August 21, 2019 9:54 PM, "Tom Eastep" <teas...@shorewall.net> wrote:
> On 8/21/19 3:20 PM, J Cliff Armstrong via Shorewall-users wrote:
>
>> August 21, 2019 1:53 PM, "J Cliff Armstrong via Shorewall-users"
>> <shorewall-users@lists.sourceforge.net> wrote:
>>
>>> August 19, 2019 5:50 PM, "J Cliff Armstrong via Shorewall-users"
>>> <shorewall-users@lists.sourceforge.net> wrote:
>>
>> August 19, 2019 4:47 PM, "Tom Eastep" <teas...@shorewall.net> wrote:
>>
>> On 8/19/19 2:26 AM, J Cliff Armstrong via Shorewall-users wrote:
>>
>> Running Arch Linux kernel 5.2.8-arch1-1-ARCH, Shorewall installed from Arch community repo.
>>
>> I'm trying to configure the policy:
>>
>> lan wan NFQUEUE(0:1)
>>
>> The goal being to utilize two instances of snort (for blocking outgoing sensitive information, in this case) running on separate cores and let netfilter balance connections between them as per the shorewall-policy manpage provided with the arch package and currently available on shorewall.net.
>>
>> "NFQUEUE" passes 'check'. "NFQUEUE(0)" passes 'check'. "NFQUEUE(0:1)" fails 'check' with the error:
>>
>> Checking /etc/shorewall/policy...
>> ERROR: Invalid policy (NFQUEUE(0) /etc/shorewall/policy (line 15)
>>
>> Perhaps I'm misunderstanding the documented syntax? Additionally, is the syntax really different from the NFQUEUE action in the shorewall-rules? I'm hoping "no" but, of course, the documentation says it is.
>>
>> It's a bug. Patch attached.
>>
>> -Tom
>>
>> PS: I assume that your version is 5.2.3... There is no version 5.2.8.
>> --
>> Tom Eastep        \ Q: What do you get when you cross a mobster with
>> Shoreline,         \ an international standard?
>> Washington, USA     \ A: Someone who makes you an offer you can't
>> http://shorewall.org \ understand
>>                       \_______________________________________________
>>
>> _______________________________________________
>> Shorewall-users mailing list
>> Shorewall-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>>
>> Hey, thanks Tom. I appreciate it. I had just pulled the latest source from git after actually taking a look at the code in my local copy. My knowledge of Perl is 2 decades out of date so I wasn't sure if what I thought I saw was really there.
>>
>> Thanks again!
>>
>> Regards,
>> J Cliff Armstrong
>>
>> P.S. Correct. My Shorewall version is 5.2.3.3. My kernel version is 5.2.8 w/Arch distro patches applied. Sorry if I was unclear. Next time(?) I'll put the version info for Shorewall in the body instead of the subject.
>>
>>> Hmm, looks like something similar is happening with macros (should this be a new thread?). With the following rules in `/etc/shorewall/rules`:
>>
>> BitTorrent32(DNAT-) wan lan:10.5.1.1
>> BitTorrent32(NFQUEUE(0:1c,bypass)) wan lan:10.5.1.1
>>
>>> I get the following when running `-v2 check`:
>>
>> ..Expanding Macro /usr/share/shorewall/macro.BitTorrent...
>> ERROR: Invalid ACTION (PARAM:1c,bypass))) /usr/share/shorewall/macro.BitTorrent (line 12) from /etc/shorewall/rules (line 40)
>>
>>> What I'm trying to do is create a DNAT rule using an explicit NFQUEUE instead of an implicit ACCEPT. The plan is to implement this as a custom action or macro to simplify the management of rules.
>>>
>>> Unfortunately, `trace compile` is pretty unhelpful in this case... ending without an error (and thus no line number for the problematic code). Else I'd have worked up a pull request with a fix.
>>>
>>> Trace attached.
>>>
>>> Regards,
>>> J Cliff Armstrong
>>
>> Apologies, I somehow managed to save and gzip the output of `shorewall -v2 compile` and attach that to my last message instead of `shorewall trace compile`. *Actual* (verified) trace attached to this message, not the previous.
>>
>> It also appears this trace *does* have line numbers for the error... I'll poke at it while I wait for a response.
>
> Patch attached -- this one supersedes the earlier patch.
>
> -Tom
> --
> Tom Eastep        \ Q: What do you get when you cross a mobster with
> Shoreline,         \ an international standard?
> Washington, USA     \ A: Someone who makes you an offer you can't
> http://shorewall.org \ understand
>                       \_______________________________________________

Works like a charm. Thanks again.

Regards,
J Cliff Armstrong
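As an added example (not from this thread and not Shorewall's own Perl compiler): a small Python validator for the NFQUEUE action syntax discussed above. It assumes the shorewall-rules(5) form `NFQUEUE[([queue1[:queue2][c]][,bypass])]` as I read it, accepts the `0:1` and `0:1c,bypass` forms that `shorewall check` rejected in 5.2.3.3, rejects malformed specs, and maps a parsed spec to the iptables NFQUEUE target options it implies, so a policy or rules entry can be sanity-checked before the compiler sees it.

```python
import re

# Assumed grammar, as I read shorewall-rules(5) (check your installed manpage):
#   NFQUEUE[([queue1[:queue2][c]][,bypass])]
# queue1:queue2 balances connections over a queue range, a trailing 'c' asks for
# per-CPU fanout, and 'bypass' passes packets when nothing listens on the queue.
_ACTION_RE = re.compile(r"^NFQUEUE(?:\((?P<params>[^()]*)\))?$")
_PARAMS_RE = re.compile(
    r"^(?:(?P<q1>\d+)(?::(?P<q2>\d+))?(?P<fanout>c)?)?(?:(?P<sep>,)?(?P<bypass>bypass))?$")

def parse_nfqueue(action):
    """Return {'queue1','queue2','cpu_fanout','bypass'} or raise ValueError."""
    m = _ACTION_RE.match(action.strip())
    p = _PARAMS_RE.match(m.group("params") or "") if m else None
    # a comma is required exactly when both a queue spec and 'bypass' are given
    if p is None or bool(p["sep"]) != (p["q1"] is not None and p["bypass"] is not None):
        raise ValueError(f"bad NFQUEUE action: {action!r}")
    result = {"queue1": int(p["q1"] or 0), "queue2": None,
              "cpu_fanout": bool(p["fanout"]), "bypass": bool(p["bypass"])}
    if p["q2"] is not None:
        result["queue2"] = int(p["q2"])
        if result["queue2"] <= result["queue1"]:
            raise ValueError(f"queue range must ascend: {action!r}")
    if result["cpu_fanout"] and result["queue2"] is None:
        raise ValueError(f"'c' (CPU fanout) needs a queue range: {action!r}")
    return result

def check_nfqueue(action):
    """Validator form: None when the action is well-formed, else the error text."""
    try:
        parse_nfqueue(action)
        return None
    except ValueError as e:
        return str(e)

def iptables_args(parsed):
    """The iptables NFQUEUE target options (real option names) the spec maps to."""
    args = ["-j", "NFQUEUE"]
    if parsed["queue2"] is None:
        args += ["--queue-num", str(parsed["queue1"])]
    else:
        args += ["--queue-balance", f"{parsed['queue1']}:{parsed['queue2']}"]
        if parsed["cpu_fanout"]:
            args.append("--queue-cpu-fanout")
    if parsed["bypass"]:
        args.append("--queue-bypass")
    return args
```

Run `check_nfqueue` over the ACTION column of each policy or rules line (and over macro parameters such as `NFQUEUE(0:1c,bypass)`) to catch a bad spec before a reload; a `None` result means the compiler should accept it.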