Beta 4 is now available for testing.

Problems Corrected:

None.

New Features:

1) Shorewall now supports the SECMARK and CONNSECMARK targets for
   manipulating the SELinux context of packets.

   See the shorewall-secmarks and shorewall6-secmarks manpages for
   details.

   As part of this change, the tcrules file now accepts chain
   designators 'I' and 'CI' for marking packets in the input chain.

2) The 'blacklist' interface option may now have one of 2 values:

   1 - Inbound blacklisting
   2 - Outbound blacklisting

   Inbound blacklisting is targeted for use on Internet-facing
   interfaces. Incoming packets are passed against the blacklist
   entries with the 'from' option (either explicitly or defaulted).
   Traffic originating on the firewall is passed against the blacklist
   entries with the 'to' option.

   Outbound blacklisting is targeted for use on internal interfaces.
   Packets arriving on these interfaces are passed against the
   blacklist entries with the 'to' option.

-Tom
-- 
Tom Eastep           \ When I die, I want to go like my Grandfather who
Shoreline,            \ died peacefully in his sleep. Not screaming like
Washington, USA        \ all of the passengers in his car
http://shorewall.net    \________________________________________________

------------------------------------------------------------------------------
Start uncovering the many advantages of virtual appliances
and start using them to simplify application deployment and
accelerate your shift to cloud computing
http://p.sf.net/sfu/novell-sfdev2dev
Tom

When secmarks contains:

SAVE F:N eth0:!192.168.51.51,192.168.51.52

the following messages are produced:

Use of uninitialized value $restriction in bitwise and (&) at /usr/share/shorewall/Shorewall/Chains.pm line 3256, <$currentfile> line 12.
Use of uninitialized value $restriction in bitwise and (&) at /usr/share/shorewall/Shorewall/Chains.pm line 3272, <$currentfile> line 12.
Use of uninitialized value $restriction in bitwise and (&) at /usr/share/shorewall/Shorewall/Chains.pm line 3441, <$currentfile> line 12.
Use of uninitialized value $restriction in numeric eq (==) at /usr/share/shorewall/Shorewall/Chains.pm line 3483, <$currentfile> line 12.
Use of uninitialized value $restriction in numeric eq (==) at /usr/share/shorewall/Shorewall/Chains.pm line 3484, <$currentfile> line 12.

Steven.
On 9/10/10 4:31 PM, Steven Jan Springl wrote:
> When secmarks contains:
>
> SAVE F:N eth0:!192.168.51.51,192.168.51.52
>
> the following messages are produced:
>
> Use of uninitialized value $restriction in bitwise and (&)
> at /usr/share/shorewall/Shorewall/Chains.pm line 3256, <$currentfile> line
> 12.

Please try 99f8f84024459ed73b5f32d2d932eee1d9dec661.

Thanks,
-Tom
On Saturday 11 September 2010 00:47:08 Tom Eastep wrote:
> On 9/10/10 4:31 PM, Steven Jan Springl wrote:
> > When secmarks contains:
> >
> > SAVE F:N eth0:!192.168.51.51,192.168.51.52
> >
> > the following messages are produced:
> >
> > Use of uninitialized value $restriction in bitwise and (&)
> > at /usr/share/shorewall/Shorewall/Chains.pm line 3256, <$currentfile>
> > line 12.
>
> Please try 99f8f84024459ed73b5f32d2d932eee1d9dec661.
>
> Thanks,
> -Tom

Tom

That's fixed it. Thanks.

Steven.
Possible bug, though I do not know whether it is Shorewall- or ipset-related.

The following statement in my rules file used to work with the previous version of Shorewall (again, I don't remember whether the ipset version has also changed since the last build):

ACCEPT $FW:+vpn-local-port net:+vpn-ec2-hosts[dst,dst] udp

vpn-local-port is a standard portmap-type set. vpn-ec2-hosts, however, is ipporthash (IP:Port combination).

The above statement translates to the following line in my fw2net chain:

0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 match-set vpn-local-port src match-set vpn-ec2-hosts dst

I am not sure whether I've had the "dst" bit twice (i.e. "dst,dst") with the second match-set with the previous version of Shorewall/ipset, but the above definitely does NOT work and I am now getting DROP alarms, which isn't right!

My ipset version is 4.2.
On 9/11/10 6:32 AM, Mr Dash Four wrote:
> Possible bug, though I do not know whether it is Shorewall- or
> ipset-related.
>
> The following statement in my rules file used to work with the previous
> version of Shorewall (again, I don't remember whether the ipset version
> has also changed since the last build):
>
> ACCEPT $FW:+vpn-local-port net:+vpn-ec2-hosts[dst,dst] udp

The alternative syntax "+vpn-ec2-hosts[2]" generates the correct
iptables-restore input. I'll fix handling of the above for RC1.

-Tom
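The two spellings compared in this exchange, "+vpn-ec2-hosts[dst,dst]" and "+vpn-ec2-hosts[2]", must both reach iptables as the flag list "dst,dst"; the chain listing in the report shows that the first spelling lost its second flag, so an ipporthash (IP:Port) set was no longer matched the way its entries were written. The following is an added example, not Shorewall's own code: a small parser for the "+setname[...]" reference syntax that emits the "-m set --match-set" arguments with every flag kept, beside a function that reproduces the reported truncation so the two can be compared. It assumes the installed set match accepts "--match-set" (older ipset 4.x userspace spelled the option "--set") and caps a numeric repeat count at 6, which is an assumed sanity bound rather than a Shorewall or ipset constant.

```python
"""Parse Shorewall '+setname[flags]' ipset references into iptables
'-m set --match-set' arguments.

Added example for this thread; it is not Shorewall's own code.
Assumptions: the set match accepts '--match-set' (ipset 4.x userspace
spelled it '--set'), and a repeat count is capped at _MAX_FLAGS.
"""
import re

_REF = re.compile(r'^\+([A-Za-z0-9_.-]+)(?:\[([^\]]*)\])?$')
_FLAGS = ('src', 'dst')
_MAX_FLAGS = 6  # assumed sanity bound, not a Shorewall/ipset constant


def parse_set_reference(ref, column):
    """Return (setname, flags) for a reference in the SOURCE or DEST column.

    '+name'          -> one flag, defaulted from the column (src or dst)
    '+name[2]'       -> the column default repeated, e.g. ['dst', 'dst']
    '+name[dst,dst]' -> the flags given, in order
    """
    if column not in ('source', 'dest'):
        raise ValueError('column must be source or dest: %r' % column)
    m = _REF.match(ref)
    if not m:
        raise ValueError('not an ipset reference: %r' % ref)
    name, spec = m.group(1), m.group(2)
    default = 'src' if column == 'source' else 'dst'
    if not spec:
        flags = [default]
    elif spec.isdigit():
        count = int(spec)
        if not 1 <= count <= _MAX_FLAGS:
            raise ValueError('bad repeat count in %r' % ref)
        flags = [default] * count
    else:
        flags = [f.strip() for f in spec.split(',')]
        if not all(f in _FLAGS for f in flags):
            raise ValueError('bad flag list in %r' % ref)
    return name, flags


def match_set_args(ref, column):
    """iptables argument list for one reference; every flag is kept."""
    name, flags = parse_set_reference(ref, column)
    return ['-m', 'set', '--match-set', name, ','.join(flags)]


def truncated_match_set_args(ref, column):
    """Reproduces the defect reported above: only the first flag survives,
    so the match no longer corresponds to an ipporthash set's IP:Port entries."""
    name, flags = parse_set_reference(ref, column)
    return ['-m', 'set', '--match-set', name, flags[0]]


def is_rejected(ref, column):
    """True when the parser refuses the reference."""
    try:
        parse_set_reference(ref, column)
    except ValueError:
        return True
    return False


def rule_args(source, dest):
    """Arguments for a rule whose SOURCE and DEST may each carry one set
    reference; anything else is passed through as a plain -s/-d address."""
    args = []
    for column, value, opt in (('source', source, '-s'), ('dest', dest, '-d')):
        if value.startswith('+'):
            args += match_set_args(value, column)
        else:
            args += [opt, value]
    return args


if __name__ == '__main__':
    # The rule from the report, with the reference spelled both ways.
    print(rule_args('+vpn-local-port', '+vpn-ec2-hosts[dst,dst]'))
    print(rule_args('+vpn-local-port', '+vpn-ec2-hosts[2]'))
    print('truncated:', truncated_match_set_args('+vpn-ec2-hosts[dst,dst]', 'dest'))
```

Compare the last argument of match_set_args against truncated_match_set_args on the same reference: the only difference between a working and a silently broken rule is the dropped second flag, which is exactly what the chain listing in the report exposes.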
Tom

tcrules entry:

SAME:P 192.168.120.0/24 0.0.0.0

produces the following messages:

iptables v1.4.9.1: Cannot use -A with -A

ERROR: Command "/usr/local/sbin/iptables -A setsticky -A -s 192.168.120.0/24 -d 0.0.0.0 -m mark --mark 0x1/0xff -m recent --name sticky001 --set" Failed

Steven.
> The alternative syntax "+vpn-ec2-hosts[2]" generates the correct
> iptables-restore input. I'll fix handling of the above for RC1.
>

It did the trick indeed. Thanks!
On 9/11/10 7:40 AM, Steven Jan Springl wrote:
> tcrules entry:
>
> SAME:P 192.168.120.0/24 0.0.0.0
>
> produces the following messages:
>
> iptables v1.4.9.1: Cannot use -A with -A
>
> ERROR: Command "/usr/local/sbin/iptables -A setsticky -A -s
> 192.168.120.0/24 -d 0.0.0.0 -m mark --mark 0x1/0xff -m recent --name
> sticky001 --set" Failed

Steven,

Commit dbc9f6ac8fa164a157239401af87fbf51f29ecd2 corrects this problem.
The fix was only 5 lines but it took me quite a while to locate the
proper 5 lines :-)

Thanks!
-Tom
On 9/11/10 9:06 AM, Tom Eastep wrote:
> On 9/11/10 7:40 AM, Steven Jan Springl wrote:
>
>> tcrules entry:
>>
>> SAME:P 192.168.120.0/24 0.0.0.0
>>
>> produces the following messages:
>>
>> iptables v1.4.9.1: Cannot use -A with -A
>>
>> ERROR: Command "/usr/local/sbin/iptables -A setsticky -A -s
>> 192.168.120.0/24 -d 0.0.0.0 -m mark --mark 0x1/0xff -m recent --name
>> sticky001 --set" Failed
>
> Steven,
>
> Commit dbc9f6ac8fa164a157239401af87fbf51f29ecd2 corrects this problem.
> The fix was only 5 lines but it took me quite a while to locate the
> proper 5 lines :-)

There were actually two defects. The first is the one you found. After I
corrected that one, then OPTIMIZE=15 generated invalid iptables input.

I just corrected the case where SAME is used with SOURCE $FW; that's
commit 367fc041b8b34deb60bc6bdd821a9de5333f2c06.

-Tom
On Saturday 11 September 2010 17:06:34 Tom Eastep wrote:
> On 9/11/10 7:40 AM, Steven Jan Springl wrote:
> > tcrules entry:
> >
> > SAME:P 192.168.120.0/24 0.0.0.0
> >
> > produces the following messages:
> >
> > iptables v1.4.9.1: Cannot use -A with -A
> >
> > ERROR: Command "/usr/local/sbin/iptables -A setsticky -A -s
> > 192.168.120.0/24 -d 0.0.0.0 -m mark --mark 0x1/0xff -m recent --name
> > sticky001 --set" Failed
>
> Steven,
>
> Commit dbc9f6ac8fa164a157239401af87fbf51f29ecd2 corrects this problem.
> The fix was only 5 lines but it took me quite a while to locate the
> proper 5 lines :-)
>
> Thanks!
> -Tom

Tom

After applying the fix, the following messages are produced (this is with OPTIMIZE=15):

iptables v1.4.9.1: Couldn't load target `sticky':/usr/local/libexec/xtables/libipt_sticky.so: cannot open shared object file: No such file or directory

ERROR: Command "/usr/local/sbin/iptables -A tcpre -s 192.168.120.0/24 -d 0.0.0.0 -j sticky" Failed

--------------------------------------------------------------------

With OPTIMIZE=0 the following messages are produced:

iptables: Chain already exists.
ERROR: Command "/usr/local/sbin/iptables :sticky - [0:0]" Failed

Steven.
On 9/11/10 9:40 AM, Steven Jan Springl wrote:
> After applying the fix, the following messages are produced (this is with
> OPTIMIZE=15):
>
> iptables v1.4.9.1: Couldn't load target
> `sticky':/usr/local/libexec/xtables/libipt_sticky.so: cannot open shared
> object file: No such file or directory
>
> ERROR: Command "/usr/local/sbin/iptables -A tcpre -s 192.168.120.0/24 -d
> 0.0.0.0 -j sticky" Failed
>
> --------------------------------------------------------------------
>
> With OPTIMIZE=0 the following messages are produced:
>
> iptables: Chain already exists.
> ERROR: Command "/usr/local/sbin/iptables :sticky - [0:0]" Failed

Before sending me the config, please try the attached patch.

Thanks,
-Tom
On Saturday 11 September 2010 17:38:04 Tom Eastep wrote:
> On 9/11/10 9:06 AM, Tom Eastep wrote:
> > On 9/11/10 7:40 AM, Steven Jan Springl wrote:
> >> tcrules entry:
> >>
> >> SAME:P 192.168.120.0/24 0.0.0.0
> >>
> >> produces the following messages:
> >>
> >> iptables v1.4.9.1: Cannot use -A with -A
> >>
> >> ERROR: Command "/usr/local/sbin/iptables -A setsticky -A -s
> >> 192.168.120.0/24 -d 0.0.0.0 -m mark --mark 0x1/0xff -m recent --name
> >> sticky001 --set" Failed
> >
> > Steven,
> >
> > Commit dbc9f6ac8fa164a157239401af87fbf51f29ecd2 corrects this problem.
> > The fix was only 5 lines but it took me quite a while to locate the
> > proper 5 lines :-)
>
> There were actually two defects. The first is the one you found. After I
> corrected that one, then OPTIMIZE=15 generated invalid iptables input.
>
> I just corrected the case where SAME is used with SOURCE $FW; that's
> commit 367fc041b8b34deb60bc6bdd821a9de5333f2c06.
>
> -Tom

Tom

I can't find this commit.

Steven.
On 9/11/10 10:43 AM, Steven Jan Springl wrote:
> On Saturday 11 September 2010 17:38:04 Tom Eastep wrote:
>> I just corrected the case where SAME is used with SOURCE $FW; that's
>> commit 367fc041b8b34deb60bc6bdd821a9de5333f2c06.
>
> I can't find this commit.

Sorry -- it's there now.

-Tom
On Saturday 11 September 2010 18:50:13 Tom Eastep wrote:
> On 9/11/10 10:43 AM, Steven Jan Springl wrote:
> > On Saturday 11 September 2010 17:38:04 Tom Eastep wrote:
> >> I just corrected the case where SAME is used with SOURCE $FW; that's
> >> commit 367fc041b8b34deb60bc6bdd821a9de5333f2c06.
> >
> > I can't find this commit.
>
> Sorry -- it's there now.
>
> -Tom

Tom

I have applied commits 367fc041b8b34deb60bc6bdd821a9de5333f2c06 and d9ced1051a3e4ca4cee1a8295f445ba7fbbead59

They have cured both the OPTIMIZE=15 & OPTIMIZE=0 problems.

Steven.
On 9/11/10 11:05 AM, Steven Jan Springl wrote:
> On Saturday 11 September 2010 18:50:13 Tom Eastep wrote:
>> On 9/11/10 10:43 AM, Steven Jan Springl wrote:
>>> On Saturday 11 September 2010 17:38:04 Tom Eastep wrote:
>>>> I just corrected the case where SAME is used with SOURCE $FW; that's
>>>> commit 367fc041b8b34deb60bc6bdd821a9de5333f2c06.
>>>
>>> I can't find this commit.
>>
>> Sorry -- it's there now.
>>
>> -Tom
>
> Tom
>
> I have applied commits 367fc041b8b34deb60bc6bdd821a9de5333f2c06 and
> d9ced1051a3e4ca4cee1a8295f445ba7fbbead59
>
> They have cured both the OPTIMIZE=15 & OPTIMIZE=0 problems.

Excellent! When you have time, please add
e93a7fe9df34ce9e3b3e03e7535ce278a654e4d6 and see if it still works.

As always, thanks for your help,
-Tom
On Saturday 11 September 2010 19:13:19 Tom Eastep wrote:
> On 9/11/10 11:05 AM, Steven Jan Springl wrote:
> > On Saturday 11 September 2010 18:50:13 Tom Eastep wrote:
> >> On 9/11/10 10:43 AM, Steven Jan Springl wrote:
> >>> On Saturday 11 September 2010 17:38:04 Tom Eastep wrote:
> >>>> I just corrected the case where SAME is used with SOURCE $FW; that's
> >>>> commit 367fc041b8b34deb60bc6bdd821a9de5333f2c06.
> >>>
> >>> I can't find this commit.
> >>
> >> Sorry -- it's there now.
> >>
> >> -Tom
> >
> > Tom
> >
> > I have applied commits 367fc041b8b34deb60bc6bdd821a9de5333f2c06 and
> > d9ced1051a3e4ca4cee1a8295f445ba7fbbead59
> >
> > They have cured both the OPTIMIZE=15 & OPTIMIZE=0 problems.
>
> Excellent! When you have time, please add
> e93a7fe9df34ce9e3b3e03e7535ce278a654e4d6 and see if it still works.
>
> As always, thanks for your help,
> -Tom

Tom

e93a7fe9df34ce9e3b3e03e7535ce278a654e4d6 works with both OPTIMIZE=15 and OPTIMIZE=0.

Steven.
On 9/11/10 11:39 AM, Steven Jan Springl wrote:
>
> e93a7fe9df34ce9e3b3e03e7535ce278a654e4d6 works with both OPTIMIZE=15 and
> OPTIMIZE=0.
>

Thanks, Steven!

-Tom
On Friday 10 September 2010 18:45:24 Tom Eastep wrote:
> Beta 4 is now available for testing.
>
> Problems Corrected:
>
> None.
>
> New Features:
>
> 1) Shorewall now supports the SECMARK and CONNSECMARK targets for
>    manipulating the SELinux context of packets.
>
>    See the shorewall-secmarks and shorewall6-secmarks manpages for
>    details.
>
>    As part of this change, the tcrules file now accepts chain
>    designators 'I' and 'CI' for marking packets in the input chain.
>

Tom

I am having problems using the new designators 'I' and 'CI'.

If I code tcrules entry:

25:CI 192.168.2.0/24 fw

I get the following message:

ERROR: Invalid MARK (25:CI) : /etc/shorewall2/tcrules (line 21)

Am I doing something wrong or is this a bug?

Steven.
On 9/11/10 12:18 PM, Steven Jan Springl wrote:
> On Friday 10 September 2010 18:45:24 Tom Eastep wrote:
>> Beta 4 is now available for testing.
>>
>> Problems Corrected:
>>
>> None.
>>
>> New Features:
>>
>> 1) Shorewall now supports the SECMARK and CONNSECMARK targets for
>>    manipulating the SELinux context of packets.
>>
>>    See the shorewall-secmarks and shorewall6-secmarks manpages for
>>    details.
>>
>>    As part of this change, the tcrules file now accepts chain
>>    designators 'I' and 'CI' for marking packets in the input chain.
>>
>
> Tom
>
> I am having problems using the new designators 'I' and 'CI'.
>
> If I code tcrules entry:
>
> 25:CI 192.168.2.0/24 fw
>
> I get the following message:
>
> ERROR: Invalid MARK (25:CI) : /etc/shorewall2/tcrules (line 21)
>
> Am I doing something wrong or is this a bug?

It's a documentation issue. I removed the 'I' chain designator; all you
need is $FW in the DEST column.

-Tom
On Saturday 11 September 2010 20:28:14 Tom Eastep wrote:
> On 9/11/10 12:18 PM, Steven Jan Springl wrote:
> > On Friday 10 September 2010 18:45:24 Tom Eastep wrote:
> >> Beta 4 is now available for testing.
> >>
> >> Problems Corrected:
> >>
> >> None.
> >>
> >> New Features:
> >>
> >> 1) Shorewall now supports the SECMARK and CONNSECMARK targets for
> >>    manipulating the SELinux context of packets.
> >>
> >>    See the shorewall-secmarks and shorewall6-secmarks manpages for
> >>    details.
> >>
> >>    As part of this change, the tcrules file now accepts chain
> >>    designators 'I' and 'CI' for marking packets in the input chain.
> >
> > Tom
> >
> > I am having problems using the new designators 'I' and 'CI'.
> >
> > If I code tcrules entry:
> >
> > 25:CI 192.168.2.0/24 fw
> >
> > I get the following message:
> >
> > ERROR: Invalid MARK (25:CI) : /etc/shorewall2/tcrules (line 21)
> >
> > Am I doing something wrong or is this a bug?
>
> It's a documentation issue. I removed the 'I' chain designator; all you
> need is $FW in the DEST column.
>
> -Tom

Tom

Thanks.

Steven.
Tom

tcrules entry:

SAME eth0 eth0

produces the following message from "shorewall start":

Bad argument 'echo'

and produces the following messages from "shorewall debug start":

/var/lib/shorewall/.start: line 838: 3: Bad file descriptor

ERROR: Command "/usr/local/sbin/iptables -A setsticky echo "-i eth0 -d -m mark --mark 0x1/0xff -m recent --name sticky002 --set" >&3" Failed

Steven.
> tcrules entry:
>
> SAME eth0 eth0
>
> produces the following message from "shorewall start":
>
> Bad argument 'echo'
>
>
> and produces the following messages from "shorewall debug start":
>
> /var/lib/shorewall/.start: line 838: 3: Bad file descriptor
>
> ERROR: Command "/usr/local/sbin/iptables -A setsticky echo "-i eth0 -d -m
> mark --mark 0x1/0xff -m recent --name sticky002 --set" >&3" Failed

Steven,

Please verify that the attached patch corrects the problem.

Thanks,
-Tom
On 9/11/10 1:12 PM, Tom Eastep wrote:
>
>> tcrules entry:
>>
>> SAME eth0 eth0
>>
>> produces the following message from "shorewall start":
>>
>> Bad argument 'echo'
>>
>>
>> and produces the following messages from "shorewall debug start":
>>
>> /var/lib/shorewall/.start: line 838: 3: Bad file descriptor
>>
>> ERROR: Command "/usr/local/sbin/iptables -A setsticky echo "-i eth0 -d -m
>> mark --mark 0x1/0xff -m recent --name sticky002 --set" >&3" Failed
>
> Steven,
>
> Please verify that the attached patch corrects the problem.

Please disregard that patch -- it is insufficient.

-Tom
On 9/11/10 1:15 PM, Tom Eastep wrote:
> On 9/11/10 1:12 PM, Tom Eastep wrote:
>>
>>> tcrules entry:
>>>
>>> SAME eth0 eth0
>>>
>>> produces the following message from "shorewall start":
>>>
>>> Bad argument 'echo'
>>>
>>>
>>> and produces the following messages from "shorewall debug start":
>>>
>>> /var/lib/shorewall/.start: line 838: 3: Bad file descriptor
>>>
>>> ERROR: Command "/usr/local/sbin/iptables -A setsticky echo "-i eth0 -d -m
>>> mark --mark 0x1/0xff -m recent --name sticky002 --set" >&3" Failed
>>
>> Steven,
>>
>> Please verify that the attached patch corrects the problem.
>
> Please disregard that patch -- it is insufficient.

This one "fixes" it. Specifying an OUTPUT interface in a SAME rule is
silly anyway.

-Tom

PS -- reverse echo.patch if you've applied it.
On Saturday 11 September 2010 21:39:06 Tom Eastep wrote:
> On 9/11/10 1:15 PM, Tom Eastep wrote:
> > On 9/11/10 1:12 PM, Tom Eastep wrote:
> >>> tcrules entry:
> >>>
> >>> SAME eth0 eth0
> >>>
> >>> produces the following message from "shorewall start":
> >>>
> >>> Bad argument 'echo'
> >>>
> >>>
> >>> and produces the following messages from "shorewall debug start":
> >>>
> >>> /var/lib/shorewall/.start: line 838: 3: Bad file descriptor
> >>>
> >>> ERROR: Command "/usr/local/sbin/iptables -A setsticky echo "-i eth0
> >>> -d -m mark --mark 0x1/0xff -m recent --name sticky002 --set" >&3"
> >>> Failed
> >>
> >> Steven,
> >>
> >> Please verify that the attached patch corrects the problem.
> >
> > Please disregard that patch -- it is insufficient.
>
> This one "fixes" it. Specifying an OUTPUT interface in a SAME rule is
> silly anyway.
>
> -Tom
>
> PS -- reverse echo.patch if you've applied it.

Tom

I now get the following error message:

ERROR: Internal error in Shorewall::Providers::handle_stickiness at /usr/share/shorewall/Shorewall/Providers.pm line 1011

Steven.
On 9/11/10 2:26 PM, Steven Jan Springl wrote:
> On Saturday 11 September 2010 21:39:06 Tom Eastep wrote:
>> On 9/11/10 1:15 PM, Tom Eastep wrote:
>>> On 9/11/10 1:12 PM, Tom Eastep wrote:
>>>>> tcrules entry:
>>>>>
>>>>> SAME eth0 eth0
>>>>>
>>>>> produces the following message from "shorewall start":
>>>>>
>>>>> Bad argument 'echo'
>>>>>
>>>>>
>>>>> and produces the following messages from "shorewall debug start":
>>>>>
>>>>> /var/lib/shorewall/.start: line 838: 3: Bad file descriptor
>>>>>
>>>>> ERROR: Command "/usr/local/sbin/iptables -A setsticky echo "-i eth0
>>>>> -d -m mark --mark 0x1/0xff -m recent --name sticky002 --set" >&3"
>>>>> Failed
>>>>
>>>> Steven,
>>>>
>>>> Please verify that the attached patch corrects the problem.
>>>
>>> Please disregard that patch -- it is insufficient.
>>
>> This one "fixes" it. Specifying an OUTPUT interface in a SAME rule is
>> silly anyway.
>>
>> -Tom
>>
>> PS -- reverse echo.patch if you've applied it.
>
> Tom
>
> I now get the following error message:
>
> ERROR: Internal error in Shorewall::Providers::handle_stickiness
> at /usr/share/shorewall/Shorewall/Providers.pm line 1011

Did you apply both hunks? The change to Chains.pm should generate a more
readable error before the point where the internal error is produced.

-Tom
On 9/11/10 2:41 PM, Tom Eastep wrote:
> On 9/11/10 2:26 PM, Steven Jan Springl wrote:
>> On Saturday 11 September 2010 21:39:06 Tom Eastep wrote:
>>> On 9/11/10 1:15 PM, Tom Eastep wrote:
>>>> On 9/11/10 1:12 PM, Tom Eastep wrote:
>>>>>> tcrules entry:
>>>>>>
>>>>>> SAME eth0 eth0
>>>>>>
>>>>>> produces the following message from "shorewall start":
>>>>>>
>>>>>> Bad argument 'echo'
>>>>>>
>>>>>>
>>>>>> and produces the following messages from "shorewall debug start":
>>>>>>
>>>>>> /var/lib/shorewall/.start: line 838: 3: Bad file descriptor
>>>>>>
>>>>>> ERROR: Command "/usr/local/sbin/iptables -A setsticky echo "-i eth0
>>>>>> -d -m mark --mark 0x1/0xff -m recent --name sticky002 --set" >&3"
>>>>>> Failed
>>>>>
>>>>> Steven,
>>>>>
>>>>> Please verify that the attached patch corrects the problem.
>>>>
>>>> Please disregard that patch -- it is insufficient.
>>>
>>> This one "fixes" it. Specifying an OUTPUT interface in a SAME rule is
>>> silly anyway.
>>>
>>> -Tom
>>>
>>> PS -- reverse echo.patch if you've applied it.
>>
>> Tom
>>
>> I now get the following error message:
>>
>> ERROR: Internal error in Shorewall::Providers::handle_stickiness
>> at /usr/share/shorewall/Shorewall/Providers.pm line 1011
>
> Did you apply both hunks? The change to Chains.pm should generate a more
> readable error before the point where the internal error is produced.

Sorry -- I misunderstood. This error is occurring on

"SAME:P x.x.x.x/yy..." rules

I've reproduced it.

-Tom
On 9/11/10 3:16 PM, Tom Eastep wrote:
>
> Sorry -- I misunderstood. This error is occurring on
>
> "SAME:P x.x.x.x/yy..." rules
>
> I've reproduced it.

I think I've corrected all of the issues surrounding SAME. That feature
was totally overlooked in the optimization changes that I made in 4.4.9.

Thanks for your patience,
-Tom
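The SAME failures reported in this thread share a shape: the rule generator emitted an iptables command (a doubled "-A", the "echo ... >&3" emit wrapper leaking into the argument list, a "-j sticky" with no such chain) or iptables-restore input (":sticky - [0:0]" declared twice) that iptables rejected only at load time, with a firewall left half-configured while the compiler looked fine. The following is an added example, not Shorewall code: a small lint that catches those shapes in a generated command, or in restore-style input, before anything is executed. The sample commands are constructed from the error messages quoted above; the tables of value-taking options, builtin targets and builtin chains are partial lists assumed for the example and would need extending before use on a full ruleset.

```python
"""Lint generated iptables commands and iptables-restore input before
executing them.

Added example for this thread, not Shorewall code. The option, target
and chain tables are partial lists (an assumption of this example),
sufficient for the commands quoted in the thread.
"""
import shlex

# options that must be followed by a value (partial)
_VALUED = {'-A', '-I', '-D', '-t', '-p', '-s', '-d', '-i', '-o', '-j', '-m'}
# targets that need no user-defined chain (partial)
_TARGETS = {'ACCEPT', 'DROP', 'REJECT', 'RETURN', 'LOG', 'MARK', 'CONNMARK',
            'SECMARK', 'CONNSECMARK', 'MASQUERADE', 'SNAT', 'DNAT', 'REDIRECT'}
_BUILTIN_CHAINS = {'PREROUTING', 'INPUT', 'FORWARD', 'OUTPUT', 'POSTROUTING'}


def lint_command(cmd, known_chains=()):
    """Return the problems found in one generated iptables command line."""
    problems = []
    # the emit wrapper itself ended up inside the command (the SAME eth0 eth0 case)
    if ' echo ' in cmd or '>&' in cmd:
        problems.append('shell emit wrapper leaked into the command')
    try:
        argv = shlex.split(cmd)
    except ValueError as exc:
        problems.append('unbalanced quoting: %s' % exc)
        return problems
    if argv.count('-A') > 1:
        problems.append('-A given more than once')
    for idx, tok in enumerate(argv):
        if tok not in _VALUED:
            continue
        nxt = argv[idx + 1] if idx + 1 < len(argv) else None
        if nxt is None or nxt.startswith('-'):
            problems.append('%s has no value' % tok)
        elif tok == '-j' and nxt not in _TARGETS and nxt not in known_chains:
            problems.append('-j %s is neither a builtin target nor a declared chain' % nxt)
    return problems


def lint_restore(text):
    """Return the problems found in iptables-restore input: chains declared
    twice in one table, plus the per-command problems above for each rule."""
    problems = []
    table = None
    declared = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#') or line == 'COMMIT':
            continue
        if line.startswith('*'):
            table = line[1:]
            declared.setdefault(table, set())
        elif line.startswith(':'):
            chain = line[1:].split()[0]
            if table is None:
                problems.append('line %d: chain %s declared outside a table' % (lineno, chain))
            elif chain in declared[table]:
                problems.append('line %d: chain %s declared twice in table %s' % (lineno, chain, table))
            else:
                declared[table].add(chain)
        else:
            known = _BUILTIN_CHAINS | declared.get(table, set())
            for p in lint_command('iptables ' + line, known):
                problems.append('line %d: %s' % (lineno, p))
    return problems


# Sample input, constructed from the error messages quoted in this thread.
KNOWN_CHAINS = {'tcpre', 'setsticky'}
DOUBLE_A = ('/usr/local/sbin/iptables -A setsticky -A -s 192.168.120.0/24 '
            '-d 0.0.0.0 -m mark --mark 0x1/0xff -m recent --name sticky001 --set')
LEAKED_ECHO = ('/usr/local/sbin/iptables -A setsticky echo "-i eth0 -d -m mark '
               '--mark 0x1/0xff -m recent --name sticky002 --set" >&3')
UNKNOWN_TARGET = '/usr/local/sbin/iptables -A tcpre -s 192.168.120.0/24 -d 0.0.0.0 -j sticky'
CLEAN = '/usr/local/sbin/iptables -A tcpre -s 192.168.120.0/24 -j setsticky'
RESTORE_INPUT = """\
*mangle
:PREROUTING ACCEPT [0:0]
:tcpre - [0:0]
:sticky - [0:0]
:sticky - [0:0]
-A PREROUTING -j tcpre
-A tcpre -s 192.168.120.0/24 -j sticky
COMMIT
"""

if __name__ == '__main__':
    for cmd in (DOUBLE_A, LEAKED_ECHO, UNKNOWN_TARGET, CLEAN):
        print(cmd, '->', lint_command(cmd, KNOWN_CHAINS) or 'ok')
    print(lint_restore(RESTORE_INPUT) or 'restore input ok')
```

Run against the generated script before it is handed to the shell, this reports the doubled "-A", the leaked "echo", the undeclared "sticky" target and the duplicate ":sticky" declaration with line numbers, which is the information the iptables error messages in this thread only gave one failure at a time.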
On Saturday 11 September 2010 23:16:40 Tom Eastep wrote:
> On 9/11/10 2:41 PM, Tom Eastep wrote:
>> On 9/11/10 2:26 PM, Steven Jan Springl wrote:
>>> On Saturday 11 September 2010 21:39:06 Tom Eastep wrote:
>>>> On 9/11/10 1:15 PM, Tom Eastep wrote:
>>>>> On 9/11/10 1:12 PM, Tom Eastep wrote:
>>>>>>> tcrules entry:
>>>>>>>
>>>>>>> SAME eth0 eth0
>>>>>>>
>>>>>>> produces the following message from "shorewall start"
>>>>>>>
>>>>>>> Bad argument 'echo'
>>>>>>>
>>>>>>> and produces the following messages from "shorewall debug start":
>>>>>>>
>>>>>>> /var/lib/shorewall/.start: line 838: 3: Bad file descriptor
>>>>>>>
>>>>>>> ERROR: Command "/usr/local/sbin/iptables -A setsticky echo "-i
>>>>>>> eth0 -d -m mark --mark 0x1/0xff -m recent --name sticky002 --set"
>>>>>>> >&3" Failed
>>>>>>
>>>>>> Steven,
>>>>>>
>>>>>> Please verify that the attached patch corrects the problem.
>>>>>
>>>>> Please disregard that patch -- it is insufficient.
>>>>
>>>> This one "fixes" it. Specifying an OUTPUT interface in a SAME rule is
>>>> silly anyway.
>>>>
>>>> -Tom
>>>>
>>>> PS -- reverse echo.patch if you've applied it.
>>>
>>> Tom
>>>
>>> I now get the following error message:
>>>
>>> ERROR: Internal error in Shorewall::Providers::handle_stickiness
>>> at /usr/share/shorewall/Shorewall/Providers.pm line 1011
>>
>> Did you apply both hunks? The change to Chains.pm should generate a more
>> readable error before the point where the internal error is produced.
>
> Sorry -- I misunderstood. This error is occurring on
>
> "SAME:P x.x.x.x/yy..." rules
>
> I've reproduced it.
>
> -Tom

Tom

It's me that should be apologising to you. I look after a severely disabled parent, which means that I can't always respond to your requests for further information in a timely fashion. Be assured that as soon as I can respond, I will.

I have confirmed that both chunks of the patch have been applied.

Steven.
On 9/11/10 3:35 PM, Steven Jan Springl wrote:
> It's me that should be apologising to you. I look after a severely disabled
> parent, which means that I can't always respond to your requests for
> further information in a timely fashion. Be assured that as soon as I can
> respond, I will.

I completely understand. Having cared for both of my parents, I appreciate what you are dealing with.

> I have confirmed that both chunks of the patch have been applied.

As I mentioned, I think I've fixed everything. I recommend getting the changes from Git since they are somewhat disjoint.

Thanks again, Steven
-Tom
On Saturday 11 September 2010 23:44:45 Tom Eastep wrote:
> As I mentioned, I think I've fixed everything. I recommend getting the
> changes from Git since they are somewhat disjoint.
>
> Thanks again, Steven
>
> -Tom

Tom

It all seems to be working now. Thanks.

Steven.
Just a query really:

Is it possible to use ipsets in the secmarks file? This is not mentioned in the man pages so I presume that I can't. If that is the case could this be included?

Ideally, I would like to be able to use it in the same way as I do in my rules file, i.e.

eth0:+vpn-ec2-host[dst,dst]

(to be able to specify ports as well as hosts or a combination thereof).
On 9/11/10 4:29 PM, Mr Dash Four wrote:
> Just a query really:
>
> Is it possible to use ipsets in the secmarks file?

Yes.

-Tom
>> Is it possible to use ipsets in the secmarks file?
>
> Yes.

Tested it, albeit very briefly, yesterday and it did seem to work - I will have a more thorough run-through later this week as I will be ready with the SELinux policies controlling all the traffic.

What I like about ipsets is that they are dynamic and can be changed 'on-the-fly' without the need to restart/reload Shorewall - an ipset could have one set of values/members now and completely different the next time - very handy for testing!
On 9/12/10 3:37 PM, Mr Dash Four wrote:
>>> Is it possible to use ipsets in the secmarks file?
>>
>> Yes.
>
> Tested it, albeit very briefly, yesterday and it did seem to work - I
> will have a more thorough run-through later this week as I will be ready
> with the SELinux policies controlling all the traffic.
>
> What I like about ipsets is that they are dynamic and can be changed
> 'on-the-fly' without the need to restart/reload Shorewall - an ipset
> could have one set of values/members now and completely different the
> next time - very handy for testing!

Shorewall has one source-match generator and one destination-match generator that are used any time an address match is needed; both accept ipsets.

Don't know if you noticed, but destination blacklisting should now work the way you prefer. Just don't look for a jump in fw2net; blacklisting occurs before that chain is entered.

-Tom
> Shorewall has one source-match generator and one destination-match
> generator that are used any time an address match is needed; both accept
> ipsets.

So Source/Destination works the same way no matter where it is specified? Makes perfect sense from a programmer's point of view and makes policy-writing consistent across the board.

> Don't know if you noticed, but destination blacklisting should now work
> the way you prefer. Just don't look for a jump in fw2net; blacklisting
> occurs before that chain is entered.

I didn't notice this until your comment above and then read it in the release notes for beta4. That's very good and it was needed - I had to maintain 2 separate files, not to mention that I had to include all interfaces in the blacklisted ipsets. I take it this now works across all interfaces (no matter how many are on the host system) and in both directions, right?
On 9/13/10 1:15 AM, Mr Dash Four wrote:
>> Shorewall has one source-match generator and one destination-match
>> generator that are used any time an address match is needed; both accept
>> ipsets.
>
> So Source/Destination works the same way no matter where it is
> specified? Makes perfect sense from a programmer's point of view and
> makes policy-writing consistent across the board.

Yes and Yes.

>> Don't know if you noticed, but destination blacklisting should now work
>> the way you prefer. Just don't look for a jump in fw2net; blacklisting
>> occurs before that chain is entered.
>
> I didn't notice this until your comment above and then read it in the
> release notes for beta4. That's very good and it was needed - I had to
> maintain 2 separate files, not to mention that I had to include all
> interfaces in the blacklisted ipsets. I take it this now works across
> all interfaces (no matter how many are on the host system) and in both
> directions, right?

No -- please read the documentation again. You need blacklist=1 on Internet-facing interfaces and blacklist=2 on the other interfaces for which you wish to enable destination blacklisting. But you only need to maintain one blacklist (/etc/shorewall/blacklist).

-Tom
> You need blacklist=1 on
> Internet-facing interfaces and blacklist=2 on the other interfaces for
> which you wish to enable destination blacklisting. But you only need to
> maintain one blacklist (/etc/shorewall/blacklist).

It would have been nice if I could use "from,to" or "both" in the options column instead of adding a separate line in the blacklist file for each direction.
Tom

Interface entry:

rest xyz nets=dynamic,optional

produces the following message:

iptables-restore v1.4.9.1: Set rest_xyz doesn't exist.

Note: Shorewall starts when a host entry such as the following is defined, so I know that ipset is working:

z1 eth1:dynamic tcpflags

Steven.
On 9/13/10 11:57 AM, Mr Dash Four wrote:
>> You need blacklist=1 on
>> Internet-facing interfaces and blacklist=2 on the other interfaces for
>> which you wish to enable destination blacklisting. But you only need to
>> maintain one blacklist (/etc/shorewall/blacklist).
>
> It would have been nice if I could use "from,to" or "both" in the
> options column instead of adding a separate line in the blacklist file
> for each direction.

I had already planned to add 'from,to'.

-Tom
On 9/13/10 12:29 PM, Steven Jan Springl wrote:
> Tom
>
> Interface entry:
>
> rest xyz nets=dynamic,optional
>
> produces the following message:
>
> iptables-restore v1.4.9.1: Set rest_xyz doesn't exist.
>
> Note: Shorewall starts when a host entry such as the following is defined, so
> I know that ipset is working:
>
> z1 eth1:dynamic tcpflags

What does 'fgrep IPSET <compiled script>' produce, Steven?

Thanks,
-Tom
On Monday 13 September 2010 21:18:25 Tom Eastep wrote:
> On 9/13/10 12:29 PM, Steven Jan Springl wrote:
>> Tom
>>
>> Interface entry:
>>
>> rest xyz nets=dynamic,optional
>>
>> produces the following message:
>>
>> iptables-restore v1.4.9.1: Set rest_xyz doesn't exist.
>>
>> Note: Shorewall starts when a host entry such as the following is
>> defined, so I know that ipset is working:
>>
>> z1 eth1:dynamic tcpflags
>
> What does 'fgrep IPSET <compiled script>' produce, Steven?
>
> Thanks,
> -Tom

Tom

See attached file.

Steven.
On 09/13/2010 01:26 PM, Steven Jan Springl wrote:
> On Monday 13 September 2010 21:18:25 Tom Eastep wrote:
>> On 9/13/10 12:29 PM, Steven Jan Springl wrote:
>>> Interface entry:
>>>
>>> rest xyz nets=dynamic,optional
>>>
>>> produces the following message:
>>>
>>> iptables-restore v1.4.9.1: Set rest_xyz doesn't exist.
>>>
>>> Note: Shorewall starts when a host entry such as the following is
>>> defined, so I know that ipset is working:
>>>
>>> z1 eth1:dynamic tcpflags
>>
>> What does 'fgrep IPSET <compiled script>' produce, Steven?
>
> See attached file.

Steven,

I can't understand why z1_eth1 would be created and rest_xyz would not; the lines that create the two sets if they don't exist should be adjacent in the script.

qt $IPSET -L rest_xyz -n || $IPSET -N rest_xyz iphash
qt $IPSET -L z1_eth1 -n || $IPSET -N z1_eth1 iphash

-Tom
On Monday 13 September 2010 21:48:57 Tom Eastep wrote:
> On 09/13/2010 01:26 PM, Steven Jan Springl wrote:
>> On Monday 13 September 2010 21:18:25 Tom Eastep wrote:
>>> On 9/13/10 12:29 PM, Steven Jan Springl wrote:
>>>> Interface entry:
>>>>
>>>> rest xyz nets=dynamic,optional
>>>>
>>>> produces the following message:
>>>>
>>>> iptables-restore v1.4.9.1: Set rest_xyz doesn't exist.
>>>>
>>>> Note: Shorewall starts when a host entry such as the following is
>>>> defined, so I know that ipset is working:
>>>>
>>>> z1 eth1:dynamic tcpflags
>>>
>>> What does 'fgrep IPSET <compiled script>' produce, Steven?
>>
>> See attached file.
>
> Steven,
>
> I can't understand why z1_eth1 would be created and rest_xyz would not; the
> lines that create the two sets if they don't exist should be adjacent in
> the script.
>
> qt $IPSET -L rest_xyz -n || $IPSET -N rest_xyz iphash
> qt $IPSET -L z1_eth1 -n || $IPSET -N z1_eth1 iphash
>
> -Tom

Tom

If I start the firewall without an interface defined as dynamic, change an interface to dynamic and restart the firewall, it works.

In the attached part of the script generated from a 'shorewall compile ...' it can be seen that IPSET is not executed on a 'shorewall start'.

Steven.
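The failure in this exchange is an ordering problem: iptables-restore refuses a ruleset that references a set ("Set rest_xyz doesn't exist") unless the set has been created first, and the compiled script's create-if-missing lines were not being run on 'start'. The following is an added example, not Shorewall's generated code, showing the same pattern as the two qt lines quoted above applied generically: a POSIX shell helper that pulls every `--match-set` name out of an iptables-restore ruleset, reports the sets that are still missing, and creates them idempotently before the rules are loaded. The IPSET_CMD variable, the function names and the sample ruleset are assumptions made for this example; the sample rules are constructed, not taken from any compiled script.

```shell
#!/bin/sh
# Added example (not Shorewall code): create every ipset a ruleset references
# before iptables-restore loads it, so a missing set is caught up front.

# Assumed: the ipset binary, overridable so the helpers can be exercised
# without root or a real ipset install.
IPSET_CMD="${IPSET_CMD:-ipset}"

# Constructed sample ruleset in iptables-restore syntax (two dynamic zones,
# one of them referenced twice), used only to try the helpers offline.
SAMPLE_RULES='-A net_dyn -m set --match-set rest_xyz src -j ACCEPT
-A loc_dyn -m set --match-set z1_eth1 src -j ACCEPT
-A net_dyn -m set --match-set rest_xyz src -j DROP'

# referenced_sets FILE: print each set name that appears after --match-set,
# once, in sorted order.  Only POSIX sed/sort are used.
referenced_sets() {
    sed -n 's/.*--match-set[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | sort -u
}

# set_exists NAME: true if "ipset -L NAME -n" succeeds (same probe the
# compiled script uses, with output discarded).
set_exists() {
    "$IPSET_CMD" -L "$1" -n >/dev/null 2>&1
}

# ensure_ipset NAME [TYPE]: create the set only if it is missing, so the
# helper is safe to run on every start/restart.  Default type is iphash,
# matching the quoted script lines.
ensure_ipset() {
    set_exists "$1" && return 0
    "$IPSET_CMD" -N "$1" "${2:-iphash}"
}

# missing_sets FILE: pre-flight check; prints the referenced sets that do
# not exist yet.  Empty output means iptables-restore will not trip over
# an unknown set.
missing_sets() {
    for s in $(referenced_sets "$1"); do
        set_exists "$s" || echo "$s"
    done
}

# prepare_sets FILE: create every referenced set; non-zero if any creation
# failed.  Run this before "iptables-restore < FILE".
prepare_sets() {
    rc=0
    for s in $(referenced_sets "$1"); do
        ensure_ipset "$s" || rc=1
    done
    return $rc
}
```

Usage: `prepare_sets /path/to/ruleset && iptables-restore < /path/to/ruleset`. Because `ensure_ipset` probes before creating, running it again on a 'restart' is harmless, which is exactly the property the quoted `qt $IPSET -L ... || $IPSET -N ...` lines rely on.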
On 9/13/10 3:11 PM, Steven Jan Springl wrote:
> If I start the firewall without an interface defined as dynamic.
> Change an interface to dynamic and restart the firewall, it works.
>
> In the attached part of the script generated from a 'shorewall compile ...'
> it can be seen that IPSET is not executed on a 'shorewall start'

The attached patch seems to generate the correct code for 'start'.

Thanks, Steven
-Tom
On Monday 13 September 2010 23:50:52 Tom Eastep wrote:
> On 9/13/10 3:11 PM, Steven Jan Springl wrote:
>> If I start the firewall without an interface defined as dynamic.
>> Change an interface to dynamic and restart the firewall, it works.
>>
>> In the attached part of the script generated from a 'shorewall compile
>> ...' it can be seen that IPSET is not executed on a 'shorewall start'
>
> The attached patch seems to generate the correct code for 'start'.
>
> Thanks, Steven
>
> -Tom

Tom

The patch works for me too. Thanks.

Steven.