Beta 1 is now available for testing. It has a single enhancement over 4.4.13:

1) Multiple source or destination ipset matches can be generated by enclosing the ipset list in [...].

Example (/etc/shorewall/rules):

ACCEPT $FW net:+[dest-ip-map,dest-port-map]

See shorewall-ipsets(5) for additional information.

Thank you for testing,
-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________

------------------------------------------------------------------------------
Start uncovering the many advantages of virtual appliances
and start using them to simplify application deployment and
accelerate your shift to cloud computing.
http://p.sf.net/sfu/novell-sfdev2dev
> Beta 1 is now available for testing. It has a single enhancement over
> 4.4.13:
>
> 1) Multiple source or destination ipset matches can be generated by
> enclosing the ipset list in [...].
>
> Example (/etc/shorewall/rules):
>
> ACCEPT $FW net:+[dest-ip-map,dest-port-map]
>
> See shorewall-ipsets(5) for additional information.
>
> Thank you for testing,
>
OK, I've done some testing and it works, though I came across something I am not sure is to do with Shorewall:

1. ipset allows for macipmap to be defined - that is ip,mac combinations. Even though I did define such a set and set it properly in my rules file (which Shorewall translated properly) I do not seem to be able to get a match - don't know why.

For example, I've set my local test bed with its ip,mac combo (i.e. src-ip-set[src,src]), I've got Shorewall's translation as match-set src-ip-set src,src, which seems to be right, though I cannot get any matches on that rule!

2. Shorewall allows for some, frankly, ridiculous combinations like

DROP $FW:+[ip-set[src],ip-port-map[dst,dst]] net:+[ip-set[dst],ip-port-map[src,src]]

The above translates without error and produces matches, which are then passed on to iptables (successfully!), though there is absolutely no chance of the above rule producing any match. I have no idea if/how you could stop this (or if you should bother!).

On another note - as I compile my kernel manually (have introduced some 'enhancements' of my own) I also compile and build xtables addons from source.

It turns out that, for some unknown reason, ipportiphash and ipportnethash (supporting ip-port-ip and ip-port-net sets) are NOT built in, though the source is compiled and .ko files are produced. When I try to use these two maps (needed to go further with the testing) I get an error saying these two maps are not supported. Bizarre!
On 09/22/2010 11:08 AM, Mr Dash Four wrote:
> OK, I've done some testing and it works, though I came across something
> I am not sure it is to do with Shorewall:
>
> 1. ipset allows for macipmap to be defined - that is ip,mac
> combinations. Even though I did define such a set and set it properly in
> my rules file (which Shorewall translated properly) I do not seem to be
> able to get a match - don't know why.
>
> For example, I've set my local test bed with its ip,mac combo (i.e.
> src-ip-set[src,src]), I've got Shorewall's translation as match-set
> src-ip-set src,src, which seems to be right, though I cannot get any
> matches on that rule!

That's the correct translation so I don't know what Shorewall could do differently.

> 2. Shorewall allows for some, frankly, ridiculous combinations like
>
> DROP $FW:+[ip-set[src],ip-port-map[dst,dst]]
> net:+[ip-set[dst],ip-port-map[src,src]]
>
> The above translates without error and produces matches, which are then
> passed on to iptables (successfully!), though there is absolutely no
> chance of the above rule producing any match. I have no idea if/how you
> could stop this (or if you should bother!).

Given that the sets need not even exist on the system where the compilation is being done, I don't believe that Shorewall should be in the business of trying to decide what combinations are reasonable and what aren't.

> On another note - as I compile my kernel manually (have introduced some
> 'enhancements' of my own) I also compile and build xtables addons from
> source.
>
> It turns out that, for some unknown reason, ipportiphash and
> ipportnethash (supporting ip-port-ip and ip-port-net sets) is NOT built
> in, though the source is compiled and .ko files are produced. When I try
> to use these two maps (needed to go further with the testing) I get an
> error saying these two maps are not supported. Bizarre!

