[Firehol-support] text "ERROR" shown by "fireqos status" for first class in class group

Phineas Gage phineas919 at gmail.com
Fri Apr 24 13:06:29 BST 2015

Hi Phil, I tried the build and saw the fireqos status ERROR fix I made in there, and it passes the smoke test (we still have Internet), but I still get warnings in the syslog about xt_physdev:

Apr 24 13:46:46 FireHOL[6628]: Activating new firewall from /etc/firehol/firehol.conf (translated to 349 iptables rules).
Apr 24 13:46:55 kernel: [551947.644654] xt_physdev: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING chains for non-bridged traffic is not supported anymore.
[repeated 1004 times]

The only two places I use physin and physout are in my router46 commands, like this:

router46 lan2int inface br0 outface br0 physin eth0 physout eth1
    route dhcp accept
    route6 "ipv6neigh ipv6router ipv6error" accept
    route all accept

router46 int2lan inface br0 outface br0 physin eth1 physout eth0
    route dhcp accept
    route6 "ipv6neigh ipv6router ipv6error" accept
    route6 ping accept
    route4 all accept src ${schooling_net} dst ${laserjet_ip}

Just a shot in the dark, but does it have anything to do with using router46 instead of router?


> On Apr 24, 2015, at 7:57 AM, Phil Whineray <phil at sanewall.org> wrote:
> On Thu, Apr 23, 2015 at 09:11:11AM +0200, Phineas Gage wrote:
>> I started trying to digest your bridging documentation but that’s going to
>> take more time, so I’ll give it another go later. I see it’s rather
>> complicated, so that suggests that even though the bridge config I have
>> is working, there may be some surprises in behavior I’m not aware of,
>> so look forward to getting my head around it.
> If you are using physin/physout on pairs of ports within a single
> bridge everything should just work and the flags added to silence
> the syslog warnings are not a problem.
> If you use them on any other combination of network devices then
> I believe the new flags instruct netfilter to drop the packets
> before the physout match is done, which is why the warning is no
> longer emitted. It also means nothing matches even if it seems it
> should based on the values in the config.
> What I didn't check (but will this weekend) is whether when the original
> syslog warning flag is emitted, the check is ignored (similar to my
> proposal) or whether physout just never matches (same behaviour as
> new flags).