> -Tom
>>> 
>>> PS: I assume that your version is 5.2.3... There is no version 5.2.8.
>>> --
>>> Tom Eastep \ Q: What do you get when you cross a mobster with
>>> Shoreline, \ an international standard?
>>> Washington, USA \ A: Someone who makes you an offer you can't
>>> http://shorewall.org \ understand
>>> \_______________________________________________
>>> 
>>> _______________________________________________
>>> Shorewall-users mailing list
>>> Shorewall-users@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>> 
>> Hey, thanks Tom. I appreciate it. I had just pulled the latest source from
>> git after actually taking a look at the code in my local copy. My knowledge
>> of Perl is 2 decades out of date so I wasn't sure if what I thought I saw
>> was really there.
>> 
>> Thanks again!
>> 
>> Regards,
>> J Cliff Armstrong
>> 
>> P.S. Correct. My Shorewall version is 5.2.3.3. My Kernel version is 5.2.8
>> w/Arch distro patches applied. Sorry if I was unclear. Next time(?) I'll
>> put the version info for Shorewall in the body instead of the subject.
>> 
> 
> Hmm, looks like something similar is happening with macros (should this be a
> new thread?). With the following rules in `/etc/shorewall/rules`:
> 
>> BitTorrent32(DNAT-) wan lan:10.5.1.1
>> BitTorrent32(NFQUEUE(0:1c,bypass)) wan lan:10.5.1.1
> 
> I get the following when running `-v2 check`:
> 
>> ..Expanding Macro /usr/share/shorewall/macro.BitTorrent...
>> ERROR: Invalid ACTION (PARAM:1c,bypass))) 
>> /usr/share/shorewall/macro.BitTorrent (line 12)
>> from /etc/shorewall/rules (line 40)
> 
> What I'm trying to do is create a DNAT rule using an explicit NFQUEUE instead
> of an implicit ACCEPT. The plan is to implement this as a custom action or
> macro to simplify the management of rules.
> 
> Unfortunately, `trace compile` is pretty unhelpful in this case... ending
> without an error (and thus no line number for the problematic code). Else I'd
> have worked up a pull request with a fix.
> 
> Trace attached.
> 
> Regards,
> J Cliff Armstrong
> 

Apologies, I somehow managed to save and gzip the output of `shorewall -v2 
compile` and attach that to my last message instead of `shorewall trace 
compile`. *Actual* (verified) trace attached to this message, not the previous.

It also appears this trace *does* have line numbers for the error... I'll poke 
at it while I wait for a response.

Regards,
J Cliff Armstrong

Attachment: shorewall_trace.gz
Description: GNU Zip compressed data
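As an added illustration (not code from this thread or from Shorewall itself): a small Python translator from the NFQUEUE action grammar documented in shorewall-rules(5)/shorewall-policy(5), NFQUEUE[([queuenumber1[:queuenumber2][c]][,bypass])], to the iptables NFQUEUE target options it stands for, which makes plain what the NFQUEUE(0:1) policy and the NFQUEUE(0:1c,bypass) rule above ask netfilter to do. Mapping the 'c' suffix to --queue-cpu-fanout and tolerating a bare bypass argument are my reading of the manpage, not verified against Shorewall's compiler.

```python
import re

# Grammar from shorewall-rules(5)/shorewall-policy(5):
#   NFQUEUE[([queuenumber1[:queuenumber2][c]][,bypass])]
_ACTION_RE = re.compile(r"^NFQUEUE(?:\((?P<args>[^()]*)\))?$")
_QUEUE_RE = re.compile(r"^(\d+)(?::(\d+)(c?))?$")


def nfqueue_to_iptables(action):
    """Translate one Shorewall NFQUEUE action into the iptables target options
    it stands for.  Anything outside the documented grammar raises ValueError,
    so a config check fails loudly rather than silently queueing to queue 0."""
    m = _ACTION_RE.match(action.strip())
    if not m:
        raise ValueError(f"not an NFQUEUE action: {action!r}")
    args = m.group("args")
    opts = ["-j", "NFQUEUE"]
    if not args:  # bare NFQUEUE or NFQUEUE(): queue 0, no balancing
        return opts + ["--queue-num", "0"]
    queue_spec, *flags = args.split(",")
    if queue_spec == "bypass":  # NFQUEUE(bypass): tolerated here (assumption)
        flags.insert(0, queue_spec)
        queue_spec = "0"
    qm = _QUEUE_RE.match(queue_spec)
    if not qm:
        raise ValueError(f"bad queue specification: {queue_spec!r}")
    q1, q2, fanout = qm.groups()
    if q2 is None:
        opts += ["--queue-num", q1]  # single queue, one user-space reader
    else:
        opts += ["--queue-balance", f"{q1}:{q2}"]  # spread flows over q1..q2
        if fanout:  # 'c' suffix: pick the queue by CPU id (kernel >= 3.10)
            opts.append("--queue-cpu-fanout")
    for flag in flags:
        if flag != "bypass":
            raise ValueError(f"unknown NFQUEUE option: {flag!r}")
        opts.append("--queue-bypass")  # accept instead of drop if no listener
    return opts


def policy_target(line):
    """Parse one shorewall-policy(5) line (SOURCE DEST POLICY ...) and return
    the iptables options for its POLICY column."""
    cols = line.split()
    if len(cols) < 3:
        raise ValueError(f"policy line needs SOURCE, DEST and POLICY: {line!r}")
    return nfqueue_to_iptables(cols[2])
```

Note that --queue-bypass changes the failure mode: without it, packets are dropped while no snort instance is attached to the queue, which is the fail-closed behaviour a blocking IDS usually wants.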