Are the modules being loaded?
-Tom
>> For example, I've set my local test bed with its ip,mac combo (i.e.
>> src-ip-set[src,src]), I've got Shorewall's translation as match-set
>> src-ip-set src,src, which seems to be right, though I cannot get any
>> matches on that rule!
>
> That's the correct translation so I don't know what Shorewall could do
> differently.
>
Me neither, hence I wasn't sure it is a Shorewall issue.

> Are the modules being loaded?
>
Not only are they not loaded, they do NOT exist in the /lib/modules directory at all. The source is compiled, the .o, .so files are created, but that's about it!

There is a file called modules.order, which seems to be automatically generated and it does not contain the two .ko files (ip_set_ipportiphash.ko and ipportnethash.ko). Another file, Kbuild, is present (don't know whether it is automatically generated or not) and it does not contain these file names either.
On 9/22/10 11:36 AM, Mr Dash Four wrote:
>>> For example, I've set my local test bed with its ip,mac combo (i.e.
>>> src-ip-set[src,src]), I've got Shorewall's translation as match-set
>>> src-ip-set src,src, which seems to be right, though I cannot get any
>>> matches on that rule!
>>
>> That's the correct translation so I don't know what Shorewall could do
>> differently.
>
> Me neither, hence I wasn't sure it is Shorewall issue.
>
>> Are the modules being loaded?
>
> Not only they are not loaded, they do NOT exist in the /lib/modules
> directory at all. The source is compiled, the .o, .so files are created,
> but that's about it!
>
> There is a file called modules.order, which seems to be automatically
> generated and it does not contain the two .ko files
> (ip_set_ipportiphash.ko and ipportnethash.ko). Another file, Kbuild, is
> present (don't know whether it is automatically generated or not) and it
> does not contain these file names either.

Sounds like an xtables-addons Makefile issue.

-Tom
> Sounds like an xtables-addons Makefile issue.
>
Thanks, I am actually typing a message to our friends at netfilter-devel as they are the owners/maintainers of xtables apparently. I am amazed - is there nobody testing these things before a release? This is a fundamental issue.

The funny thing is that when I type ipset --help ipportiphash (or ipset --help ipportnethash) the command seems to be recognised (same with the man pages), but when I actually try to use it it all falls apart! Oh, well...
On 9/22/10 12:14 PM, Mr Dash Four wrote:
> The funny thing is that when I type ipset --help ipportiphash (or ipset
> --help ipportnethash) the command seems to be recognised (same with the
> man pages), but when I actually try to use it it all falls apart!

The xtables library is getting built and installed correctly; the kernel module is not.

-Tom
> The xtables library is getting built and installed correctly; the kernel
> module is not.
>
Well, I must be going insane, because, would you believe this, I can't even build xtables now! I am getting the following error:

  CC       libxt_CHAOS.oo
libxt_CHAOS.c:99: warning: implicit declaration of function ‘ALIGN’
libxt_CHAOS.c:99: error: initializer element is not constant
libxt_CHAOS.c:99: error: (near initialization for ‘chaos_tg_reg.size’)
libxt_CHAOS.c:100: error: initializer element is not constant
libxt_CHAOS.c:100: error: (near initialization for ‘chaos_tg_reg.userspacesize’)
make[3]: *** [libxt_CHAOS.oo] Error 1

At first I thought it is your patch to blame, but I just installed vanilla iptables-* and I get the same result!

A couple of days ago I was able to build the damn thing - from source - as I changed the kernel and had to compile and build xtables after the new kernel was installed. That was done successfully and now when I am trying to do the same thing - I bloody can't!
On 9/22/10 4:50 PM, Mr Dash Four wrote:
> At first I thought it is your patch to blame, but I just installed
> vanilla iptables-* and I get the same result!
>
> A couple of days ago I was able to build the damn thing - from source -
> as I changed the kernel and had to compile and build xtables after the
> new kernel was installed. That was done successfully and now when I am
> trying to do the same thing - I bloody can't!

I see on the Netfilter list that you run Fedora -- IMHO, you are getting what you asked for. Fedora is much too "bleeding edge" for me.

-Tom
> I see on the Netfilter list that your run Fedora -- IMHO, you are
> getting what you asked for. Fedora is much too "bleeding edge" for me.
>
Yeah, maybe I should consider running CentOS.

