On 2/25/20 4:59 PM, Tom Eastep wrote:
> On 2/25/20 1:31 PM, Tom Eastep wrote:
>> On 2/25/20 1:10 PM, J Cliff Armstrong via Shorewall-users wrote:
>>> On 2/25/2020 11:20 AM, Tom Eastep wrote:
>>>> On 2/24/20 5:11 PM, J Cliff Armstrong via Shorewall-users wrote:
>>>>> Using Shorewall 5.2.3.6, configuration was previously working
>>>>> without issue. Full trace attached.
>>>>>
>>>>> I added the following lines in the NEW section in
>>>>> `/etc/shorewall/rules`:
>>>>>
>>>>>> ?COMMENT Redirect Out
>>>>>> #catch leaky DNS queries and redirect them to our own dns server
>>>>>> DNS(REDIRECT)   lan   53   -   53   -   !&lan
>>>>>> DNS(REDIRECT)   fw    53   -   53   -   !::1
>>>>>
>>>>> when I ran `shorewall6 check` via sudo I received this:
>>>>>
>>>>>> Checking using Shorewall 5.2.3.6...
>>>>>> Processing /etc/shorewall6/params ...
>>>>>> Processing /etc/shorewall6/shorewall6.conf...
>>>>>> Loading Modules...
>>>>>> Checking /etc/shorewall6/zones...
>>>>>> Checking /etc/shorewall6/interfaces...
>>>>>> Determining Hosts in Zones...
>>>>>> Locating Action Files...
>>>>>> Checking /etc/shorewall6/policy...
>>>>>> Adding rules for DHCP
>>>>>> Checking TCP Flags filtering...
>>>>>> Checking Accept Routing Advertisements...
>>>>>> Checking MAC Filtration -- Phase 1...
>>>>>> Checking /etc/shorewall6/rules...
>>>>>> ERROR: Internal error in Shorewall::Chains::set_rule_option at /usr/share/shorewall/Shorewall/Chains.pm line 1153 /etc/shorewall6/rules (line 52) at /usr/share/shorewall/Shorewall/Config.pm line 1576.
>>>>>>   Shorewall::Config::fatal_error("Internal error in Shorewall::Chains::set_rule_option at /usr/"...) called at /usr/share/shorewall/Shorewall/Config.pm line 1619
>>>>>>   Shorewall::Config::assert("") called at /usr/share/shorewall/Shorewall/Chains.pm line 1153
>>>>>>   Shorewall::Chains::set_rule_option(HASH(0x55beab832f98), "conntrack", "--ctorigdst ! $SW_LAN_ADDRESS") called at /usr/share/shorewall/Shorewall/Chains.pm line 1266
>>>>>>   Shorewall::Chains::transform_rule("-p 6 --dport 53 -m conntrack --ctorigdstport 53 -m conntrack"..., SCALAR(0x55beaa73ec50)) called at /usr/share/shorewall/Shorewall/Chains.pm line 1570
>>>>>>   Shorewall::Chains::push_rule(HASH(0x55beab7f3ce0), "-p 6 --dport 53 -m conntrack --ctorigdstport 53 -m conntrack"...) called at /usr/share/shorewall/Shorewall/Chains.pm line 1746
>>>>>>   Shorewall::Chains::add_rule(HASH(0x55beab7f3ce0), "-p 6 --dport 53 -m conntrack --ctorigdstport 53 -m conntrack"..., 1) called at /usr/share/shorewall/Shorewall/Chains.pm line 8257
>>>>>>   Shorewall::Chains::expand_rule1(HASH(0x55beab7f3ce0), 4, "", "-p 6 --dport 53 -m conntrack --ctorigdstport 53 ", "::/0", "", "!&lan", "ACCEPT", ...) called at /usr/share/shorewall/Shorewall/Chains.pm line 8374
>>>>>>   Shorewall::Chains::expand_rule(HASH(0x55beab7f3ce0), 4, "", "-p 6 --dport 53 -m conntrack --ctorigdstport 53 ", "::/0", "", "!&lan", "ACCEPT", ...) called at /usr/share/shorewall/Shorewall/Rules.pm line 3344
>>>>>>   Shorewall::Rules::process_rule(undef, "", "", "REDIRECT", "", "lan", 53, "tcp", ...) called at /usr/share/shorewall/Shorewall/Rules.pm line 3816
>>>>>>   Shorewall::Rules::process_raw_rule1("REDIRECT", "lan", 53, "tcp,udp", 53, "-", "!&lan", "-", ...) called at /usr/share/shorewall/Shorewall/Rules.pm line 3885
>>>>>>   Shorewall::Rules::process_raw_rule() called at /usr/share/shorewall/Shorewall/Rules.pm line 3985
>>>>>>   Shorewall::Rules::process_rules() called at /usr/share/shorewall/Shorewall/Compiler.pm line 802
>>>>>>   Shorewall::Compiler::compiler("script", "", "directory", "", "verbosity", 1, "timestamp", 0, ...) called at /usr/share/shorewall/compiler.pl line 137
>>>>>
>>>>> Creating the REDIRECT rules without using a macro produces the
>>>>> same result. Notably, my IPv4 installation of shorewall has no
>>>>> issue with the same rules.
>>>>>
>>>>> Is there a difference in syntax between shorewall and
>>>>> shorewall6 for REDIRECT rules? I didn't see anything in the
>>>>> documentation specifying such.
>>>>
>>>> What is the output of the following two commands?
>>>>
>>>> shorewall show -f capabilities | fgrep CONNTRACK
>>>> shorewall6 show -f capabilities | fgrep CONNTRACK
>>>>
>>>> Also, which kernel version are you running?
>>>>
>>>> Thanks,
>>>> -Tom
>>>
>>> Here you go:
>>>
>>>> wolferz@tiphares ~ $ sudo shorewall show -f capabilities | fgrep CONNTRACK
>>>> CONNTRACK_MATCH=Yes
>>>> NEW_CONNTRACK_MATCH=Yes
>>>> OLD_CONNTRACK_MATCH=
>>>> wolferz@tiphares ~ $ sudo shorewall6 show -f capabilities | fgrep CONNTRACK
>>>> CONNTRACK_MATCH=Yes
>>>> NEW_CONNTRACK_MATCH=Yes
>>>> OLD_CONNTRACK_MATCH=
>>>> wolferz@tiphares ~ $ uname -a
>>>> Linux tiphares 5.5.5-arch1-1 #1 SMP PREEMPT Thu, 20 Feb 2020 18:23:09 +0000 x86_64 GNU/Linux
>>
>> Okay -- the compiler is mis-detecting the OLD_CONNTRACK_MATCH
>> capability. You can work around this temporarily through using a
>> shorewall6 capabilities file (the CLI correctly detects the capability).
>>
>> I'll have a patch ready later today.
>
> Here is the patch:
>
> . /usr/share/shorewall/shorewallrc
> cd $PERLLIBDIR/Shorewall
> patch -p4 < path/to/OLD_CONNTRACK_MATCH.patch
>

Here's the patch :-)

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster
Shoreline,         \     with an international standard?
Washington, USA     \ A: Someone who makes you an offer you
http://shorewall.org \   can't understand
                      \________________________________________
From 387b86175966d8c29ed6a4b411a2dcf44a3acd64 Mon Sep 17 00:00:00 2001 From: Tom Eastep <teas...@shorewall.net> Date: Tue, 25 Feb 2020 13:08:58 -0800 Subject: Correct handling of ORIGDEST with OLD_CONNTRACK_MATCH - Also correct detection of OLD_CONNTRACK_MATCH in shorewall6 Signed-off-by: Tom Eastep <teas...@shorewall.net> diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index 404554b45..4ddfcec11 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm @@ -1143,16 +1143,30 @@ sub set_rule_option( $$$ ) { # # Consider each subtype as a separate type # - my ( $invert, $subtype, $val, $rest ) = split ' ', $value; + if ( have_capability( 'OLD_CONNTRACK_MATCH' ) ) { + my ( $subtype, $invert, $val, $rest ) = split ' ', $value; - if ( $invert eq '!' ) { - assert( ! supplied $rest ); - $option = join( ' ', $option, $invert, $subtype ); - $value = $val; + if ( $invert eq '!' ) { + assert( ! supplied $rest ); + $option = join( ' ', $option, $subtype ); + $value = join( ' ', $invert, $val ); + } else { + assert( ! supplied $val ); + $option = join( ' ', $invert , $option ); + $value = $invert; + } } else { - assert( ! supplied $val ); - $option = join( ' ', $option, $invert ); - $value = $subtype; + my ( $invert, $subtype, $val, $rest ) = split ' ', $value; + + if ( $invert eq '!' ) { + assert( ! supplied $rest ); + $option = join( ' ', $option, $invert, $subtype ); + $value = $val; + } else { + assert( ! supplied $val ); + $option = join( ' ', $option, $invert ); + $value = $subtype; + } } $opttype = EXCLUSIVE; diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 27d1ea4d0..d0b5280b7 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm 
@@ -4603,7 +4603,11 @@ sub New_Conntrack_Match() { } sub Old_Conntrack_Match() { - ! qt1( "$iptables $iptablesw -A $sillyname -m conntrack ! --ctorigdst 1.2.3.4" ); + if ( $family == F_IPV4 ) { + ! qt1( "$iptables $iptablesw -A $sillyname -m conntrack ! --ctorigdst 1.2.3.4" ); + } else { + ! qt1( "$iptables $iptablesw -A $sillyname -m conntrack ! --ctorigdst ::1" ); + } } sub Multiport() {
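Review bot: in the new `have_capability( 'OLD_CONNTRACK_MATCH' )` branch of set_rule_option (Chains.pm hunk), the non-inverted `else` arm builds the option wrongly. With the old syntax the value splits as `( $subtype, $invert, $val, $rest )`, so for a plain `--ctorigdst ADDR` the variable `$invert` holds ADDR, and `$option = join( ' ', $invert , $option );` yields `ADDR conntrack` while `$subtype` (`--ctorigdst`) is dropped. It should mirror the inverted arm just above it and read `$option = join( ' ', $option, $subtype );` with `$value = $invert;` kept as is. Renaming the second split field (it is only the negation token when the line is inverted) would make the arm easier to read, and a short comment contrasting the two match syntaxes, `--ctorigdst ! ADDR` (old) versus `! --ctorigdst ADDR` (new), would document why the two parsers differ.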
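Review bot: Old_Conntrack_Match (Config.pm hunk) now duplicates the whole qt1 command for the two families when only the probe address differs; `my $addr = $family == F_IPV4 ? '1.2.3.4' : '::1';` followed by a single `! qt1( "$iptables $iptablesw -A $sillyname -m conntrack ! --ctorigdst $addr" );` keeps one copy of the probe. A comment that the probe deliberately uses the new `! --ctorigdst` placement, so a command failure is what signals the old syntax, would also help, because it explains the bug being fixed: handing the IPv4 literal to ip6tables fails regardless of the conntrack syntax, which is why the compiler reported OLD_CONNTRACK_MATCH on IPv6 while the CLI did not.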
_______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users
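The interim workaround Tom mentions (pinning the capability through a shorewall6 capabilities file) as an added example, not code from the thread or from the Shorewall project. It assumes the file holds one NAME=value line per capability in the form printed by `shorewall6 show -f capabilities` (as in Cliff's output above), that an empty value means the capability is absent, and that the file lives at the hypothetical path /etc/shorewall6/capabilities; the sample file in `demo` is constructed.

```shell
#!/bin/sh
# Added example (not from the thread or the Shorewall project): pin a
# mis-detected capability in a shorewall6 capabilities file until the
# compiler fix is installed.
#
# Assumed file layout: one NAME=value line per capability, as printed by
# `shorewall6 show -f capabilities`; an empty value means "not available".

# override_capability FILE NAME VALUE
# Replace the NAME=... line in FILE with NAME=VALUE, or append one if absent.
override_capability() {
    file=$1; name=$2; value=$3
    if grep -q "^${name}=" "$file"; then
        # Rewrite through a temp file so this stays POSIX (no sed -i).
        sed "s|^${name}=.*|${name}=${value}|" "$file" > "${file}.tmp" &&
            mv "${file}.tmp" "$file"
    else
        printf '%s=%s\n' "$name" "$value" >> "$file"
    fi
}

# get_capability FILE NAME
# Print the value recorded for NAME (empty if unset or absent).
get_capability() {
    sed -n "s|^$2=||p" "$1"
}

# demo: a constructed capabilities file carrying the false positive, then
# the override; prints the resulting OLD_CONNTRACK_MATCH value (empty).
demo() {
    tmp=$(mktemp)
    # Constructed sample in the same shape as the CLI output in the thread,
    # with OLD_CONNTRACK_MATCH wrongly set to Yes (the compiler's view).
    printf 'CONNTRACK_MATCH=Yes\nNEW_CONNTRACK_MATCH=Yes\nOLD_CONNTRACK_MATCH=Yes\n' > "$tmp"
    override_capability "$tmp" OLD_CONNTRACK_MATCH ""
    result=$(get_capability "$tmp" OLD_CONNTRACK_MATCH)
    rm -f "$tmp"
    printf '%s' "$result"
}

# On the affected host the real sequence would be (needs shorewall6; the
# file path is an assumption, not from the thread):
#   shorewall6 show -f capabilities > /etc/shorewall6/capabilities
#   override_capability /etc/shorewall6/capabilities OLD_CONNTRACK_MATCH ""
```

Once the patched Chains.pm and Config.pm are in place the capabilities file can be deleted again so the compiler goes back to live detection; leaving a stale file behind is the usual way to carry an override past the point where it is still correct.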