MaxKellermann/ferm

command order. Unrecognized keyword

dutsky opened this issue · 2 comments

I have issues with mangle ipsec command order
https://pastebin.com/hbnX1sJX

How I do it with iptables:
sudo iptables -t mangle -A FORWARD --match policy --pol ipsec --dir in -s 10.10.10.10/24 -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360

How I'm trying to do it with ferm:

table mangle {
    chain FORWARD {
        # adjust MSS
        mod policy pol ipsec dir in saddr $PEER outerface eth0 proto tcp tcp-flags (SYN RST) SYN mod tcpmss mss 1361:1536 TCPMSS set-mss 1360;
    }
}

An error:

Error in /etc/ferm/ferm.conf line 46:
table mangle
{
    chain FORWARD
    {
        mod policy pol ipsec dir in saddr $ PEER outerface eth0 proto tcp tcp-flags <--
Unrecognized keyword: tcp-flags

Am I doing something wrong?

Thanks!

The problem here is a keyword conflict between the iptables core and the iptables ipsec extension. The ipsec extension defines an option named proto, while proto was previously the ferm keyword which maps to --protocol. But you can use protocol tcp instead of proto tcp. Or just put the proto tcp first; internally, iptables will reorder the check anyway.

From the manual: "Note that the keyword proto is also used as a shorthand version of protocol (built-in match module). You can fix this conflict by always using the long keyword protocol."
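The two workarounds from the reply, written out as a complete ferm configuration. This is an added example, not code from the issue or from the ferm project; the `@def $PEER` line is an assumption about how the variable was declared (the address and interface come from the iptables command in the issue).

```ferm
# Added example (not from the original issue): the FORWARD rule rewritten
# so that ferm's parser accepts it. $PEER and eth0 are taken from the issue;
# the @def value below is an assumption about how $PEER was declared.
@def $PEER = 10.10.10.10/24;

table mangle {
    chain FORWARD {
        # Variant 1: the long keyword `protocol` cannot be confused with the
        # policy match's own `proto` option, so the keyword order does not
        # matter and the tcp match (tcp-flags) is loaded as expected.
        mod policy pol ipsec dir in saddr $PEER outerface eth0
            protocol tcp tcp-flags (SYN RST) SYN
            mod tcpmss mss 1361:1536 TCPMSS set-mss 1360;

        # Variant 2: keep `proto`, but place it before `mod policy`, so the
        # parser still reads it as the built-in --protocol match. iptables
        # evaluates the matches the same way regardless of their order.
        # Only one of the two rules is needed; both are shown for comparison.
        proto tcp mod policy pol ipsec dir in saddr $PEER outerface eth0
            tcp-flags (SYN RST) SYN
            mod tcpmss mss 1361:1536 TCPMSS set-mss 1360;
    }
}
```

Before loading a changed ruleset on a live host, `ferm --noexec --lines /etc/ferm/ferm.conf` parses the file and prints the generated iptables commands without applying them, so you can confirm that the `proto` in the output ends up as `-p tcp` rather than as the policy module's `--proto`, and that `--tcp-flags` and `--mss` are present.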