To be frank, apart from the recent iptables/xtables problems and the impending netfilter enhancements I do not have a problem with Fedora (and I have been using it since it was known as RedHat 8) - I am used to it. Though, I have to admit what REALLY pisses me off is how crap the hibernation feature in Fedora is - I mean, it crashes out every 4-5 times after I've done it. Is this equally bad on all other Linux distributions?
On Thu, Sep 23, 2010 at 11:54:20AM +0100, Mr Dash Four wrote:
> > I see on the Netfilter list that your run Fedora -- IMHO, you are
> > getting what you asked for. Fedora is much too "bleeding edge" for me.
> >
> Yeah, may be I should consider running CentOS.
>
> To be frank, apart from the recent iptables/xtables problems and the
> impending netfilter enhancements I do not have a problem with Fedora
> (and I have been using it since it was known as RedHat 8) - I am used to
> it. Though, I have to admit what REALLY pisses me off is how crap the
> hibernation feature in Fedora is - I mean, it crashes out every 4-5
> times after I've done it. Is this equally bad on all other Linux
> distributions?

No it isn't. I have never had suspend crash on my Debian systems, even the ones running Debian unstable.

The fedora developers plainly say Fedora is for developers, not end users. End users should be running RHEL instead. Fedora throws in lots of untested new stuff to get it tested. If you don't like stuff not working or breaking, then Fedora is by design not what you should be running.

--
Len Sorensen
>> Is this equally bad on all other Linux
>> distributions?
>
> No it isn't. I have never had suspend crash on my Debian systems,
> even the ones running Debian unstable.
>
Me neither! Hibernate on the other hand...

> The fedora developers plainly say Fedora is for developers, not end
> users.

Really? And how did you figure out that I am an "end user"? For the uninitiated (like your good self) - I am a developer, and as such I expect when something gets released to have, at least, its basic functionality level sorted out - "for developers" is not a synonym for "barely-working" or "plain crap", not in my domain anyway - you, on the other hand, have a different view, it seems!

> End users should be running RHEL instead. Fedora throws in
> lots of untested new stuff to get it tested.

I thought that's what Fedora Rawhide is for?

> If you don't like stuff
> not working or breaking, then Fedora is by design not what you should
> be running.
>
Where did I state that? And since when have I asked you for advice on what I *should* be running?
On Thu, Sep 23, 2010 at 8:54 AM, Mr Dash Four <mr.dash.four@googlemail.com> wrote:
>> The fedora developers plainly say Fedora is for developers, not end
>> users.
> Really? And how did you figure out that I am "end user"? For the
> uninitiated (like your good self) - I am a developer, and as such I
> expect when something gets released to have, at least, its basic
> functionality level sorted out - "for developers" is not a synonym for
> "barely-working" or "plain crap", not in my domain anyway - you, on the
> other hand, have a different view, it seems!

If an OS vendor says "for developers" I interpret that to mean one of two things: either people who are actively developing the OS or people who are developing third party software. The first group might use it all the time, with the expectation that when something doesn't work they can fix it themselves. The second would only use it to make sure that the software they are developing isn't broken by recent changes, and it would likely be installed only on a separate testing machine.

------------------------------------------------------------------------------
Nokia and AT&T present the 2010 Calling All Innovators-North America contest
Create new apps & games for the Nokia N8 for consumers in U.S. and Canada
$10 million total in prizes - $4M cash, 500 devices, nearly $6M in marketing
Develop with Nokia Qt SDK, Web Runtime, or Java and Publish to Ovi Store
http://p.sf.net/sfu/nokia-dev2dev
On Thu, Sep 23, 2010 at 02:54:02PM +0100, Mr Dash Four wrote:
> >> Is this equally bad on all other Linux
> >> distributions?
> >
> > No it isn't. I have never had suspend crash on my Debian systems,
> > even the ones running Debian unstable.
> >
> Me neither! Hibernate on the other hand...

Well I don't hibernate very often, but I don't recall it ever failing either.

> Really? And how did you figure out that I am "end user"? For the
> uninitiated (like your good self) - I am a developer, and as such I
> expect when something gets released to have, at least, its basic
> functionality level sorted out - "for developers" is not a synonym for
> "barely-working" or "plain crap", not in my domain anyway - you, on the
> other hand, have a different view, it seems!

