RC 1 is now available for testing.

Problems corrected:

1) Previously, Shorewall did not check the length of the names of
   accounting chains and manual chains. This could result in errors when
   loading the resulting ruleset. Now, the compiler issues an error for
   chain names longer than 29 characters.

   Additionally, the compiler now ensures that these chain names are
   composed only of letters, digits, underscores ('_') and dashes ('-').
   This eliminates Perl runtime errors or other failures when a chain
   name is embedded within a regular expression.

2) Several issues with complex traffic shaping have been resolved:

   a) Specifying IPv6 network addresses in the SOURCE or DEST columns of
      /etc/shorewall6/tcfilters now works correctly. Previously, Perl
      runtime warnings occurred and an invalid tc command was generated.

   b) Previously, if flow= was specified on a parent class, a Perl
      runtime warning occurred and an invalid tc command was generated.
      This combination is now flagged as an error at compile time.

   c) There is now an IPv6 tcfilters skeleton included with Shorewall6.

3) Several issues with accounting are corrected.

   a) If an accounting rule of the form:

          chain1   chain2

      was configured and neither chain was referenced again in the
      configuration, then an internal error was generated when optimize
      level 4 was selected and OPTIMIZE_ACCOUNTING=Yes.

   b) If there was only a single accounting rule and that rule specified
      an interface in the SOURCE or DEST columns, then the generated
      ruleset would fail to load when OPTIMIZE_ACCOUNTING=Yes.

   c) If a per-IP accounting table name appeared in more than one rule
      and the specified network was not the same in all occurrences,
      then the generated ruleset would fail to load. This is now flagged
      as an error at compile time.

New Features:

1) A 'show ipa' command has been added to /sbin/shorewall. It displays
   each per-IP accounting table.

Thank you for testing,
-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________

------------------------------------------------------------------------------
The modern datacenter depends on network connectivity to access resources
and provide services. The best practices for maximizing a physical server's
connectivity to a physical network are well understood - see how these
rules translate into the virtual world?
http://p.sf.net/sfu/oracle-sfdevnlfb
Tom

The following accounting rule:

    ACCOUNT(net2lan,192.168.0.0/24)   INPUT   eth0   eth1

produces the following error messages:

    iptables v1.4.10: Can't use -o with INPUT
    ERROR: Command "/usr/local/sbin/iptables -A INPUT -i eth0 -o eth1 -j ACCOUNT --addr 192.168.0.0/24 --tname net2lan" Failed

-----------------------------------------------------------------------------------------------------------------

The following accounting rule:

    ACCOUNT(net2lan,192.168.0.0/24)   OUTPUT   eth0   eth1

produces the following error messages:

    iptables v1.4.10: Can't use -i with OUTPUT
    ERROR: Command "/usr/local/sbin/iptables -A OUTPUT -i eth0 -o eth1 -j ACCOUNT --addr 192.168.0.0/24 --tname net2lan" Failed

----------------------------------------------------------------------------------------------------------------

The following accounting rule:

    ACCOUNT(net2lan,192.168.0.0/24)   -   eth0:~01-01-01-01-01-01   eth1

produces the following error messages:

    iptables: Invalid argument. Run `dmesg' for more information.
    ERROR: Command "/usr/local/sbin/iptables -A accounting -i eth0 -o eth1 --match mac --mac-source 01:01:01:01:01:01 -j ACCOUNT --addr 192.168.0.0/24 --tname net2lan" Failed

dmesg produces the following message:

    [25368.580699] x_tables: ip_tables: mac match: used from hooks INPUT/FORWARD/OUTPUT, but only valid from PREROUTING/INPUT/FORWARD

Steven

------------------------------------------------------------------------------
The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE:
Pinpoint memory and threading errors before they happen.
Find and fix more than 250 security defects in the development cycle.
Locate bottlenecks in serial and parallel code that limit performance.
http://p.sf.net/sfu/intel-dev2devfeb
On 2/7/11 3:02 PM, Steven Jan Springl wrote:
> Tom
>
> The following accounting rule:
>
> ACCOUNT(net2lan,192.168.0.0/24) INPUT eth0 eth1
>
> produces the following error messages:
>
> iptables v1.4.10: Can't use -o with INPUT
>
> ERROR: Command "/usr/local/sbin/iptables -A INPUT -i eth0 -o eth1 -j
> ACCOUNT --addr 192.168.0.0/24 --tname net2lan" Failed
>
> -----------------------------------------------------------------------------------------------------------------
>
> The following accounting rule:
>
> ACCOUNT(net2lan,192.168.0.0/24) OUTPUT eth0 eth1
>
> produces the following error messages:
>
> iptables v1.4.10: Can't use -i with OUTPUT
>
> ERROR: Command "/usr/local/sbin/iptables -A OUTPUT -i eth0 -o eth1 -j
> ACCOUNT --addr 192.168.0.0/24 --tname net2lan" Failed
>
> ----------------------------------------------------------------------------------------------------------------

Those two are caught by b4b59119efc1499f823cb02f364b8049b61108f9.

> The following accounting rule:
>
> ACCOUNT(net2lan,192.168.0.0/24) - eth0:~01-01-01-01-01-01 eth1
>
> produces the following error messages:
>
> iptables: Invalid argument. Run `dmesg' for more information.
>
> ERROR: Command "/usr/local/sbin/iptables -A accounting -i eth0 -o eth1 --match
> mac --mac-source 01:01:01:01:01:01 -j ACCOUNT --addr 192.168.0.0/24 --tname
> net2lan" Failed
>
> dmesg produces the following message:
>
> [25368.580699] x_tables: ip_tables: mac match: used from hooks
> INPUT/FORWARD/OUTPUT, but only valid from PREROUTING/INPUT/FORWARD
>

I'm still trying to understand how I want to fix that.

-Tom
On 2/7/11 4:53 PM, Tom Eastep wrote:
> On 2/7/11 3:02 PM, Steven Jan Springl wrote:
>> The following accounting rule:
>>
>> ACCOUNT(net2lan,192.168.0.0/24) - eth0:~01-01-01-01-01-01 eth1
>>
>> produces the following error messages:
>>
>> iptables: Invalid argument. Run `dmesg' for more information.
>>
>> ERROR: Command "/usr/local/sbin/iptables -A accounting -i eth0 -o eth1 --match
>> mac --mac-source 01:01:01:01:01:01 -j ACCOUNT --addr 192.168.0.0/24 --tname
>> net2lan" Failed
>>
>> dmesg produces the following message:
>>
>> [25368.580699] x_tables: ip_tables: mac match: used from hooks
>> INPUT/FORWARD/OUTPUT, but only valid from PREROUTING/INPUT/FORWARD
>>

I've decided to take a big stick to this one. Patch attached.

Thanks, Steven

-Tom
Tom

I can confirm that both patches work.

-----------------------------------------------------------

Each of the following accounting rules:

    ACCOUNT(net2lan,192.168.0.0/24)   ACCEPT   eth0   eth1
    ACCOUNT(net2lan,192.168.0.0/24)   DROP     eth0   eth1
    ACCOUNT(net2lan,192.168.0.0.24)   REJECT   eth0   eth1

produces the following error message:

    ERROR: Internal error in Shorewall::Chains::new_chain at /usr/share/shorewall/Shorewall/Chains.pm line 1067 : /etc/shorewallER/accounting (line 17)

Steven.
Tom

The following accounting rules also produce the error:

    ACCOUNT(net2lan,192.168.0.0/24)   LOG     eth0   eth1
    ACCOUNT(net2lan,192.168.0.0/24)   NFLOG   eth0   eth1

Steven.
On 2/8/11 3:24 PM, Steven Jan Springl wrote:
> Tom
>
> The following accounting rules also produces the error:
>
> ACCOUNT(net2lan,192.168.0.0/24) LOG eth0 eth1
> ACCOUNT(net2lan,192.168.0.0/24) NFLOG eth0 eth1

The attached patch should catch all such issues.

-Tom
On Tuesday 08 February 2011 23:39:56 Tom Eastep wrote:
> On 2/8/11 3:24 PM, Steven Jan Springl wrote:
> > Tom
> >
> > The following accounting rules also produces the error:
> >
> > ACCOUNT(net2lan,192.168.0.0/24) LOG eth0 eth1
> > ACCOUNT(net2lan,192.168.0.0/24) NFLOG eth0 eth1
>
> The attached patch should catch all such issues.
>
> -Tom

Tom

It catches all of them except:

    ACCOUNT(net2lan,192.168.0.0/24)   NFLOG   eth0   eth1

and an additional one:

    ACCOUNT(net2lan,192.168.0.0/24)   RETURN   eth0   eth1

Steven
On 2/8/11 3:53 PM, Steven Jan Springl wrote:
>
> It catches all of them except:
>
> ACCOUNT(net2lan,192.168.0.0/24) NFLOG eth0 eth1
>
> and an additional one:
>
> ACCOUNT(net2lan,192.168.0.0/24) RETURN eth0 eth1

Steven,

Please back out the prior patch and replace it with the attached.

Thanks!
-Tom
On Wednesday 09 February 2011 00:46:57 Tom Eastep wrote:
> On 2/8/11 3:53 PM, Steven Jan Springl wrote:
> > It catches all of them except:
> >
> > ACCOUNT(net2lan,192.168.0.0/24) NFLOG eth0 eth1
> >
> > and an additional one:
> >
> > ACCOUNT(net2lan,192.168.0.0/24) RETURN eth0 eth1
>
> Steven,
>
> Please back out the prior patch and replace it with the attached.
>
> Thanks!
> -Tom

Tom

That patch catches them. However, the following accounting rule:

    ACCOUNT(net2lan,192.168.0.0/24)   PREROUTING   eth0   eth1

produces the following error messages from a 'shorewall start':

    Use of uninitialized value in concatenation (.) or string at /usr/share/shorewall/Shorewall/Chains.pm line 4366.
    iptables-restore v1.4.10: Can't set policy `PREROUTING' on `[0:0]' line 21: Bad built-in chain name

A 'shorewall debug start' produces these additional error messages:

    iptables: Bad built-in chain name.
    ERROR: Command "/usr/local/sbin/iptables :PREROUTING [0:0] " Failed

----------------------------------------------------------------------------------------------------------------

Similarly, the following accounting rule:

    ACCOUNT(net2lan,192.168.0.0/24)   POSTROUTING   eth0   eth1

produces the following error messages from a 'shorewall start':

    Use of uninitialized value in concatenation (.) or string at /usr/share/shorewall/Shorewall/Chains.pm line 4366.
    iptables-restore v1.4.10: Can't set policy `POSTROUTING' on `[0:0]' line 24: Bad built-in chain name

A 'shorewall debug start' produces these additional error messages:

    iptables: Bad built-in chain name.
    ERROR: Command "/usr/local/sbin/iptables :POSTROUTING [0:0] " Failed

Steven.
On 2/8/11 5:21 PM, Steven Jan Springl wrote:
>
> That patch catches them. However the following accounting rule:

I'm not sure that this issue is completely solvable unless I insist that
the Chain name have a lower-case letter, "-", "_" or a digit. The
netfilter developers are free to invent new built-in targets any time
that they wish but they seem to favor names in all caps.

So I'm going to add advice to the accounting manpages and let it go at that.

Thanks, Steven

-Tom
On 2/8/11 5:55 PM, Tom Eastep wrote:
> On 2/8/11 5:21 PM, Steven Jan Springl wrote:
>
>>
>> That patch catches them. However the following accounting rule:
>
> I'm not sure that this issue is completely solvable unless I insist that
> the Chain name have a lower-case letter, "-", "_" or a digit. The
> netfilter developers are free to invent new built-in targets any time
> that they wish but they seem to favor names in all caps.
>
> So I'm going to add advice to the accounting manpages and let it go at that.

Although, I will add this to address your immediate concern.

Thanks again, Steven

-Tom
On Wednesday 09 February 2011 03:07:18 Tom Eastep wrote:
> On 2/8/11 5:55 PM, Tom Eastep wrote:
> > On 2/8/11 5:21 PM, Steven Jan Springl wrote:
> >> That patch catches them. However the following accounting rule:
> >
> > I'm not sure that this issue is completely solvable unless I insist that
> > the Chain name have a lower-case letter, "-", "_" or a digit. The
> > netfilter developers are free to invent new built-in targets any time
> > that they wish but they seem to favor names in all caps.
> >
> > So I'm going to add advice to the accounting manpages and let it go at
> > that.
>
> Although, I will add this to address your immediate concern.
>
> Thanks again, Steven
> -Tom

Tom

I can confirm that the patch works. Thanks.

-------------------------------------------------------------------

When the following accounting rules are specified:

    test   -
    test   test

A shorewall debug restart produces the following error messages:

    iptables: Too many levels of symbolic links.
    ERROR: Command "/usr/local/sbin/iptables -A test -j test" Failed

Steven.
On 2/9/11 12:54 PM, Steven Jan Springl wrote:
>
> When the following accounting rules are specified:
>
> test -
> test test
>
> A shorewall debug restart produces the following error messages:
>
> iptables: Too many levels of symbolic links.
> ERROR: Command "/usr/local/sbin/iptables -A test -j test" Failed
>

This was non-trivial to fix in the general case where the loop involves
an indefinite number of chains. Patch attached.

Thanks, Steven

-Tom
On Wednesday 09 February 2011 23:30:09 Tom Eastep wrote:
> On 2/9/11 12:54 PM, Steven Jan Springl wrote:
> > When the following accounting rules are specified:
> >
> > test -
> > test test
> >
> > A shorewall debug restart produces the following error messages:
> >
> > iptables: Too many levels of symbolic links.
> > ERROR: Command "/usr/local/sbin/iptables -A test -j test" Failed
>
> This was non-trivial to fix in the general case where the loop involves
> an indefinite number of chains. Patch attached.
>
> Thanks, Steven
>
> -Tom

Tom

I can confirm the patch works. Thanks.

Steven.
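The loop Steven reports above ("test -" followed by "test test") and the general case Tom mentions (a loop through an indefinite number of chains), as an added example that is not Shorewall's code: a small Python checker that builds the jump graph from accounting rules and reports the first cycle it finds before anything reaches iptables. It assumes the accounting file layout ACTION CHAIN [SOURCE DEST ...], with '-' in CHAIN meaning the default 'accounting' chain and any ACTION not in a constructed set of built-in targets naming a user chain; the sample rule sets are constructed for the example.

```python
"""Detect jump loops between Shorewall accounting chains.

Added example, not code from Shorewall. It assumes the accounting file
layout ACTION CHAIN [SOURCE DEST ...], where CHAIN '-' means the default
'accounting' chain and an ACTION that is not a known target names a user
chain to jump to. A jump that leads back (directly, or through any number
of other chains) into the chain that contains it is what the kernel
rejects at load time with "iptables: Too many levels of symbolic links".
"""

# ACTION values that are targets rather than chains. Assumption for this
# example only; the compiler's real list is longer.
BUILTIN_ACTIONS = {"COUNT", "DONE", "ACCEPT", "DROP", "REJECT", "RETURN",
                   "LOG", "NFLOG", "ACCOUNT"}
DEFAULT_CHAIN = "accounting"


def parse_accounting(text):
    """Return (chain, action) pairs, skipping blank and comment lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        action = fields[0]
        chain = fields[1] if len(fields) > 1 and fields[1] != "-" else DEFAULT_CHAIN
        rules.append((chain, action))
    return rules


def action_target(action):
    """Return the chain an ACTION jumps to, or None if it is a target.

    ACCOUNT(table,net) and LOG:level carry arguments; only the bare name
    decides whether the action is a jump.
    """
    base = action.split("(", 1)[0].split(":", 1)[0]
    return None if base in BUILTIN_ACTIONS else base


def jump_graph(rules):
    """Map each chain to the set of chains it jumps to."""
    graph = {}
    for chain, action in rules:
        graph.setdefault(chain, set())
        target = action_target(action)
        if target is not None:
            graph.setdefault(target, set())
            graph[chain].add(target)
    return graph


def find_loop(graph):
    """Depth-first search with white/grey/black colouring.

    Returns the cycle as a list of chain names (first == last) or None.
    A grey node reached again is still on the current DFS path, so the
    path from that node to the current node is a loop.
    """
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {c: WHITE for c in graph}
    path = []

    def visit(node):
        colour[node] = GREY
        path.append(node)
        for nxt in sorted(graph[node]):
            if colour[nxt] == GREY:
                return path[path.index(nxt):] + [nxt]
            if colour[nxt] == WHITE:
                found = visit(nxt)
                if found:
                    return found
        path.pop()
        colour[node] = BLACK
        return None

    for start in sorted(graph):
        if colour[start] == WHITE:
            found = visit(start)
            if found:
                return found
    return None


def find_accounting_loop(text):
    """Convenience wrapper: accounting file text -> cycle or None."""
    return find_loop(jump_graph(parse_accounting(text)))


# Constructed sample inputs: the self-jump from the thread, a loop through
# several chains, and a clean configuration.
SELF_LOOP = "test    -\ntest    test\n"
CHAIN_LOOP = "a    -\nb    a\nc    b\na    c\nDONE c\n"
CLEAN = "net2lan  -\nCOUNT    net2lan  eth0  eth1\nDONE     net2lan\n"

if __name__ == "__main__":
    for label, cfg in (("self loop", SELF_LOOP), ("chain loop", CHAIN_LOOP), ("clean", CLEAN)):
        print(label, "->", find_accounting_loop(cfg))
```

Running the block prints `['test', 'test']` for the self-jump, `['a', 'b', 'c', 'a']` for the three-chain loop and `None` for the clean set. The grey/black colouring is what makes the general case cheap: each chain is visited once, so the check stays linear in the number of rules however long the loop is.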
On 2/9/11 4:12 PM, Steven Jan Springl wrote:
>
> I can confirm the patch works. Thanks.
>

Thanks, Steven

Do you plan to do additional testing of 4.4.17-RC1?

-Tom
On Thursday 10 February 2011 00:44:30 Tom Eastep wrote:
> On 2/9/11 4:12 PM, Steven Jan Springl wrote:
> > I can confirm the patch works. Thanks.
>
> Thanks, Steven
>
> Do you plan to do additional testing of 4.4.17-RC1?
>
> -Tom

Tom

There is only one outstanding issue that I know of.

There are still a large number of iptables targets (CHECKSUM, CLASSIFY,
CONNSECMARK etc.) that, if specified as the chain name in an accounting
rule, will cause an iptables-restore error.

If you are happy to live with this situation then my testing of
4.4.167-RC1 is complete.

If not, I will get a definitive list together for iptables, iptables6 &
xtables-addons.

Steven.
On 2/9/11 5:36 PM, Steven Jan Springl wrote:
>> Do you plan to do additional testing of 4.4.17-RC1?
> There is only one oustanding issue that I know of.
>
> There are still a large number of iptables targets (CHECKSUM, CLASSIFY,
> CONNSECMARK etc) that if specified as the chain name in an accounting rule
> will cause an iptables-restore error.
>
> If you are happy to live with this situation then my testing of 4.4.167-RC1 is
> complete.
>
> If not, I will get a defintive list together for iptables, iptables6 &
> xtables-addons.

As I mentioned earlier, the Netfilter team are always busy inventing new
targets; so we'll never be foolproof on all systems. I've updated the
accounting manpages with advice to include lower-case, digits, '-' or '_'
in accounting chain names. I think that is enough.

Thanks!
-Tom
On 2/9/11 5:42 PM, Tom Eastep wrote:
>
> As I mentioned earlier, the Netfilter team are always busy inventing new
> targets; so we'll never be foolproof on all systems. I've updated the
> accounting manpages with advice to include lower-case, digits, '-' or
> '_' in accounting chain names. I think that is enough.
>

FWIW, I've committed the attached patch for 4.4.18.

Thanks again, Steven, for all of your help.

-Tom
On Thursday 10 February 2011 21:10:03 Tom Eastep wrote:
> On 2/9/11 5:42 PM, Tom Eastep wrote:
> > As I mentioned earlier, the Netfilter team are always busy inventing new
> > targets; so we'll never be foolproof on all systems. I've updated the
> > accounting manpages with advice to include lower-case, digits, '-' or
> > '_' in accounting chain names. I think that is enough.
>
> FWIW, I've commited the attached patch for 4.4.18.
>
> Thanks again, Steven, for all of your help.
> -Tom

Tom

There are some additional ip(6)tables targets not included in your patch:

    CHECKSUM
    CT
    IDLETIMER
    RATEEST (this was listed as RATTEST in your patch)
    TCPMSS
    TEE
    TPROXY

There are also the following xtables-addons targets:

    ACCOUNT
    CHAOS
    DELUDE
    DHCPMAC
    ECHO
    IPMARK
    LOGMARK
    RAWDNAT
    RAWSNAT
    STEAL
    SYSRQ
    TARPIT

I have attached a patch to add these targets to Chains.pm

Steven.
On 2/11/11 5:01 PM, Steven Jan Springl wrote:
>
> I have attached a patch to add these targets to Chains.pm
>

Applied. Thanks, Steven

-Tom
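The chain-name rules this thread converged on, gathered into one checker as an added example (not Shorewall's code and not the compiler's actual validation): the RC1 limits from the release announcement (at most 29 characters; letters, digits, '_' and '-' only), rejection of the built-in chain names that surfaced as bugs (INPUT, OUTPUT, PREROUTING, POSTROUTING), rejection of the target names Steven and Tom list, and Tom's manpage advice that a name should contain a lower-case letter, a digit, '-' or '_' so it can never be mistaken for an all-caps target that does not exist yet. The target set is the subset named on this page, not a complete list, and the sample names are constructed.

```python
"""Lint Shorewall accounting chain names.

Added example, not Shorewall's code. It applies the checks the thread
converged on: the 4.4.17 compiler limits (at most 29 characters; letters,
digits, '_' and '-' only), rejection of built-in chain names, rejection of
the target names listed in the thread, and the manpage advice that a name
should contain a lower-case letter, a digit, '-' or '_' so that it can
never collide with an all-caps netfilter target that may not exist yet.
"""
import re

MAX_CHAIN_NAME = 29
NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")
BUILTIN_CHAINS = {"INPUT", "OUTPUT", "FORWARD", "PREROUTING", "POSTROUTING"}
# Target names mentioned in the thread; a constructed subset, not the full
# list of targets a given kernel and xtables-addons build provide.
KNOWN_TARGETS = {
    "ACCEPT", "DROP", "REJECT", "RETURN", "LOG", "NFLOG",
    "CHECKSUM", "CLASSIFY", "CONNSECMARK", "CT", "IDLETIMER", "RATEEST",
    "TCPMSS", "TEE", "TPROXY",
    "ACCOUNT", "CHAOS", "DELUDE", "DHCPMAC", "ECHO", "IPMARK", "LOGMARK",
    "RAWDNAT", "RAWSNAT", "STEAL", "SYSRQ", "TARPIT",
}


def check_chain_name(name):
    """Return a list of (level, message) tuples; an empty list means OK.

    'error' entries correspond to what the compiler rejects; the single
    'warning' is the manpage advice, needed because no reserved-name list
    can ever be complete.
    """
    problems = []
    if len(name) > MAX_CHAIN_NAME:
        problems.append(("error", f"longer than {MAX_CHAIN_NAME} characters"))
    if not NAME_RE.match(name):
        problems.append(("error", "only letters, digits, '_' and '-' are allowed"))
        return problems  # nothing further is meaningful for such a name
    if name in BUILTIN_CHAINS:
        problems.append(("error", f"{name} is a built-in chain"))
    elif name in KNOWN_TARGETS:
        problems.append(("error", f"{name} is an iptables target, not a chain"))
    elif not re.search(r"[a-z0-9_-]", name):
        problems.append(("warning",
                         "all-caps name may collide with a future target; "
                         "include a lower-case letter, digit, '-' or '_'"))
    return problems


def lint_names(names):
    """Check each name and return {name: problems} in input order."""
    return {name: check_chain_name(name) for name in names}


# Constructed sample: names from the thread plus a couple of edge cases.
SAMPLE_NAMES = ["net2lan", "INPUT", "TARPIT", "MYCHAIN", "a" * 30, "bad.name"]

if __name__ == "__main__":
    for name, problems in lint_names(SAMPLE_NAMES).items():
        status = "ok" if not problems else "; ".join(f"{lvl}: {msg}" for lvl, msg in problems)
        print(f"{name:32} {status}")
```

The split between errors and the one warning mirrors the thread's conclusion: the compiler can reject the names it knows about, but only a naming convention protects against targets that netfilter or xtables-addons add later.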