Hi -

I have an issue in shorewall6 using a provider with the "local" option - the intended use is ipv6 TPROXY for squid.

The providers entry is:

Squid 1 1 - lo - local

When starting shorewall6, the compiled rule attempts to a route for 0.0.0.0/0 - however ip6tables rejects this as an invalid address. Looking at Shorewall/Providers.pm, 0.0.0.0/0 is hardcoded as the global address.

I avoided the issue by adding an alternative Providers.pm with the address as ::0/0, and making the shorewall6 script refer to a copy of compiler.pl with adjusted include path to prefer this version. This isn't particularly pretty as a fix!

This was found on 4.4.17 (Debian wheezy's), but it looks to me like it is also in 4.4.18-Beta1.

I don't know what the best proper fix would be. If this is an isolated example of ipv4/ipv6 compatibility trouble, then perhaps the global address could be supplied from the shorewall/shorewall6 scripts themselves, per the iptables command. If it isn't, possibly a neater version of the include path selection I used would be better. If there is a consensus, I could concoct an appropriate patch.

Regards,
Dominic

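As an added illustration of the failure reported above (not part of the thread and not Shorewall code): a Python check that flags address literals of the wrong family in generated policy-routing commands. The command strings, the mark/table value 1 and all function names are assumptions constructed for this example.

```python
import ipaddress

def all_addresses(family):
    """'Match everything' network for address family 4 or 6."""
    if family == 4:
        return "0.0.0.0/0"
    if family == 6:
        return "::/0"
    raise ValueError("family must be 4 or 6")

def local_provider_commands(family, mark, table, dev="lo"):
    """Constructed stand-in for the routing setup a TPROXY 'local' provider
    needs: deliver marked packets locally via a dedicated table."""
    ip = "ip -%d" % family
    return [
        "%s rule add fwmark %d lookup %d" % (ip, mark, table),
        "%s route add local %s dev %s table %d"
        % (ip, all_addresses(family), dev, table),
    ]

def family_mismatches(script, family):
    """Return (line_number, token) for every address literal whose IP
    version differs from the family the script is generated for."""
    findings = []
    for lineno, line in enumerate(script.splitlines(), start=1):
        for token in line.split():
            # Cheap pre-filter: skips marks, table ids and plain keywords.
            if "." not in token and ":" not in token:
                continue
            try:
                net = ipaddress.ip_network(token, strict=False)
            except ValueError:
                continue  # e.g. a VLAN name such as eth0.10
            if net.version != family:
                findings.append((lineno, token))
    return findings

# Constructed sample reproducing the reported symptom: an IPv4 literal
# inside a script generated for IPv6.
BROKEN_V6_SCRIPT = """\
ip -6 rule add fwmark 1 lookup 1
ip -6 route add local 0.0.0.0/0 dev lo table 1
"""

if __name__ == "__main__":
    print(family_mismatches(BROKEN_V6_SCRIPT, 6))
    fixed = "\n".join(local_provider_commands(6, 1, 1))
    print(fixed, family_mismatches(fixed, 6))
```
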
On 2/13/11 5:48 AM, Dominic Benson wrote:

> I don't know what the best proper fix would be. If this is an isolated
> example of ipv4/ipv6 compatibility trouble, then perhaps the global
> address could be supplied from the shorewall/shorewall6 scripts
> themselves, per the iptables command. If it isn't, possibly a neater
> version of the include path selection I used would be better. If there
> is a consensus, I could concoct an appropriate patch.

The attached patch should fix you up.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

On 13 Feb 2011, at 16:08, Tom Eastep wrote:

> On 2/13/11 5:48 AM, Dominic Benson wrote:
>
>> I don't know what the best proper fix would be. If this is an isolated
>> example of ipv4/ipv6 compatibility trouble, then perhaps the global
>> address could be supplied from the shorewall/shorewall6 scripts
>> themselves, per the iptables command. If it isn't, possibly a neater
>> version of the include path selection I used would be better. If there
>> is a consensus, I could concoct an appropriate patch.
>
> The attached patch should fix you up.

Thanks. I didn't notice that sub; that tweak is considerably cleaner than mine!

> -Tom
> --
> Tom Eastep        \ When I die, I want to go like my Grandfather who
> Shoreline,         \ died peacefully in his sleep. Not screaming like
> Washington, USA     \ all of the passengers in his car
> http://shorewall.net \________________________________________________

On 2/13/11 12:54 PM, Dominic Benson wrote:

> On 13 Feb 2011, at 16:08, Tom Eastep wrote:
>
>> On 2/13/11 5:48 AM, Dominic Benson wrote:
>>
>>> I don't know what the best proper fix would be. If this is an isolated
>>> example of ipv4/ipv6 compatibility trouble, then perhaps the global
>>> address could be supplied from the shorewall/shorewall6 scripts
>>> themselves, per the iptables command. If it isn't, possibly a neater
>>> version of the include path selection I used would be better. If there
>>> is a consensus, I could concoct an appropriate patch.
>>
>> The attached patch should fix you up.
>
> Thanks. I didn't notice that sub; that tweak is considerably cleaner than mine!

Let me know if you find other problems. I've not installed the IPv6 TPROXY patches so I haven't even documented its options in the Shorewall6 manpages.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________