I make no assumption about what you do. However your expectations of what fedora should provide you with clearly do not match with what the makers of fedora expect to have to provide. Personally I have used Debian for many years because I don't tolerate the quality level (or lack thereof) that redhat thinks is justified to release. I used to be a long time redhat user however.

> > End users should be running RHEL instead. Fedora throws in
> > lots of untested new stuff to get it tested.
> I thought that's what Fedora Rawhide is for?

It is what all of fedora is for. rawhide is just especially raw. Fedora is a testbed for RHEL. If things break, they work on fixing them so that when they make a new RHEL, it really does work. They don't usually go and break things on purpose, although sometimes they seem to (kernel mode switching for example was obviously still not ready when they decided fedora would be a good place to test it).

> > If you don't like stuff
> > not working or breaking, then Fedora is by design not what you should
> > be running.
> >
> Where did I state that? And since when have I asked you for advice on
> what I *should* be running?

I am not telling you what to run. I am just pointing out what the vast majority of fedora users have failed to realize. You can do what you want (I certainly hope you do). Way too many users mistakenly think Fedora is the replacement for the redhat distribution unfortunately.

--
Len Sorensen
Tom

I have been testing the new ipset format. It seems to work in the following config files:

accounting, blacklist, notrack, rules, tcpri, tcrules & tos

However it is not accepted in config files hosts & maclist.

Hosts entry:

dms eth0:+[set1,set2]

produces the following message:

ERROR: Invalid ipset name (+[set1) : /etc/shorewall2/hosts (line 29)

Maclist entry:

DROP:0 br1 - 1.1.1.1,+set1

works, but entry:

DROP:0 br1 - 1.1.1.1,+[set1,set2]

produces the following message:

ERROR: An ipset name (+[set1) is not allowed in this context : /etc/shorewall2/maclist (line 14)

Steven.
On 09/24/2010 03:29 PM, Steven Jan Springl wrote:
> Tom
>
> I have been testing the new ipset format. It seems to work in the following
> config files:
>
> accounting, blacklist, notrack, rules, tcpri, tcrules & tos
>
> However it is not accepted in config files hosts & maclist.

That's probably appropriate. I'll revise the shorewall-ipsets manpage.

Thanks, Steven

-Tom
> 1) Multiple source or destination ipset matches can be generated by
> enclosing the ipset list in [...].
>
> Example (/etc/shorewall/rules):
>
> ACCEPT $FW net:+[dest-ip-map,dest-port-map]
>
Converting the 'old' format from "$FW:!+dest-port[dst] net:+dest-net" to "$FW net:+[dest-net,!dest-port]" gives me ERROR: Invalid DEST

Converting the 'old' format from "$FW:+dest-port[dst] net:!+dest-net" to "$FW net:+[!dest-net,dest-port]" gives me ERROR: Missing ']' (+[)

Converting the 'old' format from "$FW:!+dest-port[dst] net:!+dest-net" to "$FW net:!+[dest-net,dest-port]" gives me ERROR: An ipset name (+[dest-net,dest-port]) is not allowed in this context

------------------------------------------------------------------------------
Virtualization is moving to the mainstream and overtaking non-virtualized
environment for deploying applications. Does it make network security
easier or more difficult to achieve? Read this whitepaper to separate the
two and get a better understanding.
http://p.sf.net/sfu/hp-phase2-d2d
On 10/4/10 11:36 AM, Mr Dash Four wrote:
>> 1) Multiple source or destination ipset matches can be generated by
>> enclosing the ipset list in [...].
>>
>> Example (/etc/shorewall/rules):
>>
>> ACCEPT $FW net:+[dest-ip-map,dest-port-map]
>>
> Converting the 'old' format from "$FW:!+dest-port[dst] net:+dest-net" to
> "$FW net:+[dest-net,!dest-port]" gives me ERROR: Invalid DEST
>
> Converting the 'old' format from "$FW:+dest-port[dst] net:!+dest-net" to
> "$FW net:+[!dest-net,dest-port]" gives me ERROR: Missing ']' (+[)
>
> Converting the 'old' format from "$FW:!+dest-port[dst] net:!+dest-net"
> to "$FW net:!+[dest-net,dest-port]" gives me ERROR: An ipset name
> (+[dest-net,dest-port]) is not allowed in this context

Short description: Exclusion in setlists doesn't work.

