One of the Shorewall Beta testers just installed iptables 1.4.11 and is seeing a couple of anomalies. Before I run off and change Shorewall, I would like to confirm that these are intentional changes in iptables behavior and not bugs:

-------- Original Message --------
Subject: Re: [Shorewall-devel] Shorewall 4.4.20 Beta 5
Date: Sun, 29 May 2011 15:01:09 +0100
From: Steven Jan Springl <steven@xxxxxxxxxxxxxxxxx>
Reply-To: shorewall-devel@xxxxxxxxxxxxxxxxxxxxx
To: shorewall-devel@xxxxxxxxxxxxxxxxxxxxx

Using kernel 2.6.39, iptables 1.4.10 and xtables-addons 1.35

The following rules file entry:

    ACCEPT $FW lan tcp 22 - - - !root:root

produces the following iptables rule:

    -A fw2lan -p 6 --dport 22 -m owner ! --uid-owner root ! --gid-owner root -j ACCEPT

which works. After upgrading iptables to 1.4.11 the following iptables-restore error is produced:

    iptables-restore v1.4.11: owner: option "--uid-owner" cannot be inverted.

The following tcrules file entry:

    IPMARK(dst,-1,-64) $FW eth1 tcp 888

produces the following iptables rule:

    -A OUTPUT -p 6 --dport 888 -o eth1 -j IPMARK --addr dst --and-mask -1 --or-mask -64 --shift 0

which works. After upgrading to iptables 1.4.11 the following iptables-restore error is produced:

    iptables-restore v1.4.11: IPMARK: Bad value for "and-mask" option: "-1"

---------------------------------

Thanks,
-Tom
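As an added illustration (not part of the thread above, and not Shorewall's or xtables-addons' code), the Python below models what the IPMARK rule in the quoted report computes and why the literals "-1" and "-64" are really the 32-bit masks 0xffffffff and 0xffffffc0. The mark computation modelled here (right-shift the host-order IPv4 address, AND with and-mask, OR with or-mask) is my reading of the xt_IPMARK target and is an assumption of this example, as is the idea that spelling the masks as unsigned hex sidesteps the rejected negative literal; the sample address is constructed.

```python
# Added example: IPMARK mark arithmetic and 32-bit mask normalisation.
# Assumed semantics (my understanding of xtables-addons' xt_IPMARK):
#   mark = ((addr >> shift) & and_mask) | or_mask, in 32-bit unsigned arithmetic.
import ipaddress

MASK32 = 0xFFFFFFFF


def to_unsigned32(value: int) -> int:
    """Interpret a possibly negative mask literal (e.g. -1, -64) as a 32-bit unsigned value."""
    if not -2**31 <= value <= MASK32:
        raise ValueError(f"mask {value} does not fit in 32 bits")
    return value & MASK32


def ipmark(addr: str, and_mask: int, or_mask: int, shift: int = 0) -> int:
    """Compute the packet mark the IPMARK target would set for the given address."""
    if not 0 <= shift < 32:
        raise ValueError("shift must be in 0..31")
    mark = int(ipaddress.IPv4Address(addr))   # host-order 32-bit address
    mark >>= shift
    mark &= to_unsigned32(and_mask)
    mark |= to_unsigned32(or_mask)
    return mark & MASK32


def ipmark_target(selector: str, and_mask: int, or_mask: int, shift: int = 0) -> str:
    """Render the -j IPMARK options with the masks spelled as unsigned hex.

    This avoids the negative literals that the quoted iptables 1.4.11 error rejects.
    Whether a given iptables/xtables-addons build accepts the hex spelling is an
    assumption here and must be verified on the target system.
    """
    if selector not in ("src", "dst"):
        raise ValueError("selector must be 'src' or 'dst'")
    return (f"-j IPMARK --addr {selector} "
            f"--and-mask 0x{to_unsigned32(and_mask):08x} "
            f"--or-mask 0x{to_unsigned32(or_mask):08x} "
            f"--shift {shift}")


if __name__ == "__main__":
    dst = "192.168.1.77"   # constructed sample destination; the quoted rule marks on dst
    mark = ipmark(dst, -1, -64, 0)
    # or-mask -64 sets the upper 26 bits, so only the low 6 bits of the address survive
    print(f"{dst} -> mark 0x{mark:08x}")
    print(ipmark_target("dst", -1, -64))
```

Running the script shows that the quoted rule keeps only the low six bits of the destination address in the mark and that the same target can be expressed without negative literals.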