Broken iptables rules when using DIVERT with shorewall and linux-vanilla (linux-hardened is not affected)
Hi,
shorewall DIVERT rules don’t work anymore when going from linux-hardened to linux-vanilla (both edge)
- linux-vanilla-4.14.32-r0
- linux-hardened-4.9.73-r0
- shorewall-5.1.11.1-r0
- iptables-1.6.2-r0
Minimal shorewall config to reproduce the problem (don’t forget to enable shorewall in /etc/shorewall/shorewall.conf, too):
# cd /etc/shorewall
# cat interfaces
loc eth0
- lo -
# cat zones
fw firewall
loc ipv4
# cat policy
$FW loc ACCEPT
all all REJECT info
# cat providers
Tproxy 1 - - lo - tproxy
# cat mangle
DIVERT eth0 0.0.0.0/0 tcp - 80
# shorewall restart
...
Running /sbin/iptables-restore --wait 60...
iptables-restore: line 50 failed
ERROR: iptables-restore Failed. Input is in /var/lib/shorewall/.iptables-restore-input
Terminated
# sed -n 50p /var/lib/shorewall/.iptables-restore-input
COMMIT
The same config works fine with linux-hardened though.
See http://shorewall.org/Shorewall_Squid_Usage.html#TPROXY
(from redmine: issue id 8778, created on 2018-04-09, closed on 2019-05-03)
- Changesets:
  - Revision e12a6974 by Natanael Copa on 2018-04-23T18:53:11Z:
    main/linux-vanilla: enable NF_SOCKET
    fixes #8778
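A preflight check for this failure mode, added here as an example and not code from the report, from shorewall or from the Alpine kernel packages: before running `shorewall restart` after a kernel package switch, confirm that the running kernel was built with the netfilter pieces the DIVERT/TPROXY setup needs. It assumes that shorewall's DIVERT mangle rule expands to an iptables `-m socket` match (the xt_socket module, which is what the NF_SOCKET option in the fixing changeset gates) and that the relevant 4.x config symbols are CONFIG_NF_SOCKET_IPV4, CONFIG_NETFILTER_XT_MATCH_SOCKET and, for the tproxy provider, CONFIG_NETFILTER_XT_TARGET_TPROXY; the function and chain names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the report, shorewall or Alpine): check that the
# kernel config enables what a shorewall DIVERT/TPROXY setup relies on, so a
# failing COMMIT in iptables-restore can be traced to the kernel rather than
# to the shorewall config.
#
# Assumption: DIVERT uses the iptables `-m socket` match (xt_socket), which
# needs CONFIG_NETFILTER_XT_MATCH_SOCKET and, on 4.10+ kernels,
# CONFIG_NF_SOCKET_IPV4; the tproxy provider needs the TPROXY target.
REQUIRED_OPTS="CONFIG_NF_SOCKET_IPV4 CONFIG_NETFILTER_XT_MATCH_SOCKET CONFIG_NETFILTER_XT_TARGET_TPROXY"

# Print the running kernel's config from whichever location exists.
kernel_config() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    else
        return 1
    fi
}

# missing_opts FILE: print every required option that is neither =y nor =m
# in the given kernel config file. Returns 0 if all are present, 1 otherwise.
missing_opts() {
    file=$1
    rc=0
    for opt in $REQUIRED_OPTS; do
        if ! grep -Eq "^${opt}=[ym]$" "$file"; then
            echo "$opt"
            rc=1
        fi
    done
    return $rc
}

# Live probe (root on the target box): load one rule using the socket match
# into a throwaway mangle chain, mirroring what the DIVERT rule needs, then
# clean up. Returns iptables' status for the -A, which is what fails when
# the kernel lacks xt_socket.
probe_socket_match() {
    chain="divert_probe_$$"
    iptables -t mangle -N "$chain" 2>/dev/null || return 1
    iptables -t mangle -A "$chain" -p tcp -m socket --transparent -j RETURN
    rc=$?
    iptables -t mangle -F "$chain"
    iptables -t mangle -X "$chain"
    return $rc
}

# Usage on a live box, as root:
#   cfg=$(mktemp); kernel_config > "$cfg" && missing_opts "$cfg"
#   probe_socket_match && echo "socket match OK"
```

The static check and the live probe are deliberately separate: the config scan works from any shell (including a chroot or a build host) and names the exact option to enable, while the probe confirms the loaded kernel actually accepts the rule, which is the condition iptables-restore checks at COMMIT time.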