[Shorewall-users] ipset in tcfilters error
Hesham Ahmed
2017-07-23 16:53:57 UTC
I tried to use ipsets in tcfilters (after enabling BASIC_FILTERS in
shorewall.conf). "shorewall check" gave no errors but starting shorewall
failed with the error below. Shorewall version is 5.1.5

Adding Providers...
Setting up Traffic Control...
cmp: invalid mask
... cmp( u8 at 6 mask 0xff eq 6 ) and cmp( u16 at 0 layer 2 mask ffff eq
0x0016 ) and cmp( u32 at 16 mask 0xffff0000 eq 0x0a000000 >>)<< ...
... cmp(u16 at 0 layer 2 mask >>ffff<< eq 0x0016)...
Usage: cmp(ALIGN at OFFSET [ ATTRS ] { eq | lt | gt } VALUE)
where: ALIGN := { u8 | u16 | u32 }
ATTRS := [ layer LAYER ] [ mask MASK ] [ trans ]
LAYER := { link | network | transport | 0..2 }

Example: cmp(u16 at 3 layer 2 mask 0xff00 gt 20)
Illegal "ematch"
ERROR: Command "tc filter add dev ifb0 protocol ip parent 3:0 prio 1
basic match cmp( u8 at 6 mask 0xff eq 6 ) and cmp( u16 at 0 layer 2 mask
ffff eq 0x0016 ) and cmp( u32 at 16 mask 0xffff0000 eq 0x0a000000 ) flowid
3:110" Failed
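Added example, not part of the original posts and not Shorewall code: a pre-flight check that applies the cmp() usage grammar printed in the error above to a generated tc command before it is run. It assumes tc reads numbers by C strtoul base-0 rules, so a bare "ffff" is not a number; `check_cmp`, `c_number` and the sample string are names constructed here.

```python
import re

# Constructed sample: the failing command from the post, joined onto one line.
FAILING = ('tc filter add dev ifb0 protocol ip parent 3:0 prio 1 basic match '
           'cmp( u8 at 6 mask 0xff eq 6 ) and '
           'cmp( u16 at 0 layer 2 mask ffff eq 0x0016 ) and '
           'cmp( u32 at 16 mask 0xffff0000 eq 0x0a000000 ) flowid 3:110')

ALIGNS = {'u8', 'u16', 'u32'}
LAYERS = {'link', 'network', 'transport', '0', '1', '2'}
# Assumption: numeric literals follow C strtoul(..., 0):
# 0x prefix is hex, a leading 0 is octal, anything else is decimal.
C_NUM = re.compile(r'^(0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$')

def c_number(tok):
    """Return the integer value of a C-style literal, or None if it is not one."""
    if not C_NUM.match(tok):
        return None
    if tok[:2].lower() == '0x':
        return int(tok, 16)
    return int(tok, 8) if tok.startswith('0') else int(tok, 10)

def first_problem(tok):
    """Check one token list against: ALIGN at OFFSET [ATTRS] {eq|lt|gt} VALUE."""
    if len(tok) < 5 or tok[0] not in ALIGNS or tok[1] != 'at':
        return 'expected ALIGN at OFFSET ... OP VALUE'
    if c_number(tok[2]) is None:
        return 'invalid offset ' + tok[2]
    i = 3
    while i < len(tok) and tok[i] in ('layer', 'mask', 'trans'):
        if tok[i] == 'trans':          # flag without an argument
            i += 1
            continue
        arg = tok[i + 1] if i + 1 < len(tok) else ''
        if tok[i] == 'layer' and arg not in LAYERS:
            return 'invalid layer ' + arg
        if tok[i] == 'mask' and c_number(arg) is None:
            return 'invalid mask ' + arg
        i += 2
    if len(tok) != i + 2 or tok[i] not in ('eq', 'lt', 'gt'):
        return 'expected { eq | lt | gt } VALUE'
    return None if c_number(tok[i + 1]) is not None else 'invalid value ' + tok[i + 1]

def check_cmp(command):
    """Return (normalized cmp text, problem) for each cmp() that breaks the grammar."""
    found = []
    for m in re.finditer(r'cmp\(([^)]*)\)', command):
        tok = m.group(1).split()
        problem = first_problem(tok)
        if problem:
            found.append(('cmp(' + ' '.join(tok) + ')', problem))
    return found
```

On the sample it reports only the second cmp(), the one whose mask is written without the 0x prefix.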
Tom Eastep
2017-07-23 18:40:48 UTC
It would certainly make this a lot easier to analyze if you would send
me (privately) a tarball of your configuration.

Thanks,
-Tom
--
Tom Eastep \ Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.org \ understand
\_______________________________________________
Tom Eastep
2017-07-23 19:04:40 UTC
Although, I suspect that the attached patch may eliminate the problem.

. /usr/share/shorewall/shorewallrc
patch $PERLLIBDIR/Shorewall/Tc.pm < TCFILTER_SPORT.patch

-Tom
Hesham Ahmed
2017-07-24 06:23:38 UTC
Thanks Tom, I will try the patch and update you.
Hesham Ahmed
2017-07-24 06:32:52 UTC
The patch does eliminate the problem. Thanks again