Attached is a patch against /usr/share/shorewall/Shorewall/Chains.pm.

-Tom
> Attached is a patch against /usr/share/shorewall/Shorewall/Chains.pm.
>
Is the syntax I used correct (hence why I attached the 'long description' - for your own benefit)?

I am particularly interested to know whether the double exclusion syntax is correct, i.e. !+port-map[dst] !+ip-map[dst] = !+[ip-map,port-map], or should I use +[!ip-map,!port-map]?
On 10/4/10 3:12 PM, Mr Dash Four wrote:
>> Attached is a patch against /usr/share/shorewall/Shorewall/Chains.pm.
>>
> Is the syntax I used correct (hence why I attached the 'long
> description' - for your own benefit)?
>
> I am particularly interested to know whether the double exclusion syntax
> is correct, i.e. !+port-map[dst] !+ip-map[dst] = !+[ip-map,port-map], or
> should I use +[!ip-map,!port-map]?

Depends on what you want.

!+[ip-map,port-map] means that the packet does not match both sets (but it may match one of the two sets).

+[!ip-map,!port-map] means that the packet does not match either set.

-Tom

------------------------------------------------------------------------------
Beautiful is writing same markup. Internet Explorer 9 supports
standards for HTML5, CSS3, SVG 1.1, ECMAScript5, and DOM L2 & L3.
Spend less time writing and rewriting code and more time creating great
experiences on the web. Be a part of the beta today.
http://p.sf.net/sfu/beautyoftheweb
> Depends on what you want.
>
> !+[ip-map,port-map] means that the packet does not match both sets (but
> it may match one of the two sets).
>
> +[!ip-map,!port-map] means that the packet does not match either set.
>
You are right. Come to think of it, when I do not have exclusion (!), the comma symbol (,) between sets in brackets indicates logical AND (in other words, to have a packet match all sets specified in the brackets must also match), so following this:

!+[ipset1,ipset2...ipsetN] should be interpreted as NOT (ipset1 AND ipset2 AND ... ipsetN), which is the same as ipset1 OR ipset2 OR ... ipsetN - in other words match in either set produces a packet match.

Similarly +[!ipset1,!ipset2...!ipsetN] should be interpreted as (NOT ipset1) AND (NOT ipset2) ... AND (NOT ipsetN), which is the same as NOT (ipset1 OR ipset2 OR ... ipsetN) - in other words match in either set does NOT produce a packet match.

Does your patch reflect the above logic or should I refrain from applying it until you fix this?
On 10/4/10 6:09 PM, Mr Dash Four wrote:
>> Depends on what you want.
>>
>> !+[ip-map,port-map] means that the packet does not match both sets (but
>> it may match one of the two sets).
>>
>> +[!ip-map,!port-map] means that the packet does not match either set.
>>
> You are right. Come to think of it, when I do not have exclusion (!),
> the comma symbol (,) between sets in brackets indicates logical AND (in
> other words, to have a packet match all sets specified in the brackets
> must also match), so following this:
>
> !+[ipset1,ipset2...ipsetN] should be interpreted as NOT (ipset1 AND
> ipset2 AND ... ipsetN), which is the same as ipset1 OR ipset2 OR ...
> ipsetN - in other words match in either set produces a packet match.
>
> Similarly +[!ipset1,!ipset2...!ipsetN) should be interpreted as (NOT
> ipset1) AND (NOT ipset2) ... AND (NOT ipsetN), which is the same as NOT
> (ipset1 OR ipset2 OR ... ipsetN) - in other words match in either set
> does NOT produce a packet match.
>
> Does your patch reflects the above logic or should I refrain from
> applying it until you fix this?

What I wrote reflects the patch I sent.

