Shorewall devel - Dec 2010 - Shorewall 4.4.16 Beta 7

Beta 7 is now available for testing. I plan for this to be the final
4.4.16 Beta.

Problems Corrected:

1)  Problems with DNAT- used in an action reported by Steven Springl.

New Features:

1)  There is now support for parameterized actions. The parameters are
    available to extensions scripts. See
    http://www.shorewall.net/Actions.html#Extension for more
    information.

    Within the action body, the parameter values are available in $1,
    $2, etc.

Thank you for testing,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Learn how Oracle Real Application Clusters (RAC) One Node allows customers
to consolidate database storage, standardize their database environment, and, 
should the need arise, upgrade to a full multi-node Oracle RAC database 
without downtime or disruption
http://p.sf.net/sfu/oracle-sfdevnl

Tom

The attached minimal config. works with Beta 6 but produces the following 
message in Beta 7:

iptables-restore v1.4.10: Couldn''t load target 
`F2'':/usr/local/libexec/xtables/libipt_F2.so: cannot open shared object
file:
No such file or directory

The following nat rules were generated by action F2 in Beta6:

*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:F2 - [0:0]
-A PREROUTING -i eth0 -p 6 -j F2
-A F2 -j REDIRECT
-A F2 -j DNAT --to-destination 0.0.0.0
-A F2 -j REDIRECT
-A F2 -j DNAT --to-destination 0.0.0.0
-A F2 -p 0 -j RETURN
COMMIT

In Beta 7 the following nat rules were generated:

nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p 6 -j F2
COMMIT

Steven.


------------------------------------------------------------------------------
Learn how Oracle Real Application Clusters (RAC) One Node allows customers
to consolidate database storage, standardize their database environment, and, 
should the need arise, upgrade to a full multi-node Oracle RAC database 
without downtime or disruption
http://p.sf.net/sfu/oracle-sfdevnl

On 12/27/10 6:32 AM, Steven Jan Springl wrote:
> The attached minimal config. works with Beta 6 but produces the following 
> message in Beta 7:
> 
> iptables-restore v1.4.10: Couldn''t load target 
> `F2'':/usr/local/libexec/xtables/libipt_F2.so: cannot open shared
object file:
> No such file or directory
> 
Steven,

The attached patch seems to correct the problem.

Thanks,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Learn how Oracle Real Application Clusters (RAC) One Node allows customers
to consolidate database storage, standardize their database environment, and, 
should the need arise, upgrade to a full multi-node Oracle RAC database 
without downtime or disruption
http://p.sf.net/sfu/oracle-sfdevnl

On Monday 27 December 2010 15:24:57 Tom Eastep wrote:
> Steven,
>
> The attached patch seems to correct the problem.
>
> Thanks,
> -Tom
Tom

I can confirm the patch works. Thanks.

Steven.

------------------------------------------------------------------------------
Learn how Oracle Real Application Clusters (RAC) One Node allows customers
to consolidate database storage, standardize their database environment, and, 
should the need arise, upgrade to a full multi-node Oracle RAC database 
without downtime or disruption
http://p.sf.net/sfu/oracle-sfdevnl

On 12/27/10 8:04 AM, Steven Jan Springl wrote:
> 
> I can confirm the patch works. Thanks.
Thanks, Steven

The second hunk of the attached patch is required to make logging in an
action that does NAT work correctly.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Learn how Oracle Real Application Clusters (RAC) One Node allows customers
to consolidate database storage, standardize their database environment, and, 
should the need arise, upgrade to a full multi-node Oracle RAC database 
without downtime or disruption
http://p.sf.net/sfu/oracle-sfdevnl

On Monday 27 December 2010 16:42:17 Tom Eastep wrote:
> On 12/27/10 8:04 AM, Steven Jan Springl wrote:
> > I can confirm the patch works. Thanks.
>
> Thanks, Steven
>
> The second hunk of the attached patch is required to make logging in an
> action that does NAT work correctly.
>
> -Tom
Tom

After applying the whole patch, the following error message is generated from 
the attached minimal config. If the COMMENT line is removed from the rules 
file, the error does not occur:

iptables-restore v1.4.10: Couldn''t load target 
`%F2'':/usr/local/libexec/xtables/libipt_%F2.so: cannot open shared
object
file: No such file or directory

Steven.


