From: J. R. O. <jro...@gh...> - 2011-06-30 02:26:19
Well, I suppose while you're looking forward to 4.4.21 and working on parsing problems anyway (with reference to the TPROXY), I should get around to writing up the problem I found.

In the masq file, the man page says that you can add an outgoing port range to use, as ":xxx-yyy" appended to the ADDRESS field. But when I try using this, I get:

    ERROR: The separator for a port range is ':', not '-' (49152-61000) : /etc/shorewall/masq (line 15)

And if I use the colon instead....

    ERROR: The separator for a port range is ':', not '-' (49152-61000) : /etc/shorewall/masq (line 15)

So I took a peek at the code, and I see that in Nat.pm, at line 210 (oh, this is 4.4.17 I'm using, from the Fedora 14-15 RPM), after stripping off any leading colons, it substitutes a dash for a colon, I suppose in case someone tried to use a colon anyway. Which is fine, since the iptables syntax does demand a hyphen, not a colon, like most port ranges. But then, it sends the output of that substitution to validate_portpair, defined in IPAddrs.pm, which expects a colon. So of course, no matter which separator you used in the file, it's a hyphen at that point, and generates an error.

I suppose the main options for fixing would be to either first substitute colon for hyphen, then validate_portpair, then substitute hyphen for colon before generating the iptables line; or, make another function, something like validate_masq_portpair, which does expect hyphens, and run it through that instead.

In the meantime, I've fixed it up for my own personal use by just commenting out the validate_portpair in Nat.pm, and make damn sure I remember to use a hyphen there. But a real fix would be nice. :)

-- 
J. Randall Owens | http://www.ghiapet.net/
ProofReading Markup Language | http://prml.sourceforge.net/
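The ordering problem reported above and the first suggested fix, as an added example that is not part of the original message and is not Shorewall's code. The validate_portpair here is a simplified stand-in (the real one lives in IPAddrs.pm and is not shown on this page); masq_ports_buggy, masq_ports_fixed and the sample inputs are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Simplified stand-in for the validator described in the post: it accepts
# only "low:high" and rejects a hyphen. Not the real IPAddrs.pm code.
sub validate_portpair {
    my ($pair) = @_;
    die "The separator for a port range is ':', not '-' ($pair)\n"
        if $pair =~ /-/;
    my @ports = split /:/, $pair, -1;
    die "Invalid port range ($pair)\n" unless @ports == 1 || @ports == 2;
    for my $p (@ports) {
        die "Invalid port ($p)\n" unless $p =~ /^\d+$/ && $p >= 1 && $p <= 65535;
    }
    die "Invalid port range ($pair)\n" if @ports == 2 && $ports[0] >= $ports[1];
    return $pair;
}

# Order described in the post: convert to the iptables hyphen form first,
# then validate. Every range is a hyphen by then, so every range fails.
sub masq_ports_buggy {
    my ($ports) = @_;
    $ports =~ s/^:+//;
    $ports =~ s/:/-/;
    validate_portpair($ports);
    return "--to-ports $ports";
}

# First fix option from the post: normalise to a colon, validate, and only
# then convert to the hyphen that iptables expects.
sub masq_ports_fixed {
    my ($ports) = @_;
    $ports =~ s/^:+//;
    $ports =~ s/-/:/;
    validate_portpair($ports);
    $ports =~ s/:/-/;
    return "--to-ports $ports";
}

# Constructed sample ADDRESS suffixes, including ones that must be rejected.
for my $in (':49152-61000', ':49152:61000', ':61000-49152', ':49152-70000') {
    for my $f ([buggy => \&masq_ports_buggy], [fixed => \&masq_ports_fixed]) {
        my $out = eval { $f->[1]->($in) };
        chomp(my $err = $@ // '');
        printf "%-6s %-14s => %s\n", $f->[0], $in, defined $out ? $out : "ERROR: $err";
    }
}
```

The fixed order still rejects the reversed and out-of-range inputs, which is what is lost when the validation call is simply commented out.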