On 2/25/20 1:31 PM, Tom Eastep wrote:
> On 2/25/20 1:10 PM, J Cliff Armstrong via Shorewall-users wrote:
>> On 2/25/2020 11:20 AM, Tom Eastep wrote:
>>> On 2/24/20 5:11 PM, J Cliff Armstrong via Shorewall-users wrote:
>>>> Using Shorewall 5.2.3.6, configuration was previously working
>>>> without issue. Full trace attached.
>>>>
>>>> I added the following lines in the NEW section in
>>>> `/etc/shorewall/rules`:
>>>>
>>>>> ?COMMENT Redirect Out #catch leaky DNS queries and redirect them to our own dns server
>>>>> DNS(REDIRECT)   lan   53   -   53   -   !&lan
>>>>> DNS(REDIRECT)   fw    53   -   53   -   !::1
>>>>
>>>> when I ran `shorewall6 check` via sudo I received this:
>>>>
>>>>> Checking using Shorewall 5.2.3.6...
>>>>> Processing /etc/shorewall6/params ...
>>>>> Processing /etc/shorewall6/shorewall6.conf...
>>>>> Loading Modules...
>>>>> Checking /etc/shorewall6/zones...
>>>>> Checking /etc/shorewall6/interfaces...
>>>>> Determining Hosts in Zones...
>>>>> Locating Action Files...
>>>>> Checking /etc/shorewall6/policy...
>>>>> Adding rules for DHCP
>>>>> Checking TCP Flags filtering...
>>>>> Checking Accept Routing Advertisements...
>>>>> Checking MAC Filtration -- Phase 1...
>>>>> Checking /etc/shorewall6/rules...
>>>>>    ERROR: Internal error in Shorewall::Chains::set_rule_option at /usr/share/shorewall/Shorewall/Chains.pm line 1153 /etc/shorewall6/rules (line 52) at /usr/share/shorewall/Shorewall/Config.pm line 1576.
>>>>>         Shorewall::Config::fatal_error("Internal error in Shorewall::Chains::set_rule_option at /usr/"...) called at /usr/share/shorewall/Shorewall/Config.pm line 1619
>>>>>         Shorewall::Config::assert("") called at /usr/share/shorewall/Shorewall/Chains.pm line 1153
>>>>>         Shorewall::Chains::set_rule_option(HASH(0x55beab832f98), "conntrack", "--ctorigdst ! $SW_LAN_ADDRESS") called at /usr/share/shorewall/Shorewall/Chains.pm line 1266
>>>>>         Shorewall::Chains::transform_rule("-p 6 --dport 53 -m conntrack --ctorigdstport 53 -m conntrack"..., SCALAR(0x55beaa73ec50)) called at /usr/share/shorewall/Shorewall/Chains.pm line 1570
>>>>>         Shorewall::Chains::push_rule(HASH(0x55beab7f3ce0), "-p 6 --dport 53 -m conntrack --ctorigdstport 53 -m conntrack"...) called at /usr/share/shorewall/Shorewall/Chains.pm line 1746
>>>>>         Shorewall::Chains::add_rule(HASH(0x55beab7f3ce0), "-p 6 --dport 53 -m conntrack --ctorigdstport 53 -m conntrack"..., 1) called at /usr/share/shorewall/Shorewall/Chains.pm line 8257
>>>>>         Shorewall::Chains::expand_rule1(HASH(0x55beab7f3ce0), 4, "", "-p 6 --dport 53 -m conntrack --ctorigdstport 53 ", "::/0", "", "!&lan", "ACCEPT", ...) called at /usr/share/shorewall/Shorewall/Chains.pm line 8374
>>>>>         Shorewall::Chains::expand_rule(HASH(0x55beab7f3ce0), 4, "", "-p 6 --dport 53 -m conntrack --ctorigdstport 53 ", "::/0", "", "!&lan", "ACCEPT", ...) called at /usr/share/shorewall/Shorewall/Rules.pm line 3344
>>>>>         Shorewall::Rules::process_rule(undef, "", "", "REDIRECT", "", "lan", 53, "tcp", ...) called at /usr/share/shorewall/Shorewall/Rules.pm line 3816
>>>>>         Shorewall::Rules::process_raw_rule1("REDIRECT", "lan", 53, "tcp,udp", 53, "-", "!&lan", "-", ...) called at /usr/share/shorewall/Shorewall/Rules.pm line 3885
>>>>>         Shorewall::Rules::process_raw_rule() called at /usr/share/shorewall/Shorewall/Rules.pm line 3985
>>>>>         Shorewall::Rules::process_rules() called at /usr/share/shorewall/Shorewall/Compiler.pm line 802
>>>>>         Shorewall::Compiler::compiler("script", "", "directory", "", "verbosity", 1, "timestamp", 0, ...) called at /usr/share/shorewall/compiler.pl line 137
>>>>
>>>> Creating the REDIRECT rules without using a macro produces the
>>>> same result. Notably, my IPv4 installation of shorewall has no
>>>> issue with the same rules.
>>>>
>>>> Is there a difference in syntax between shorewall and
>>>> shorewall6 for REDIRECT rules? I didn't see anything in the
>>>> documentation specifying such.
>>>
>>> What is the output of the following two commands?
>>>
>>> shorewall show -f capabilities | fgrep CONNTRACK
>>> shorewall6 show -f capabilities | fgrep CONNTRACK
>>>
>>> Also, which kernel version are you running?
>>>
>>> Thanks,
>>> -Tom
>>
>> Here you go:
>>
>>> wolferz@tiphares ~ $ sudo shorewall show -f capabilities | fgrep CONNTRACK
>>> CONNTRACK_MATCH=Yes
>>> NEW_CONNTRACK_MATCH=Yes
>>> OLD_CONNTRACK_MATCH=
>>> wolferz@tiphares ~ $ sudo shorewall6 show -f capabilities | fgrep CONNTRACK
>>> CONNTRACK_MATCH=Yes
>>> NEW_CONNTRACK_MATCH=Yes
>>> OLD_CONNTRACK_MATCH=
>>> wolferz@tiphares ~ $ uname -a
>>> Linux tiphares 5.5.5-arch1-1 #1 SMP PREEMPT Thu, 20 Feb 2020 18:23:09 +0000 x86_64 GNU/Linux
>
> Okay -- the compiler is mis-detecting the OLD_CONNTRACK_MATCH
> capability. You can work around this temporarily through using a
> shorewall6 capabilities file (the CLI correctly detects the capability).
>
> I'll have a patch ready later today.

Here is the patch:

. /usr/share/shorewall/shorewallrc
cd $PERLLIBDIR/Shorewall
patch -p4 < path/to/OLD_CONNTRACK_MATCH.patch

-Tom

--
Tom Eastep        \   Q: What do you get when you cross a mobster
Shoreline,         \     with an international standard?
Washington, USA     \ A: Someone who makes you an offer you
http://shorewall.org \   can't understand
                      \________________________________________
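The interim workaround Tom describes above (let the CLI, which detects the capability correctly, write a capabilities file that the compiler then reads) is shown below as an added example; it is not code from the thread or from the Shorewall project. It assumes that `shorewall6 show -f capabilities` prints `KEY=VALUE` lines (as the quoted output does) and that the shorewall6 compiler looks for the file at `/etc/shorewall6/capabilities`, the default location. The parsing helpers run against a constructed sample modelled on the thread's `fgrep CONNTRACK` output; only `--install` touches the live system.

```shell
#!/bin/sh
# Added example, not from the thread or from the Shorewall project.
# Assumptions: "shorewall6 show -f capabilities" emits KEY=VALUE lines and
# the compiler consults /etc/shorewall6/capabilities (default CONFIG_PATH).
set -eu

# Look up one capability in KEY=VALUE text on stdin. Prints the value
# (possibly empty, e.g. "OLD_CONNTRACK_MATCH=") and returns 0 when the key
# is present, 1 when it is absent. Absent and empty are different things:
# absent means the output is not what we expect, empty means "not supported".
capability_value() {
    awk -F= -v k="$1" '
        $1 == k { v = $0; sub(/^[^=]*=/, "", v); print v; found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# Classify which conntrack match variant the capability text advertises:
# "new" (NEW_CONNTRACK_MATCH set), "old" (only OLD_CONNTRACK_MATCH set) or
# "none". This is the distinction the thread says the compiler got wrong.
conntrack_match_mode() {
    caps=$(cat)
    base=$(printf '%s\n' "$caps" | capability_value CONNTRACK_MATCH) || base=''
    new=$(printf '%s\n' "$caps" | capability_value NEW_CONNTRACK_MATCH) || new=''
    old=$(printf '%s\n' "$caps" | capability_value OLD_CONNTRACK_MATCH) || old=''
    if [ -z "$base" ]; then echo none
    elif [ -n "$new" ]; then echo new
    elif [ -n "$old" ]; then echo old
    else echo none
    fi
}

# Save the CLI's detection result so the compiler reads it from the file.
# A stale capabilities file silently pins old results after kernel or
# iptables upgrades, so refuse to overwrite one unless FORCE=1, and check
# that the output actually looks like capability data before writing it.
save_capabilities() {
    target=${1:-/etc/shorewall6/capabilities}
    if [ -e "$target" ] && [ "${FORCE:-0}" != 1 ]; then
        echo "refusing to overwrite existing $target (set FORCE=1)" >&2
        return 1
    fi
    caps=$(shorewall6 show -f capabilities)
    printf '%s\n' "$caps" | capability_value CONNTRACK_MATCH >/dev/null || {
        echo "unexpected output from 'shorewall6 show -f capabilities'" >&2
        return 1
    }
    printf '%s\n' "$caps" > "$target"
    echo "wrote $target (conntrack match mode: $(printf '%s\n' "$caps" | conntrack_match_mode))"
}

# Constructed sample in the shape of the thread's "fgrep CONNTRACK" output.
SAMPLE_CAPS='CONNTRACK_MATCH=Yes
NEW_CONNTRACK_MATCH=Yes
OLD_CONNTRACK_MATCH='

case ${1:-} in
    --install) save_capabilities "${2:-}" ;;
    *) echo "sample conntrack match mode: $(printf '%s\n' "$SAMPLE_CAPS" | conntrack_match_mode)" ;;
esac
```

Run it without arguments to see the classifier applied to the sample; `sudo sh save-caps.sh --install` writes the real file (pass a second argument to choose another path). Once the patched Chains.pm is in place the file should be removed again, otherwise the compiler keeps using detection results frozen at the time the file was written.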
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users