------------------------------------------------------------------------------
Learn how Oracle Real Application Clusters (RAC) One Node allows customers
to consolidate database storage, standardize their database environment, and, 
should the need arise, upgrade to a full multi-node Oracle RAC database 
without downtime or disruption
http://p.sf.net/sfu/oracle-sfdevnl

On 12/27/10 9:27 AM, Steven Jan Springl wrote:
> After applying the whole patch, the following error message is generated
from
> the attached minimal config. If the COMMENT line is removed from the rules 
> file, the error does not occur:
> 
> iptables-restore v1.4.10: Couldn''t load target 
> `%F2'':/usr/local/libexec/xtables/libipt_%F2.so: cannot open shared
object
> file: No such file or directory
The rules file you sent me contained no COMMENT. I added one before the
F2 rule but I still see no %F2 in the generated ruleset.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Learn how Oracle Real Application Clusters (RAC) One Node allows customers
to consolidate database storage, standardize their database environment, and, 
should the need arise, upgrade to a full multi-node Oracle RAC database 
without downtime or disruption
http://p.sf.net/sfu/oracle-sfdevnl

On Monday 27 December 2010 17:41:49 Tom Eastep wrote:
> On 12/27/10 9:27 AM, Steven Jan Springl wrote:
> > After applying the whole patch, the following error message is
generated
> > from the attached minimal config. If the COMMENT line is removed from
the
> > rules file, the error does not occur:
> >
> > iptables-restore v1.4.10: Couldn''t load target
> > `%F2'':/usr/local/libexec/xtables/libipt_%F2.so: cannot open
shared object
> > file: No such file or directory
>
> The rules file you sent me contained no COMMENT. I added one before the
> F2 rule but I still see no %F2 in the generated ruleset.
>
> -Tom
Tom

That''s strange I have just looked at the rules file in the attachement
and
there is a COMMENT line in there.

I have attached the config again.

Steven.

 


------------------------------------------------------------------------------
Learn how Oracle Real Application Clusters (RAC) One Node allows customers
to consolidate database storage, standardize their database environment, and, 
should the need arise, upgrade to a full multi-node Oracle RAC database 
without downtime or disruption
http://p.sf.net/sfu/oracle-sfdevnl

On 12/27/10 10:29 AM, Steven Jan Springl wrote:
> 
> That''s strange I have just looked at the rules file in the
attachement and
> there is a COMMENT line in there.
> 
> I have attached the config again.
Thanks Steven,

Please try the attached.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Learn how Oracle Real Application Clusters (RAC) One Node allows customers
to consolidate database storage, standardize their database environment, and, 
should the need arise, upgrade to a full multi-node Oracle RAC database 
without downtime or disruption
http://p.sf.net/sfu/oracle-sfdevnl

On Monday 27 December 2010 18:54:17 Tom Eastep wrote:
> On 12/27/10 10:29 AM, Steven Jan Springl wrote:
> > That''s strange I have just looked at the rules file in the
attachement
> > and there is a COMMENT line in there.
> >
> > I have attached the config again.
>
> Thanks Steven,
>
> Please try the attached.
>
> -Tom
Tom

That''s fixed it. Thanks.

Steven.

------------------------------------------------------------------------------
Learn how Oracle Real Application Clusters (RAC) One Node allows customers
to consolidate database storage, standardize their database environment, and, 
should the need arise, upgrade to a full multi-node Oracle RAC database 
without downtime or disruption
http://p.sf.net/sfu/oracle-sfdevnl

On 12/27/10 3:36 PM, Steven Jan Springl wrote:
> 
> That''s fixed it. Thanks.
Thanks for confirming, Steven. That was actually an existing issue
regarding optimization.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Learn how Oracle Real Application Clusters (RAC) One Node allows customers
to consolidate database storage, standardize their database environment, and, 
should the need arise, upgrade to a full multi-node Oracle RAC database 
without downtime or disruption
http://p.sf.net/sfu/oracle-sfdevnl

Tom

In the attached minimal config. action F1 calls action F2 and action F2 calls 
action F1. This results in the "Optimizing Ruleset" phase going into
an
endless loop.

Steven.


------------------------------------------------------------------------------
Learn how Oracle Real Application Clusters (RAC) One Node allows customers
to consolidate database storage, standardize their database environment, and, 
should the need arise, upgrade to a full multi-node Oracle RAC database 
without downtime or disruption
http://p.sf.net/sfu/oracle-sfdevnl

On 12/27/10 4:12 PM, Steven Jan Springl wrote:
> Tom
> 
> In the attached minimal config. action F1 calls action F2 and action F2
calls
> action F1. This results in the "Optimizing Ruleset" phase going
into an
> endless loop.
The attached patch catches this.

Thanks,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Learn how Oracle Real Application Clusters (RAC) One Node allows customers
to consolidate database storage, standardize their database environment, and, 
should the need arise, upgrade to a full multi-node Oracle RAC database 
without downtime or disruption
http://p.sf.net/sfu/oracle-sfdevnl

On Tuesday 28 December 2010 00:31:06 Tom Eastep wrote:
> On 12/27/10 4:12 PM, Steven Jan Springl wrote:
> > Tom
> >
> > In the attached minimal config. action F1 calls action F2 and action
F2
> > calls action F1. This results in the "Optimizing Ruleset"
phase going
> > into an endless loop.
>
> The attached patch catches this.
>
> Thanks,
> -Tom
Tom

It works for me too. Thanks.

