August 19, 2019 5:50 PM, "J Cliff Armstrong via Shorewall-users"
<shorewall-users@lists.sourceforge.net> wrote:

> August 19, 2019 4:47 PM, "Tom Eastep" <teas...@shorewall.net> wrote:
> 
>> On 8/19/19 2:26 AM, J Cliff Armstrong via Shorewall-users wrote:
>> 
>>> Running Arch Linux kernel 5.2.8-arch1-1-ARCH, Shorewall installed from Arch
>>> community repo.
>>>
>>> I'm trying to configure the policy:
>>>
>>> lan wan NFQUEUE(0:1)
>>>
>>> The goal being to utilize two instances of snort (for blocking outgoing
>>> sensitive information, in this case) running on separate cores and let
>>> netfilter balance connections between them as per the shorewall-policy
>>> manpage provided with the arch package and currently available on
>>> shorewall.net.
>>>
>>> "NFQUEUE" passes 'check'. "NFQUEUE(0)" passes 'check'. "NFQUEUE(0:1)" fails
>>> 'check' with the error:
>>>
>>> Checking /etc/shorewall/policy...
>>> ERROR: Invalid policy (NFQUEUE(0) /etc/shorewall/policy (line 15)
>>>
>>> Perhaps I'm misunderstanding the documented syntax? Additionally, is the
>>> syntax really different from the NFQUEUE action in the shorewall-rules?
>>> I'm hoping "no" but, of course, the documentation says it is.
>> 
>> It's a bug. Patch attached.
>> 
>> -Tom
>> 
>> PS: I assume that your version is 5.2.3... There is no version 5.2.8.
>> --
>> Tom Eastep \ Q: What do you get when you cross a mobster with
>> Shoreline, \ an international standard?
>> Washington, USA \ A: Someone who makes you an offer you can't
>> http://shorewall.org \ understand
>> 
>> _______________________________________________
>> Shorewall-users mailing list
>> Shorewall-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/shorewall-users
> 
> Hey, thanks Tom. I appreciate it. I had just pulled the latest source from
> git after actually taking a look at the code in my local copy. My knowledge
> of Perl is 2 decades out of date so I wasn't sure if what I thought I saw
> was really there.
> 
> Thanks again!
> 
> Regards,
> J Cliff Armstrong
> 
> P.S. Correct. My Shorewall version is 5.2.3.3. My Kernel version is 5.2.8
> w/Arch distro patches applied. Sorry if I was unclear. Next time(?) I'll put
> the version info for Shorewall in the body instead of the subject.
> 

Hmm, looks like something similar is happening with macros (should this be a 
new thread?). With the following rules in `/etc/shorewall/rules`:

> BitTorrent32(DNAT-)                   wan                   lan:10.5.1.1
> BitTorrent32(NFQUEUE(0:1c,bypass))    wan                   lan:10.5.1.1

I get the following when running `-v2 check`:

> ..Expanding Macro /usr/share/shorewall/macro.BitTorrent...
>    ERROR: Invalid ACTION (PARAM:1c,bypass))) 
> /usr/share/shorewall/macro.BitTorrent (line 12)
>       from /etc/shorewall/rules (line 40)

What I'm trying to do is create a DNAT rule using an explicit NFQUEUE instead 
of an implicit ACCEPT. The plan is to implement this as a custom action or 
macro to simplify the management of rules.

Unfortunately, `trace compile` is pretty unhelpful in this case... ending 
without an error (and thus no line number for the problematic code). Else I'd 
have worked up a pull request with a fix.

Trace attached.

Regards,
J Cliff Armstrong

Attachment: shorewall_trace.gz
Description: GNU Zip compressed data
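As an added illustration of the syntax being argued about in this thread (this is example code written here, not Shorewall's own compiler and not anything posted to the list): a small checker that parses the documented NFQUEUE argument form `NFQUEUE[([queuenumber1[:queuenumber2][c]][,bypass])]` and shows which iptables NFQUEUE target options each form corresponds to. The grammar is my reading of shorewall-rules(5)/shorewall-policy(5), and the mapping to `--queue-num`, `--queue-balance`, `--queue-cpu-fanout` and `--queue-bypass` is my reading of the iptables NFQUEUE extension; the chain name `lan-wan` in the usage is a placeholder, not what Shorewall generates. The checker validates only the action text itself, so it cannot reproduce the macro PARAM expansion failure shown above; it does make clear that `NFQUEUE(0:1)` and `NFQUEUE(0:1c,bypass)` are well-formed under the documented grammar.

```python
"""Parse Shorewall-style NFQUEUE action arguments and map them to iptables options.

Assumed grammar (from the shorewall-rules/shorewall-policy man pages):
    NFQUEUE[([queuenumber1[:queuenumber2][c]][,bypass])]
Assumed iptables mapping (iptables NFQUEUE target extension):
    q1        -> --queue-num q1
    q1:q2     -> --queue-balance q1:q2   (kernel spreads connections over q1..q2)
    c suffix  -> --queue-cpu-fanout      (pick the queue by CPU, with a range)
    bypass    -> --queue-bypass          (ACCEPT instead of DROP if no listener)
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

_NFQUEUE_RE = re.compile(
    r"""^NFQUEUE
        (?:\(
            (?:(?P<q1>\d+)(?::(?P<q2>\d+)(?P<fanout>c)?)?)?   # single queue or q1:q2[c]
            (?:(?(q1),)(?P<bypass>bypass))?                    # ',bypass' after a queue, bare 'bypass' alone
        \))?$""",
    re.VERBOSE,
)

MAX_QUEUE = 65535  # NFQUEUE queue numbers are 16-bit


@dataclass(frozen=True)
class NfqueueSpec:
    first: int             # --queue-num, or the start of a --queue-balance range
    last: Optional[int]    # end of the range, None for a single queue
    cpu_fanout: bool       # 'c' suffix
    bypass: bool           # ',bypass'


def parse_nfqueue(action: str) -> NfqueueSpec:
    """Parse one NFQUEUE action string; raise ValueError on anything outside the grammar."""
    text = action.strip()
    m = _NFQUEUE_RE.match(text)
    if m is None or text.endswith("()"):
        raise ValueError(f"Invalid NFQUEUE action: {action!r}")
    first = int(m.group("q1") or 0)  # Shorewall defaults to queue 0 when none is given
    last = int(m.group("q2")) if m.group("q2") else None
    if first > MAX_QUEUE or (last is not None and last > MAX_QUEUE):
        raise ValueError(f"Queue number out of range (0-{MAX_QUEUE}): {action!r}")
    if last is not None and last <= first:
        # This checker's rule: a balance range must span more than one queue.
        raise ValueError(f"Balance range must satisfy q1 < q2: {action!r}")
    return NfqueueSpec(first, last, bool(m.group("fanout")), bool(m.group("bypass")))


def iptables_options(spec: NfqueueSpec) -> List[str]:
    """Return the iptables NFQUEUE target options this spec corresponds to."""
    opts: List[str] = []
    if spec.last is None:
        opts += ["--queue-num", str(spec.first)]
    else:
        opts += ["--queue-balance", f"{spec.first}:{spec.last}"]
        if spec.cpu_fanout:
            opts.append("--queue-cpu-fanout")
    if spec.bypass:
        opts.append("--queue-bypass")
    return opts


def iptables_rule(chain: str, action: str) -> str:
    """Render a complete iptables command for a chain (chain name is caller-supplied)."""
    return " ".join(["iptables", "-A", chain, "-j", "NFQUEUE", *iptables_options(parse_nfqueue(action))])


def check_actions(actions: List[str]) -> Dict[str, str]:
    """Batch-check actions, returning options or an ERROR line per action, like a mini 'check'."""
    results: Dict[str, str] = {}
    for a in actions:
        try:
            results[a] = " ".join(iptables_options(parse_nfqueue(a)))
        except ValueError as e:
            results[a] = f"ERROR: {e}"
    return results


if __name__ == "__main__":
    # Constructed sample: the forms discussed in the thread plus two malformed ones.
    sample = ["NFQUEUE", "NFQUEUE(0)", "NFQUEUE(0:1)", "NFQUEUE(0:1c,bypass)",
              "NFQUEUE(1:0)", "NFQUEUE(0:1c,bypass))"]
    for action, result in check_actions(sample).items():
        print(f"{action:24} -> {result}")
    print(iptables_rule("lan-wan", "NFQUEUE(0:1)"))
```

Running the block prints the option set for each well-formed action and an `ERROR:` line for the two malformed ones (the reversed range and the extra closing parenthesis that appears in the macro error above). The regex deliberately requires the comma before `bypass` only when a queue number precedes it, so both `NFQUEUE(bypass)` and `NFQUEUE(0,bypass)` are accepted.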

