On 2/24/20 5:11 PM, J Cliff Armstrong via Shorewall-users wrote:
> Using Shorewall 5.2.3.6, configuration was previously working
> without issue. Full trace attached.
>
> I added the following lines in the NEW section in
> `/etc/shorewall/rules`:
>
>> ?COMMENT Redirect Out #catch leaky DNS queries and redirect them to our own dns server
>> DNS(REDIRECT) lan 53 - 53 - !&lan
>> DNS(REDIRECT) fw 53 - 53 - !::1
>
> When I ran `shorewall6 check` via sudo I received this:
>
>> Checking using Shorewall 5.2.3.6...
>> Processing /etc/shorewall6/params ...
>> Processing /etc/shorewall6/shorewall6.conf...
>> Loading Modules...
>> Checking /etc/shorewall6/zones...
>> Checking /etc/shorewall6/interfaces...
>> Determining Hosts in Zones...
>> Locating Action Files...
>> Checking /etc/shorewall6/policy...
>> Adding rules for DHCP
>> Checking TCP Flags filtering...
>> Checking Accept Routing Advertisements...
>> Checking MAC Filtration -- Phase 1...
>> Checking /etc/shorewall6/rules...
>> ERROR: Internal error in Shorewall::Chains::set_rule_option at /usr/share/shorewall/Shorewall/Chains.pm line 1153 /etc/shorewall6/rules (line 52) at /usr/share/shorewall/Shorewall/Config.pm line 1576.
>> Shorewall::Config::fatal_error("Internal error in Shorewall::Chains::set_rule_option at /usr/"...) called at /usr/share/shorewall/Shorewall/Config.pm line 1619
>> Shorewall::Config::assert("") called at /usr/share/shorewall/Shorewall/Chains.pm line 1153
>> Shorewall::Chains::set_rule_option(HASH(0x55beab832f98), "conntrack", "--ctorigdst ! \$SW_LAN_ADDRESS") called at /usr/share/shorewall/Shorewall/Chains.pm line 1266
>> Shorewall::Chains::transform_rule("-p 6 --dport 53 -m conntrack --ctorigdstport 53 -m conntrack"..., SCALAR(0x55beaa73ec50)) called at /usr/share/shorewall/Shorewall/Chains.pm line 1570
>> Shorewall::Chains::push_rule(HASH(0x55beab7f3ce0), "-p 6 --dport 53 -m conntrack --ctorigdstport 53 -m conntrack"...) called at /usr/share/shorewall/Shorewall/Chains.pm line 1746
>> Shorewall::Chains::add_rule(HASH(0x55beab7f3ce0), "-p 6 --dport 53 -m conntrack --ctorigdstport 53 -m conntrack"..., 1) called at /usr/share/shorewall/Shorewall/Chains.pm line 8257
>> Shorewall::Chains::expand_rule1(HASH(0x55beab7f3ce0), 4, "", "-p 6 --dport 53 -m conntrack --ctorigdstport 53 ", "::/0", "", "!&lan", "ACCEPT", ...) called at /usr/share/shorewall/Shorewall/Chains.pm line 8374
>> Shorewall::Chains::expand_rule(HASH(0x55beab7f3ce0), 4, "", "-p 6 --dport 53 -m conntrack --ctorigdstport 53 ", "::/0", "", "!&lan", "ACCEPT", ...) called at /usr/share/shorewall/Shorewall/Rules.pm line 3344
>> Shorewall::Rules::process_rule(undef, "", "", "REDIRECT", "", "lan", 53, "tcp", ...) called at /usr/share/shorewall/Shorewall/Rules.pm line 3816
>> Shorewall::Rules::process_raw_rule1("REDIRECT", "lan", 53, "tcp,udp", 53, "-", "!&lan", "-", ...) called at /usr/share/shorewall/Shorewall/Rules.pm line 3885
>> Shorewall::Rules::process_raw_rule() called at /usr/share/shorewall/Shorewall/Rules.pm line 3985
>> Shorewall::Rules::process_rules() called at /usr/share/shorewall/Shorewall/Compiler.pm line 802
>> Shorewall::Compiler::compiler("script", "", "directory", "", "verbosity", 1, "timestamp", 0, ...) called at /usr/share/shorewall/compiler.pl line 137
>
> Creating the REDIRECT rules without using a macro produces the
> same result. Notably, my IPv4 installation of shorewall has no
> issue with the same rules.
>
> Is there a difference in syntax between shorewall and shorewall6
> for REDIRECT rules? I didn't see anything in the documentation
> specifying such.
>

What is the output of the following two commands?

    shorewall show -f capabilities | fgrep CONNTRACK
    shorewall6 show -f capabilities | fgrep CONNTRACK

Also, which kernel version are you running?

Thanks,
-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster
Shoreline,         \     with an international standard?
Washington, USA     \ A: Someone who makes you an offer you
http://shorewall.org \   can't understand
                      \________________________________________