On 2/25/2020 11:20 AM, Tom Eastep wrote:
> On 2/24/20 5:11 PM, J Cliff Armstrong via Shorewall-users wrote:
>> Using Shorewall 5.2.3.6, configuration was previously working
>> without issue. Full trace attached.
>>
>> I added the following lines in the NEW section in
>> `/etc/shorewall/rules`:
>>
>>> ?COMMENT Redirect Out #catch leaky DNS queries and redirect them to our own dns server
>>> DNS(REDIRECT) lan 53 - 53 - !&lan
>>> DNS(REDIRECT) fw 53 - 53 - !::1
>>
>> when I ran `shorewall6 check` via sudo I received this:
>>
>>> Checking using Shorewall 5.2.3.6...
>>> Processing /etc/shorewall6/params ...
>>> Processing /etc/shorewall6/shorewall6.conf...
>>> Loading Modules...
>>> Checking /etc/shorewall6/zones...
>>> Checking /etc/shorewall6/interfaces...
>>> Determining Hosts in Zones...
>>> Locating Action Files...
>>> Checking /etc/shorewall6/policy...
>>> Adding rules for DHCP
>>> Checking TCP Flags filtering...
>>> Checking Accept Routing Advertisements...
>>> Checking MAC Filtration -- Phase 1...
>>> Checking /etc/shorewall6/rules...
>>>    ERROR: Internal error in Shorewall::Chains::set_rule_option at /usr/share/shorewall/Shorewall/Chains.pm line 1153 /etc/shorewall6/rules (line 52) at /usr/share/shorewall/Shorewall/Config.pm line 1576.
>>>    Shorewall::Config::fatal_error("Internal error in Shorewall::Chains::set_rule_option at /usr/"...) called at /usr/share/shorewall/Shorewall/Config.pm line 1619
>>>    Shorewall::Config::assert("") called at /usr/share/shorewall/Shorewall/Chains.pm line 1153
>>>    Shorewall::Chains::set_rule_option(HASH(0x55beab832f98), "conntrack", "--ctorigdst ! \$SW_LAN_ADDRESS") called at /usr/share/shorewall/Shorewall/Chains.pm line 1266
>>>    Shorewall::Chains::transform_rule("-p 6 --dport 53 -m conntrack --ctorigdstport 53 -m conntrack"..., SCALAR(0x55beaa73ec50)) called at /usr/share/shorewall/Shorewall/Chains.pm line 1570
>>>    Shorewall::Chains::push_rule(HASH(0x55beab7f3ce0), "-p 6 --dport 53 -m conntrack --ctorigdstport 53 -m conntrack"...) called at /usr/share/shorewall/Shorewall/Chains.pm line 1746
>>>    Shorewall::Chains::add_rule(HASH(0x55beab7f3ce0), "-p 6 --dport 53 -m conntrack --ctorigdstport 53 -m conntrack"..., 1) called at /usr/share/shorewall/Shorewall/Chains.pm line 8257
>>>    Shorewall::Chains::expand_rule1(HASH(0x55beab7f3ce0), 4, "", "-p 6 --dport 53 -m conntrack --ctorigdstport 53 ", "::/0", "", "!&lan", "ACCEPT", ...) called at /usr/share/shorewall/Shorewall/Chains.pm line 8374
>>>    Shorewall::Chains::expand_rule(HASH(0x55beab7f3ce0), 4, "", "-p 6 --dport 53 -m conntrack --ctorigdstport 53 ", "::/0", "", "!&lan", "ACCEPT", ...) called at /usr/share/shorewall/Shorewall/Rules.pm line 3344
>>>    Shorewall::Rules::process_rule(undef, "", "", "REDIRECT", "", "lan", 53, "tcp", ...) called at /usr/share/shorewall/Shorewall/Rules.pm line 3816
>>>    Shorewall::Rules::process_raw_rule1("REDIRECT", "lan", 53, "tcp,udp", 53, "-", "!&lan", "-", ...) called at /usr/share/shorewall/Shorewall/Rules.pm line 3885
>>>    Shorewall::Rules::process_raw_rule() called at /usr/share/shorewall/Shorewall/Rules.pm line 3985
>>>    Shorewall::Rules::process_rules() called at /usr/share/shorewall/Shorewall/Compiler.pm line 802
>>>    Shorewall::Compiler::compiler("script", "", "directory", "", "verbosity", 1, "timestamp", 0, ...) called at /usr/share/shorewall/compiler.pl line 137
>>
>> Creating the REDIRECT rules without using a macro produces the
>> same result. Notably, my IPv4 installation of shorewall has no
>> issue with the same rules.
>>
>> Is there a difference in syntax between shorewall and shorewall6
>> for REDIRECT rules? I didn't see anything in the documentation
>> specifying such.
>>
>
> What is the output of the following two commands?
>
> shorewall show -f capabilities | fgrep CONNTRACK
> shorewall6 show -f capabilities | fgrep CONNTRACK
>
> Also, which kernel version are you running?
>
> Thanks,
> -Tom

Here you go:

> wolferz@tiphares ~ $ sudo shorewall show -f capabilities | fgrep CONNTRACK
> CONNTRACK_MATCH=Yes
> NEW_CONNTRACK_MATCH=Yes
> OLD_CONNTRACK_MATCH=
> wolferz@tiphares ~ $ sudo shorewall6 show -f capabilities | fgrep CONNTRACK
> CONNTRACK_MATCH=Yes
> NEW_CONNTRACK_MATCH=Yes
> OLD_CONNTRACK_MATCH=
> wolferz@tiphares ~ $ uname -a
> Linux tiphares 5.5.5-arch1-1 #1 SMP PREEMPT Thu, 20 Feb 2020 18:23:09 +0000 x86_64 GNU/Linux

-- 
- J Cliff Armstrong
- AKA JadedDragoon
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users