Steven.


------------------------------------------------------------------------------
Learn how Oracle Real Application Clusters (RAC) One Node allows customers
to consolidate database storage, standardize their database environment, and, 
should the need arise, upgrade to a full multi-node Oracle RAC database 
without downtime or disruption
http://p.sf.net/sfu/oracle-sfdevnl

Tom

If an action is created with the name of an existing chain eg INPUT, OUTPUT, 
FORWARD or a Shorewall created chain eg tst2lan and a rule calls that action, 
the following message is produced:

ERROR: Internal error in Shorewall::Chains::new_chain 
at /usr/share/shorewall/Shorewall/Chains.pm line 1063 : /etc/shorewall5/rules 
(line 15)

The attached config. contains an example.

Steven.




------------------------------------------------------------------------------
Learn how Oracle Real Application Clusters (RAC) One Node allows customers
to consolidate database storage, standardize their database environment, and, 
should the need arise, upgrade to a full multi-node Oracle RAC database 
without downtime or disruption
http://p.sf.net/sfu/oracle-sfdevnl

On 12/28/10 11:18 AM, Steven Jan Springl wrote:
> If an action is created with the name of an existing chain eg INPUT,
OUTPUT,
> FORWARD or a Shorewall created chain eg tst2lan and a rule calls that
action,
> the following message is produced:
> 
> ERROR: Internal error in Shorewall::Chains::new_chain 
> at /usr/share/shorewall/Shorewall/Chains.pm line 1063 :
/etc/shorewall5/rules
> (line 15)
> 
> The attached config. contains an example.
Please see if the attached patch solves this.

Thanks, Steven

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Learn how Oracle Real Application Clusters (RAC) One Node allows customers
to consolidate database storage, standardize their database environment, and, 
should the need arise, upgrade to a full multi-node Oracle RAC database 
without downtime or disruption
http://p.sf.net/sfu/oracle-sfdevnl

On Tuesday 28 December 2010 19:36:02 Tom Eastep wrote:
> On 12/28/10 11:18 AM, Steven Jan Springl wrote:
> > If an action is created with the name of an existing chain eg INPUT,
> > OUTPUT, FORWARD or a Shorewall created chain eg tst2lan and a rule
calls
> > that action, the following message is produced:
> >
> > ERROR: Internal error in Shorewall::Chains::new_chain
> > at /usr/share/shorewall/Shorewall/Chains.pm line 1063 :
> > /etc/shorewall5/rules (line 15)
> >
> > The attached config. contains an example.
>
> Please see if the attached patch solves this.
>
> Thanks, Steven
>
> -Tom
Tom

That''s fixed it. Thanks.

Steven.

------------------------------------------------------------------------------
Learn how Oracle Real Application Clusters (RAC) One Node allows customers
to consolidate database storage, standardize their database environment, and, 
should the need arise, upgrade to a full multi-node Oracle RAC database 
without downtime or disruption
http://p.sf.net/sfu/oracle-sfdevnl

Tom

In shorewall.conf  BLACKLIST_DISPOSITION can be set to any value not just DROP 
or REJECT. If you set the value to name of any existing iptables chain then 
Shorewall will start without error.

I have attached a config. with an example.

Steven.


------------------------------------------------------------------------------
Learn how Oracle Real Application Clusters (RAC) One Node allows customers
to consolidate database storage, standardize their database environment, and, 
should the need arise, upgrade to a full multi-node Oracle RAC database 
without downtime or disruption
http://p.sf.net/sfu/oracle-sfdevnl

On 12/29/10 3:45 PM, Steven Jan Springl wrote:
> Tom
> 
> In shorewall.conf  BLACKLIST_DISPOSITION can be set to any value not just
DROP
> or REJECT. If you set the value to name of any existing iptables chain then
> Shorewall will start without error.
This patch catches it.

Thanks, Steven

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Learn how Oracle Real Application Clusters (RAC) One Node allows customers
to consolidate database storage, standardize their database environment, and, 
should the need arise, upgrade to a full multi-node Oracle RAC database 
without downtime or disruption
http://p.sf.net/sfu/oracle-sfdevnl

On Thursday 30 December 2010 00:22:56 Tom Eastep wrote:
> This patch catches it.
Tom

Confirmed. Thanks.

Steven.

------------------------------------------------------------------------------
Learn how Oracle Real Application Clusters (RAC) One Node allows customers
to consolidate database storage, standardize their database environment, and, 
should the need arise, upgrade to a full multi-node Oracle RAC database 
without downtime or disruption
http://p.sf.net/sfu/oracle-sfdevnl