-Tom
>>> Depends on what you want.
>>>
>>> !+[ip-map,port-map] means that the packet does not match both sets (but
>>> it may match one of the two sets).
>>>
>>> +[!ip-map,!port-map] means that the packet does not match either set.
>>>
>> You are right. Come to think of it, when I do not have exclusion (!),
>> the comma symbol (,) between sets in brackets indicates logical AND (in
>> other words, to have a packet match all sets specified in the brackets
>> must also match), so following this:
>>
>> !+[ipset1,ipset2...ipsetN] should be interpreted as NOT (ipset1 AND
>> ipset2 AND ... ipsetN), which is the same as ipset1 OR ipset2 OR ...
>> ipsetN - in other words match in either set produces a packet match.
>>
>> Similarly +[!ipset1,!ipset2...!ipsetN) should be interpreted as (NOT
>> ipset1) AND (NOT ipset2) ... AND (NOT ipsetN), which is the same as NOT
>> (ipset1 OR ipset2 OR ... ipsetN) - in other words match in either set
>> does NOT produce a packet match.
>>
>> Does your patch reflects the above logic or should I refrain from
>> applying it until you fix this?
>
> What I wrote reflects the patch I sent.
>
What does that mean exactly?
On 10/5/10 10:21 AM, Mr Dash Four wrote:
>>>> Depends on what you want.
>>>>
>>>> !+[ip-map,port-map] means that the packet does not match both sets (but
>>>> it may match one of the two sets).
>>>>
>>>> +[!ip-map,!port-map] means that the packet does not match either set.
>>>>
>>> You are right. Come to think of it, when I do not have exclusion (!),
>>> the comma symbol (,) between sets in brackets indicates logical AND (in
>>> other words, to have a packet match all sets specified in the brackets
>>> must also match), so following this:
>>>
>>> !+[ipset1,ipset2...ipsetN] should be interpreted as NOT (ipset1 AND
>>> ipset2 AND ... ipsetN), which is the same as ipset1 OR ipset2 OR ...
>>> ipsetN - in other words match in either set produces a packet match.
>>>
>>> Similarly +[!ipset1,!ipset2...!ipsetN) should be interpreted as (NOT
>>> ipset1) AND (NOT ipset2) ... AND (NOT ipsetN), which is the same as NOT
>>> (ipset1 OR ipset2 OR ... ipsetN) - in other words match in either set
>>> does NOT produce a packet match.
>>>
>>> Does your patch reflects the above logic or should I refrain from
>>> applying it until you fix this?
>>
>> What I wrote reflects the patch I sent.
>
> What does that mean exactly?

It means that the patch works the way that I described, not the way that you described.

