Shorewall 4.1.7 is now ready for testing:

http://www.shorewall.net/pub/shorewall/development/4.1/
ftp://ftp.shorewall.net/pub/shorewall/development/4.1/

Problems corrected in Shorewall 4.1.7.

1) Previously, when IP_FORWARDING=Yes in shorewall.conf, Shorewall would enable ip forwarding before instantiating the rules. This could lead to incorrect connection tracking entries being created between the time that forwarding was enabled and when the nat table rules were instantiated. Beginning with Shorewall 4.0.11 and 4.1.7, enabling of forwarding is deferred until after the rules are in place.

Problems corrected in Shorewall-perl 4.1.7.

1) Perl run-time errors occurred if an unknown service was named in the /etc/shorewall/tcfilters file.

2) Trailing columns containing '-' would outwit Shorewall-perl's detection of 'too few columns' errors.

3) 'shorewall start' could fail with an error similar to the following:

   RTNETLINK answers: Invalid argument
   We have an error talking to the kernel
   ERROR: Command "tc filter add dev bond0.207 parent 1:0 protocol ip pref 10 u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid 1:11" Failed
   /sbin/shorewall: line 723: 755 Terminated $SHOREWALL_SHELL ${VARDIR}/.restart $debugging restart

4) A POLICY of ":" in /etc/shorewall/policy would produce Perl run-time errors.

5) An INTERFACE of ":" in /etc/shorewall/interfaces would produce Perl run-time errors.

6) A MARK of ":" in /etc/shorewall/tcrules would produce Perl run-time errors.

7) If both the ESTABLISHED and RELATED sections were present then each connection through chains controlled by a RATE/LIMIT in /etc/shorewall/policies was counted twice toward the limit.

8) If DYNAMIC_ZONES=Yes and an entry in /etc/shorewall/hosts for an IPv4 zone specified 'ipsec', dynamic IPSEC zone members were mis-handled by the generated ruleset.

New Features in 4.1.7.
1) If an interface fails when using balanced multi-ISP routing, the default route is lost. If there are remaining working interfaces with dynamic gateway addresses, Shorewall will be unable to determine those gateways. Beginning with Shorewall (Shorewall-lite) 4.1.7, the 'init' script may participate in gateway detection by setting variables with pre-determined names as follows:

   <gw>_GATEWAY

   where <gw> is the interface name:

   - in upper case
   - with any characters not allowed in shell variable names replaced by '_'.

   Example (from OpenWRT):

   Interface: eth0.1
   Variable:  ETH0_1_GATEWAY

   /etc/shorewall/init:

   ETH0_1_GATEWAY=$(uci get /var/state/network.wan0.gateway)

2) A new CONNBYTES column has been added to the tcrules file. The column defines a byte or packet range that the connection must fall within in order for the rule to match. The contents are:

   [!]<min>:[<max>[:{O|R|B}[:{B|P|A}]]]

   !      matches if the packet/byte count is not within the range defined by <min> and <max>.
   <min>  is an integer which defines the beginning of the byte/packet range.
   <max>  is an integer which defines the end of the byte/packet range. If omitted, only the beginning of the range is checked.

   The first letter gives the direction which the range refers to:

   O - The original direction of the connection.
   R - The opposite direction from the original connection.
   B - The total of both directions.

   If omitted, 'B' is assumed.

   The second letter determines what the range refers to:

   B - Bytes
   P - Packets
   A - Average packet size.

   If omitted, 'B' is assumed.

   Examples:

   1000000:     - Connection has transferred a total of at least 1,000,000 bytes.
   1000000::R   - Connection has transferred at least 1,000,000 bytes in the direction opposite of the original direction (typical of a large download).
   1000000::O:P - Connection has sent at least 1,000,000 packets in the direction of the original connection.

3) A new MANGLE_ENABLED option is added to shorewall.conf.
   The default setting is 'Yes' which causes Shorewall to assume responsibility for the Netfilter mangle table. When MANGLE_ENABLED is set to 'No', Shorewall assumes no responsibility for that table. In this setting:

   a) Shorewall doesn't alter the mangle table.
   b) You may not use Shorewall Traffic Shaping (TC_ENABLED must be set to 'No').
   c) The tcrules file is ignored.
   d) The providers file must be empty.
   e) All entries in tcdevices must specify the 'classify' option and traffic classification may only occur using the tcfilters file.

   This allows for another application running on your firewall to take over the mangle table and use it for its own purposes.

4) Shorewall-perl now supports an ORIGINAL DEST column in macro files. The column must be left empty if the macro is to be used in the body of an action. The new column is placed between the SOURCE PORT(S) and RATE LIMIT columns. So that Shorewall-perl can determine which column layout each macro has, a new FORMAT directive is added:

   FORMAT {1|2}

   The default is FORMAT 1 which is the old format. FORMAT 2 specifies that the macro is in the new format.

5) Shorewall-perl implements a new Rfc1918 macro that deals with RFC 1918 addresses. This macro should be used in place of the 'norfc1918' interface option which is deprecated. The macro body is:

   #ACTION SOURCE DEST PROTO DEST    SOURCE  ORIGINAL RATE  USER/
   #                         PORT(S) PORT(S) DEST     LIMIT GROUP
   FORMAT 2
   PARAM SOURCE:10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 \
   #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

   The 'norfc1918' option on the interface associated with zone 'z' and with RFC1918_STRICT=Yes is equivalent to:

   Rfc1918(DROP) z all

6) A better way to perform RFC 1918 filtration is to null-route the address ranges reserved by RFC 1918. You can do that by setting the new NULL_ROUTE_RFC1918 option to 'Yes' in shorewall.conf. It is highly recommended that you also set ROUTE_FILTER=Yes to get Martian messages.
   These will help diagnose problems where you need to be able to access hosts with RFC 1918 addresses that are outside of your local networks. Sometimes, these can be subtle such as the case where your ISP is using RFC 1918 addresses on their DHCP servers.

   NULL_ROUTE_RFC1918 defaults to 'No' and is only supported by Shorewall-perl; Shorewall-shell ignores the option.

7) There is now a macro.SANE which supports network-attached scanners. Shorewall now automatically loads the sane connection tracking helper module. Thanks for this feature go to Tuomo Soini.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key

-------------------------------------------------------------------------
This SF.net email is sponsored by the 2008 JavaOne(SM) Conference
Don't miss this year's exciting event. There's still time to save $100.
Use priority code J8TL2D2.
http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone
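The CONNBYTES column syntax from item 2 above, worked through as a parser that emits the corresponding iptables connbytes match. This is an added example, not Shorewall-perl's own code: the iptables option names are real, the validation rules and helper names are mine.

```python
"""Parser for the CONNBYTES column added to tcrules in Shorewall 4.1.7.

Added example, not Shorewall-perl's own code. It turns the column syntax
[!]<min>:[<max>[:{O|R|B}[:{B|P|A}]]] into the argument list of the iptables
'connbytes' match and rejects malformed cells with a clear message instead
of passing them through to iptables-restore. The option names are
iptables' own (--connbytes, --connbytes-dir, --connbytes-mode); the
validation rules are mine.
"""
import re

DIRECTIONS = {"O": "original", "R": "reply", "B": "both"}
MODES = {"B": "bytes", "P": "packets", "A": "avgpkt"}


class ConnBytesError(ValueError):
    pass


def parse_connbytes(column):
    """Return (negate, low, high, direction, mode); high is None if omitted."""
    text = column.strip()
    negate = text.startswith("!")
    if negate:
        text = text[1:]
    parts = text.split(":")
    if not 2 <= len(parts) <= 4:          # '<min>' alone or too many fields
        raise ConnBytesError("Invalid CONNBYTES (%s)" % column)
    low, high = parts[0], parts[1]
    if not re.fullmatch(r"\d+", low):     # rejects '', '-1', '1e6'
        raise ConnBytesError("Invalid CONNBYTES minimum (%s)" % column)
    if high and not re.fullmatch(r"\d+", high):
        raise ConnBytesError("Invalid CONNBYTES maximum (%s)" % column)
    low_n, high_n = int(low), (int(high) if high else None)
    if high_n is not None and high_n < low_n:
        raise ConnBytesError("CONNBYTES maximum below minimum (%s)" % column)
    # Missing or empty trailing fields default to 'B' (both / bytes).
    dir_code = (parts[2] if len(parts) > 2 and parts[2] else "B").upper()
    mode_code = (parts[3] if len(parts) > 3 and parts[3] else "B").upper()
    if dir_code not in DIRECTIONS:
        raise ConnBytesError("Invalid CONNBYTES direction (%s)" % column)
    if mode_code not in MODES:
        raise ConnBytesError("Invalid CONNBYTES mode (%s)" % column)
    return negate, low_n, high_n, DIRECTIONS[dir_code], MODES[mode_code]


def connbytes_match(column):
    """Render the iptables match fragment for one CONNBYTES cell."""
    negate, low, high, direction, mode = parse_connbytes(column)
    # Keep the trailing colon for an open-ended range: older iptables
    # versions insist on 'from:' rather than a bare 'from'.
    rng = "%d:%d" % (low, high) if high is not None else "%d:" % low
    args = ["-m", "connbytes"] + (["!"] if negate else [])
    args += ["--connbytes", rng, "--connbytes-dir", direction,
             "--connbytes-mode", mode]
    return " ".join(args)


def validate_connbytes(column):
    """Return None for a well-formed cell, otherwise the error text."""
    try:
        parse_connbytes(column)
    except ConnBytesError as e:
        return str(e)
    return None
```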
Tom

Environment: Debian Etch, kernel 2.6.25, iptables 1.4.0, and iptables (xtables) 1.5.3

##############################################

The following tcrules entry:

: - 2.2.2.2

produces the following messages:

Use of uninitialized value in string eq at /usr/share/shorewall-perl/Shorewall/Tc.pm line 82, <$currentfile> line 38.
Use of uninitialized value in string eq at /usr/share/shorewall-perl/Shorewall/Tc.pm line 88, <$currentfile> line 38.
Use of uninitialized value in string eq at /usr/share/shorewall-perl/Shorewall/Tc.pm line 94, <$currentfile> line 38.
Use of uninitialized value in pattern match (m//) at /usr/share/shorewall-perl/Shorewall/Tc.pm line 100, <$currentfile> line 38.
Use of uninitialized value in pattern match (m//) at /usr/share/shorewall-perl/Shorewall/Tc.pm line 104, <$currentfile> line 38.

##############################################

The following tcrules entry:

: - 2.2.2.2 - - - - - - - 0:1000

produces the following message:

Argument "" isn't numeric in numeric gt (>) at /usr/share/shorewall-perl/Shorewall/Chains.pm line 1330, <$currentfile> line 39.
##############################################

The following tcrules entry:

: - 2.2.2.2 - - - - - - - 10:1000

generates iptables rule:

-A tcpost -m connbytes 10:1000 --connbytes-dir both --connbytes-mode bytes -d 2.2.2.2 -j CONNMARK --set-mark 32/0xFF

which produces message:

Bad argument '10:1000'

##############################################

The following rules entry:

ACCEPT lan $FW - - - - - - /:C

generates iptables rule:

-A lan2fw -m connmark --mark / -j ACCEPT

which is accepted by iptables 1.4.0; however, iptables 1.5.3 produces the following message:

iptables-restore v1.5.3: connmark: Bad value for "--mark" option: "/"

##############################################

Specifying NULL_ROUTE_RFC1918=Yes adds the following routes:

unreachable 192.168.0.0/16
unreachable 172.16.0.0/12
unreachable 10.0.0.0/8

However, neither issuing a 'shorewall clear' nor specifying NULL_ROUTE_RFC1918=No and restarting Shorewall removes these routes. Is this expected?

##############################################

Steven.
Tom

This is a correction to the previous email, which contained a couple of typing errors in the second and third problems.

Environment: Debian Etch, kernel 2.6.25, iptables 1.4.0, and iptables (xtables) 1.5.3

##############################################

The following tcrules entry:

: - 2.2.2.2

produces the following messages:

Use of uninitialized value in string eq at /usr/share/shorewall-perl/Shorewall/Tc.pm line 82, <$currentfile> line 38.
Use of uninitialized value in string eq at /usr/share/shorewall-perl/Shorewall/Tc.pm line 88, <$currentfile> line 38.
Use of uninitialized value in string eq at /usr/share/shorewall-perl/Shorewall/Tc.pm line 94, <$currentfile> line 38.
Use of uninitialized value in pattern match (m//) at /usr/share/shorewall-perl/Shorewall/Tc.pm line 100, <$currentfile> line 38.
Use of uninitialized value in pattern match (m//) at /usr/share/shorewall-perl/Shorewall/Tc.pm line 104, <$currentfile> line 38.

##############################################

The following tcrules entry:

32:CT - 2.2.2.2 - - - - - - - 0:1000

produces the following message:

Argument "" isn't numeric in numeric gt (>) at /usr/share/shorewall-perl/Shorewall/Chains.pm line 1330, <$currentfile> line 39.
##############################################

The following tcrules entry:

32:CT - 2.2.2.2 - - - - - - - 10:1000

generates iptables rule:

-A tcpost -m connbytes 10:1000 --connbytes-dir both --connbytes-mode bytes -d 2.2.2.2 -j CONNMARK --set-mark 32/0xFF

which produces message:

Bad argument '10:1000'

##############################################

The following rules entry:

ACCEPT lan $FW - - - - - - /:C

generates iptables rule:

-A lan2fw -m connmark --mark / -j ACCEPT

which is accepted by iptables 1.4.0; however, iptables 1.5.3 produces the following message:

iptables-restore v1.5.3: connmark: Bad value for "--mark" option: "/"

##############################################

Specifying NULL_ROUTE_RFC1918=Yes adds the following routes:

unreachable 192.168.0.0/16
unreachable 172.16.0.0/12
unreachable 10.0.0.0/8

However, neither issuing a 'shorewall clear' nor specifying NULL_ROUTE_RFC1918=No and restarting Shorewall removes these routes. Is this expected?

##############################################

Steven.
Steven Jan Springl wrote:
>
> Specifying NULL_ROUTE_RFC1918=Yes adds the following routes:
>
> unreachable 192.168.0.0/16
> unreachable 172.16.0.0/12
> unreachable 10.0.0.0/8
>
> However, neither issuing a 'shorewall clear' nor specifying
> NULL_ROUTE_RFC1918=No and restarting Shorewall removes these routes.
> Is this expected?

Attached are patches for all of your problems except this one (apply them in order). I don't know what to do about this one so I'll have to think about it.

Simple Yes/No options usually result in a change to the system configuration during "shorewall start" if the setting is 'Yes'. But what should they do during "shorewall stop" or "shorewall clear" or during "shorewall restart" if the setting is changed to 'No'?

a) Nothing -- the current approach.
b) Invert the setting? If so, what setting? The one in the current config files or the one in the conf files during the last start/restart?
c) Restore the setting to what it was when Shorewall was started 4 months ago (assuming that nothing but 'restarts' have been done since then)?

You get the idea. I really don't want to implement some sort of database that tries to keep track of settings to restore at stop/clear and to keep track of changing settings; if that is a requirement, I'll retire from maintaining Shorewall and someone younger who hasn't spent the last 40 years solving those sorts of problems can take over.

-Tom
Tom Eastep wrote:
>
> But what should they do during "shorewall stop" or "shorewall clear" or
> during "shorewall restart" if the setting is changed to 'No'?
>
> a) Nothing -- the current approach.
> b) Invert the setting? If so, what setting? The one in the current
> config files or the one in the conf files during the last start/restart?
> c) Restore the setting to what it was when Shorewall was started 4
> months ago (assuming that nothing but 'restarts' have been done since
> then)?
>
> You get the idea.

Duh -- I am an idiot. I should have waited until this morning to reply to this problem as I woke up with the realization that I already have a mechanism for backing out routing changes during stop/restart. I'll fix the bug later today.

Thanks,
-Tom
Tom Eastep wrote:
>
> Duh -- I am an idiot. I should have waited until this morning to reply
> to this problem as I woke up with the realization that I already have a
> mechanism for backing out routing changes during stop/restart. I'll fix
> the bug later today.
>

The patch turned out to be more extensive than I had hoped. Please find it attached.

Thanks again, Steven.

-Tom
Tom

More absurdity...

If tcclasses contains a divide by 0 in the RATE or CEIL columns, e.g.

eth0:10 - full/0 full*2

then the following message is produced:

Use of uninitialized value in concatenation (.) or string at /usr/share/shorewall-perl/Shorewall/Tc.pm line 409, <$currentfile> line 13.

##############################################

...and complete stupidity...

Again in tcclasses RATE or CEIL columns:

eth0:10 - 3*full full*fill

produces messages:

Operator or semicolon missing before *fill at (eval 19) line 1, <$currentfile> line 13.
Ambiguous use of * resolved as operator * at (eval 19) line 1, <$currentfile> line 13.
Use of uninitialized value in concatenation (.) or string at /usr/share/shorewall-perl/Shorewall/Tc.pm line 409, <$currentfile> line 13.

##############################################

Steven.
Steven Jan Springl wrote:
> Tom
>
> More absurdity...
>
> If tcclasses contains a divide by 0 in the RATE or CEIL columns, e.g.
>
> eth0:10 - full/0 full*2
>
> then the following message is produced:
>
> Use of uninitialized value in concatenation (.) or string
> at /usr/share/shorewall-perl/Shorewall/Tc.pm line 409, <$currentfile> line
> 13.

Patch attached.

>
> ##############################################
>
> ...and complete stupidity...
>
> Again in tcclasses RATE or CEIL columns:
>
> eth0:10 - 3*full full*fill
>
> produces messages:
>
> Operator or semicolon missing before *fill at (eval 19) line 1, <$currentfile>
> line 13.
>
> Ambiguous use of * resolved as operator * at (eval 19) line 1, <$currentfile>
> line 13.
>
> Use of uninitialized value in concatenation (.) or string
> at /usr/share/shorewall-perl/Shorewall/Tc.pm line 409, <$currentfile> line
> 13.

The attached patch eliminates the uninitialized value error. The compiler uses Perl itself to parse and evaluate arithmetic expressions in the tcclasses file; if there are syntax errors in those expressions, Perl is going to complain about them. So far, my Perl foo isn't strong enough to suppress the messages but I'll try some more.

-Tom
Steven Jan Springl wrote:
>
> ...and complete stupidity...
>
> Again in tcclasses RATE or CEIL columns:
>
> eth0:10 - 3*full full*fill
>
> produces messages:
>
> Operator or semicolon missing before *fill at (eval 19) line 1, <$currentfile>
> line 13.
>
> Ambiguous use of * resolved as operator * at (eval 19) line 1, <$currentfile>
> line 13.
>
> Use of uninitialized value in concatenation (.) or string
> at /usr/share/shorewall-perl/Shorewall/Tc.pm line 409, <$currentfile> line
> 13.

Steven,

The patch in commit 8447 seems to quiet down the reaction to silly arithmetic expressions in /etc/shorewall/classes.

-Tom
On Sunday 20 April 2008 02:49, Tom Eastep wrote:
> The patch in commit 8447 seems to quiet down the reaction to silly
> arithmetic expressions in /etc/shorewall/classes.
>
> -Tom

Tom

The rate full--2 is not caught by the patch. It produces the following message:

Number found where operator expected at (eval 18) line 1, near "--2" (Missing operator before 2?)

I have been testing the attached patch which suppresses all messages from the eval statement.

##################################################

Shorewall checks for a negative value in the RATE column, but not in the CEIL column. Is this expected? e.g. full*-1

Steven.
Steven Jan Springl wrote:
>
> I have been testing the attached patch which suppresses all messages from the
> eval statement.

Thanks, Steven.

>
> ##################################################
>
> Shorewall checks for a negative value in the RATE column, but not in the CEIL
> column. Is this expected? e.g. full*-1

I'd already added a check for rate < ceil (it wasn't checked in yet) which should catch that.

Please try #8463.

Thanks,
-Tom
On Sunday 20 April 2008 15:36, Tom Eastep wrote:
>
> I'd already added a check for rate < ceil (it wasn't checked in yet) which
> should catch that.
>
> Please try #8463.
>
> Thanks,
> -Tom

Tom

I now get the following message:

Argument "384kbit" isn't numeric in numeric gt (>) at /usr/share/shorewall-perl/Shorewall/Tc.pm line 504, <$currentfile> line 14.

Steven.
Steven Jan Springl wrote:
> Tom
>
> I now get the following message:
>
> Argument "384kbit" isn't numeric in numeric gt (>)
> at /usr/share/shorewall-perl/Shorewall/Tc.pm line 504, <$currentfile> line
> 14.

With what input?

-Tom
On Sunday 20 April 2008 16:12, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > Tom
> >
> > I now get the following message:
> >
> > Argument "384kbit" isn't numeric in numeric gt (>)
> > at /usr/share/shorewall-perl/Shorewall/Tc.pm line 504, <$currentfile>
> > line 14.
>
> With what input?
>
> -Tom

eth0:10 - full-2 full-2

Steven.
Steven Jan Springl wrote:
>
> eth0:10 - full-2 full-2

#8464 should fix it (passes my regression tests)

Sorry for the ersatz patch...

-Tom
On Sunday 20 April 2008 16:20, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > eth0:10 - full-2 full-2
>
> #8464 should fix it (passes my regression tests)
>
> Sorry for the ersatz patch...
>
> -Tom

Tom

The patch passes my tests too. However I found a couple of other issues.

A RATE of 0 e.g.

eth0:10 - 0 1000 0

produces the following messages:

"rate" is required.
ERROR: Command "tc class add dev eth0 parent 1:1 classid 1:11 htb rate 0kbit ceil 8kbit prio 0 mtu 1592 quantum 1492" Failed

#############################################

A unit of bps (from the tcclasses manual page) e.g.

eth0:10 - 1000bps 1000 0

produces the following message:

ERROR: Invalid Rate (1000bps) : /etc/shorewall/tcclasses (line 14)

Steven.
Steven Jan Springl wrote:
>
> "rate" is required.
> ERROR: Command "tc class add dev eth0 parent 1:1 classid 1:11 htb rate
> 0kbit ceil 8kbit prio 0 mtu 1592 quantum 1492" Failed
>
> ERROR: Invalid Rate (1000bps) : /etc/shorewall/tcclasses (line 14)
>

#8465 fixes these.

Thanks, Steven

-Tom
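The RATE/CEIL cases traded back and forth above (full/0, full*fill, full--2, full*-1, a rate of 0, 1000bps), worked through in a small evaluator that parses the expression itself instead of handing it to an interpreter. This is an added example, not Shorewall-perl's own code; the unit conventions and the rate/ceil checks are my assumptions, stated in the docstring.

```python
"""Safe evaluator for Shorewall tcclasses RATE/CEIL cells (added example, not
Shorewall-perl's own code). The compiler ran these cells through Perl's string
eval(), so 'full*fill' or 'full--2' came back as Perl parser diagnostics; this
small parser rejects the same inputs cleanly without handing configuration text
to an interpreter. Assumptions (mine): 'full' and the numbers in a 'full'
expression are kbit/s; a cell without 'full' takes tc-style suffixes (kbit/mbit
bits per second, bps/kbps/mbps bytes per second), a bare number being bytes per
second, which matches the thread's '1000' becoming 'ceil 8kbit'.
"""
import re
from fractions import Fraction

TOKEN_RE = re.compile(r"(\d+(?:\.\d+)?)|(full)|([-+*/])", re.I)
RATE_RE = re.compile(r"(\d+)(kbit|mbit|kbps|mbps|bps|)")
UNITS = {"": Fraction(8, 1000), "bps": Fraction(8, 1000), "kbps": Fraction(8),
         "mbps": Fraction(8000), "kbit": Fraction(1), "mbit": Fraction(1000)}

class RateError(ValueError):
    pass

def tokenize(expr):
    tokens, pos = [], 0
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:                           # e.g. the 'fill' in 'full*fill'
            raise RateError("syntax error near '%s'" % expr[pos:])
        num, full, op = m.groups()
        if num is not None:
            tokens.append(("num", Fraction(num)))
        elif full:
            tokens.append(("full", None))
        else:
            tokens.append(("op", op))
        pos = m.end()
    return tokens

class Parser:
    # expr := term (('+'|'-') term)*; term := factor (('*'|'/') factor)*;
    # factor := number | 'full'. No unary minus on purpose, so 'full*-1' and
    # 'full--2' are syntax errors rather than negative bandwidths.
    def __init__(self, tokens, full_kbit):
        self.tokens, self.full, self.i = tokens, Fraction(full_kbit), 0

    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else ("end", None)

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def expr(self):
        value = self.term()
        while self.peek() in (("op", "+"), ("op", "-")):
            op, rhs = self.take()[1], self.term()
            value = value + rhs if op == "+" else value - rhs
        return value

    def term(self):
        value = self.factor()
        while self.peek() in (("op", "*"), ("op", "/")):
            op, rhs = self.take()[1], self.factor()
            if op == "/" and rhs == 0:          # the 'full/0' case
                raise RateError("division by zero")
            value = value * rhs if op == "*" else value / rhs
        return value

    def factor(self):
        kind, val = self.take()
        if kind in ("num", "full"):
            return self.full if kind == "full" else val
        raise RateError("syntax error near '%s'" % (val or "end"))

def evaluate(cell, full_kbit):
    """Return the cell's value in kbit/s as a Fraction."""
    text = "".join(cell.split())            # whitespace carries no meaning
    if "full" in text.lower():
        parser = Parser(tokenize(text), full_kbit)
        value = parser.expr()
        if parser.peek() != ("end", None):
            raise RateError("unexpected '%s'" % parser.peek()[1])
        return value
    m = RATE_RE.fullmatch(text.lower())     # plain rate such as '1000bps'
    if not m:
        raise RateError("Invalid Rate (%s)" % cell)
    return Fraction(m.group(1)) * UNITS[m.group(2)]

def check_class(rate, ceil, full_kbit):
    """Validate a tcclasses RATE/CEIL pair; return (rate_kbit, ceil_kbit)."""
    r, c = evaluate(rate, full_kbit), evaluate(ceil, full_kbit)
    if r <= 0 or c <= 0:    # tc refuses 'rate 0kbit' with '"rate" is required'
        raise RateError("RATE and CEIL must be positive (%s, %s)" % (rate, ceil))
    if r > c:               # the rate/ceil sanity check discussed in the thread
        raise RateError("RATE (%s) exceeds CEIL (%s)" % (rate, ceil))
    return float(r), float(c)

def classify(rate, ceil, full_kbit=384):
    try:
        check_class(rate, ceil, full_kbit)
        return "ok"
    except RateError as e:
        return "error: %s" % e
```

classify() returns "ok" or "error: ..." for one RATE/CEIL pair, which makes it easy to tabulate the cases from this thread against a 384 kbit/s device.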
On Sunday 20 April 2008 18:00, Tom Eastep wrote:

Tom

All seems to be okay now with the RATE CEIL columns.

#################################

I have found that incorrectly coded mac addresses in Shorewall config files result in iptables-restore errors. Would you like me to investigate this further and report my findings?

Steven.
Steven Jan Springl wrote:
> All seems to be okay now with the RATE CEIL columns.

Good -- thanks.

> #################################
>
> I have found that incorrectly coded mac addresses in Shorewall config files
> result in iptables-restore errors. Would you like me to investigate this
> further and report my findings?

Can you give me an example?

Thanks,
-Tom
Tom

All the entries in the attached maclist file produce messages like:

iptables-restore v1.5.3: Bad mac address `11:01:02:03:04:01:00'

Steven.
Steven Jan Springl wrote:
> Tom
>
> All the entries in the attached maclist file produce messages like:
>
> iptables-restore v1.5.3: Bad mac address `11:01:02:03:04:01:00'

Here's a fix.

Thanks again, Steven

-Tom
Tom

Any upper case characters (G thru Z) in a maclist entry pass the validation and fail during iptables-restore. e.g.

ACCEPT br0 XX:XX:XX:XX:XX:XX 1.1.1.1

Steven.
Steven Jan Springl wrote:
> Tom
>
> Any upper case characters (G thru Z) in a maclist entry pass the validation
> and fail during iptables-restore. e.g.
>
> ACCEPT br0 XX:XX:XX:XX:XX:XX 1.1.1.1

Silly typo in the regular expression. Fixed in #8468.

Thanks, Steven

-Tom
Tom

The following maclist entry does not produce an error:

ACCEPT br0 0 1.1.1.1

#################################

Incorrectly formatted mac addresses in other config files also result in iptables-restore errors.

In the accounting file:

sjsx - eth1:~11-11-11-11-11-1 eth2

In the blacklist file:

~11-11-11-11-11-1 -

In the rules file:

ACCEPT dmz:eth2:!~11-11-11-11-11-1 all -

In the tcrules file:

SAVE br1:!~11-11-11-11-11-1 br0 2

In the tos file:

~11-11-11-11-11-1 eth2 all - - 16

Steven.
Steven Jan Springl wrote:
> Tom
>
> The following maclist entry does not produce an error:
>
> ACCEPT br0 0 1.1.1.1
>
> #################################
>
> Incorrectly formatted mac addresses in other config files also result in
> iptables-restore errors.

The attached patch uses the correct 'mac_match()' function for all MAC address processing.

-Tom
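The MAC-address shape checks that the last few messages are about (the seven-octet maclist entry, letters outside a-f, a lone 0, and the one-digit octet in the ~xx-xx-xx-xx-xx-xx form used by the other files), written out as a validator that normalises a good address into the iptables mac match. This is an added example, not Shorewall's mac_match(); the column layouts are the ones quoted in the thread and the helper names are mine.

```python
"""Validation of MAC address cells in Shorewall configuration files (added
example, not Shorewall's mac_match()). The thread shows cells that passed
the compiler and then aborted iptables-restore: a seventh octet, letters
outside a-f, a lone '0', and a one-digit octet in the ~xx-xx-xx-xx-xx-xx
form. Checking the shape before emitting rules keeps one typo from taking
the whole ruleset load down with it. Column layouts are as quoted in the
thread; the helper names are mine.
"""
import re

HEX_OCTET = re.compile(r"[0-9a-f]{2}")      # exactly two hex digits


class MacError(ValueError):
    pass


def _octets(text, sep):
    """Split on sep and insist on six two-digit hex octets (lower-cased)."""
    octets = text.lower().split(sep)
    if len(octets) != 6 or not all(HEX_OCTET.fullmatch(o) for o in octets):
        raise MacError("Invalid MAC address (%s)" % text)
    return octets


def maclist_mac(cell):
    """MAC column of the maclist file: plain xx:xx:xx:xx:xx:xx."""
    return ":".join(_octets(cell.strip(), ":"))


def mac_match(spec):
    """[!]~xx-xx-xx-xx-xx-xx as written in rules, tcrules, tos, blacklist
    and accounting; returns the iptables 'mac' match fragment."""
    text = spec.strip()
    negate = text.startswith("!")
    if negate:
        text = text[1:]
    if not text.startswith("~"):
        raise MacError("MAC address must be written as ~xx-xx-xx-xx-xx-xx (%s)" % spec)
    mac = ":".join(_octets(text[1:], "-"))
    return "-m mac %s--mac-source %s" % ("! " if negate else "", mac)


def validate(fn, value):
    """Return None if fn accepts value, otherwise the error text."""
    try:
        fn(value)
    except MacError as e:
        return str(e)
    return None
```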
Tom

For the following masq file entry:

br1 br0 1

Shorewall correctly generates message:

Error: Invalid IP Address (1) : .....

However, for the following masq file entry:

br1 br0 0

Shorewall generates the following iptables rule:

-A br1_masq -m policy --pol none --dir out -s 10.1.0.0/16 -j MASQUERADE --to-ports 0

which produces the following error:

iptables-restore v1.5.3: Need TCP or UDP with port specification

############################################

Following on from that, for masq file entry:

br1 br0 1.1.1.1:20

Shorewall generates the following iptables rule:

-A br1_masq -m policy --pol none --dir out -s 10.1.0.0/16 -j SNAT --to-source 1.1.1.1:20

which also produces the following error message:

iptables-restore v1.5.3: Need TCP or UDP with port specification

############################################

Finally, for masq file entry:

br1 br0 :20

Shorewall generates the following iptables rule:

-A br1_masq -m policy --pol none --dir out -s 10.1.0.0/16 -j MASQUERADE --to-ports 20

which again produces the following error message:

iptables-restore v1.5.3: Need TCP or UDP with port specification

Steven.