-Tom
>>>>> !+[ip-map,port-map] means that the packet does not match both sets (but
>>>>> it may match one of the two sets).
>>>>>
>>>>> +[!ip-map,!port-map] means that the packet does not match either set.
>>>>>
>>>> You are right. Come to think of it, when I do not have exclusion (!),
>>>> the comma symbol (,) between sets in brackets indicates logical AND (in
>>>> other words, to have a packet match, all sets specified in the brackets
>>>> must also match), so following this:
>>>>
>>>> !+[ipset1,ipset2...ipsetN] should be interpreted as NOT (ipset1 AND
>>>> ipset2 AND ... ipsetN), which is the same as ipset1 OR ipset2 OR ...
>>>> ipsetN - in other words match in either set produces a packet match.
>>>>
>>>> Similarly +[!ipset1,!ipset2...!ipsetN] should be interpreted as (NOT
>>>> ipset1) AND (NOT ipset2) ... AND (NOT ipsetN), which is the same as NOT
>>>> (ipset1 OR ipset2 OR ... ipsetN) - in other words match in either set
>>>> does NOT produce a packet match.
>>>>
>>>> Does your patch reflect the above logic or should I refrain from
>>>> applying it until you fix this?
>>>>
>>> What I wrote reflects the patch I sent.
>>>
>> What does that mean exactly?
>>
>
> It means that the patch works the way that I described, not the way that
> you described.
>
Could you describe it in a way that us, simple-minded, could understand
please, as I am struggling with the cryptic one-liners you use in your
'description' (god forbid if you put that in a man page)? I tried to
explain what I thought was a logical set of rules for this to be built upon,
but that, I see, went way over your head.
On 10/05/2010 11:42 AM, Mr Dash Four wrote:
>
>>>>>> !+[ip-map,port-map] means that the packet does not match both sets (but
>>>>>> it may match one of the two sets).
>>>>>>
>>>>>> +[!ip-map,!port-map] means that the packet does not match either set.
>>>>>>
>>>>> You are right. Come to think of it, when I do not have exclusion (!),
>>>>> the comma symbol (,) between sets in brackets indicates logical AND (in
>>>>> other words, to have a packet match, all sets specified in the brackets
>>>>> must also match), so following this:
>>>>>
>>>>> !+[ipset1,ipset2...ipsetN] should be interpreted as NOT (ipset1 AND
>>>>> ipset2 AND ... ipsetN), which is the same as ipset1 OR ipset2 OR ...
>>>>> ipsetN - in other words match in either set produces a packet match.
>>>>>
>>>>> Similarly +[!ipset1,!ipset2...!ipsetN] should be interpreted as (NOT
>>>>> ipset1) AND (NOT ipset2) ... AND (NOT ipsetN), which is the same as NOT
>>>>> (ipset1 OR ipset2 OR ... ipsetN) - in other words match in either set
>>>>> does NOT produce a packet match.
>>>>>
>>>>> Does your patch reflect the above logic or should I refrain from
>>>>> applying it until you fix this?
>>>>>
>>>> What I wrote reflects the patch I sent.
>>>>
>>> What does that mean exactly?
>>>
>>
>> It means that the patch works the way that I described, not the way that
>> you described.
>>
> Could you describe it in a way that us, simple-minded, could understand
> please, as I am struggling with the cryptic one-liners you use in your
> 'description' (god forbid if you put that in a man page)? I tried to
> explain what I thought was a logical set of rules for this to be built upon,
> but that, I see, went way over your head.

Please forget the &^%$ patch. You will get my code when it is ready.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
>>>>>>> !+[ip-map,port-map] means that the packet does not match both sets (but
>>>>>>> it may match one of the two sets).
>>>>>>>
>>>>>>> +[!ip-map,!port-map] means that the packet does not match either set.
>>>>>>>
>>>>>> You are right. Come to think of it, when I do not have exclusion (!),
>>>>>> the comma symbol (,) between sets in brackets indicates logical AND (in
>>>>>> other words, to have a packet match, all sets specified in the brackets
>>>>>> must also match), so following this:
>>>>>>
>>>>>> !+[ipset1,ipset2...ipsetN] should be interpreted as NOT (ipset1 AND
>>>>>> ipset2 AND ... ipsetN), which is the same as ipset1 OR ipset2 OR ...
>>>>>> ipsetN - in other words match in either set produces a packet match.
>>>>>>
>>>>>> Similarly +[!ipset1,!ipset2...!ipsetN] should be interpreted as (NOT
>>>>>> ipset1) AND (NOT ipset2) ... AND (NOT ipsetN), which is the same as NOT
>>>>>> (ipset1 OR ipset2 OR ... ipsetN) - in other words match in either set
>>>>>> does NOT produce a packet match.
>>>>>>
>>>>>> Does your patch reflect the above logic or should I refrain from
>>>>>> applying it until you fix this?
>>>>>>
>>>>> What I wrote reflects the patch I sent.
>>>>>
>>>> What does that mean exactly?
>>>>
>>> It means that the patch works the way that I described, not the way that
>>> you described.
>>>
>> Could you describe it in a way that us, simple-minded, could understand
>> please, as I am struggling with the cryptic one-liners you use in your
>> 'description' (god forbid if you put that in a man page)? I tried to
>> explain what I thought was a logical set of rules for this to be built upon,
>> but that, I see, went way over your head.
>>
>
> Please forget the &^%$ patch. You will get my code when it is ready.
>
When would that be - 4.4.14-Beta4, some further 4.4.14-Beta-X or the
official release of 4.4.14?
On 10/5/10 12:05 PM, Mr Dash Four wrote:
>>
> When would that be - 4.4.14-Beta4, some further 4.4.14-Beta-X or the
> official release of 4.4.14?

Beta 4 -- hopefully by the end of the week.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________