Beta 2 is now available for testing. This version completes my planned
consolidation of IPv4/IPv6 and Standard/Lite. At this point:

* There are no remaining IPv6-only code modules
* The only code modules that are unique to the Standard or Lite
  environments are two new ones:
  * lib.cli-std - Used by Shorewall and Shorewall6
  * lib.cli-lite - Used by Shorewall Lite and Shorewall6 Lite

There is one problem corrected:

1) When TC_ENABLED=Shared, CLASSIFY rules could not previously be used
   in the tcrules file. Thanks to a patch from Chris Boot, this now
   works as expected.

New Features:

1) Shorewall now supports the CT target in the Netfilter 'raw' table.
   See 'man shorewall-notrack' for details. The main use of this target
   is described in this paper:

   http://home.regit.org/wp-content/uploads/2011/11/helper-recommandation.pdf

   The paper is a product of the vulnerability described in the 4.4.20
   Shorewall release note which introduced the 'sfilter' facility.

   In the paper, rules such as the following are recommended:

       iptables -A PREROUTING -t raw -p tcp --dport 2121 \
           -d 1.2.3.4 -j CT --helper ftp

   The equivalent entry in /etc/shorewall/notrack would be:

       #ACTION          SOURCE     DEST    PROTO    DEST
       #                                            PORT(S)
       CT:helper:ftp    1.2.3.4    -       tcp      2121

3) The above-referenced paper also advocates careful control of RELATED
   packets. To allow such control, two new options have been introduced
   in shorewall[6].conf:

   - RELATED_DISPOSITION

     May be ACCEPT, A_ACCEPT, A_DROP, A_REJECT, DROP or REJECT. For
     compatibility with earlier releases, the default is ACCEPT. This
     determines what happens to RELATED packets that fail to match any
     rule in the RELATED section of the rules file.

   - RELATED_LOG_LEVEL

     Specifies a level for logging related packets. Default is empty
     which means that no logging occurs.

Thank you for testing,
-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Tom

The following capabilities are being incorrectly flagged as not available in
the 4.4.27 capabilities file:

IPP2P_MATCH
LOGMARK_TARGET
IPMARK_TARGET
ACCOUNT_TARGET
AUDIT_TARGET
CONDITION_MATCH

I have attached capabilities files for 4.4.26 and 4.4.27.

Steven.

On 12/11/11 2:45 PM, Steven Jan Springl wrote:
> Tom
>
> The following capabilities are being incorrectly flagged as not available in
> the 4.4.27 capabilities file:
>
> IPP2P_MATCH
> LOGMARK_TARGET
> IPMARK_TARGET
> ACCOUNT_TARGET
> AUDIT_TARGET
> CONDITION_MATCH
>
> I have attached capabilities files for 4.4.26 and 4.4.27.
>

Steven,

I'm unable to reproduce this failure; my kernel doesn't support
AUDIT_TARGET but the rest are detected properly.

Please look at the code in detect_capabilities() (lib.cli) and try one
of the failing cases manually. If that works, then I'd like to see
traces of the command on both releases.

Thanks,
-Tom

On Sunday 11 Dec 2011 23:23:20 Tom Eastep wrote:
>
> I'm unable to reproduce this failure; my kernel doesn't support
> AUDIT_TARGET but the rest are detected properly.
>
> Please look at the code in detect_capabilities() (lib.cli) and try one
> of the failing cases manually. If that works, then I'd like to see
> traces of the command on both releases.
>
> Thanks,
> -Tom

Tom

I have attached traces for both releases.
From the traces it seems that 4.4.27 is using /sbin/iptables instead of
/usr/local/sbin/iptables.

I have also attached a copy of my shorewall.conf.

Steven.

On 12/11/11 3:23 PM, Tom Eastep wrote:
>
> I'm unable to reproduce this failure; my kernel doesn't support
> AUDIT_TARGET but the rest are detected properly.
>
> Please look at the code in detect_capabilities() (lib.cli) and try one
> of the failing cases manually. If that works, then I'd like to see
> traces of the command on both releases.
>

The 'show capabilities' command, that is.

-Tom

On 12/11/11 4:03 PM, Steven Jan Springl wrote:
>
> I have attached traces for both releases.
> From the traces it seems that 4.4.27 is using /sbin/iptables instead of
> /usr/local/sbin/iptables.
>
> I have also attached a copy of my shorewall.conf.

Thanks, Steven

The reason mine worked and yours didn't is that /usr/local/sbin/ appears
first in my PATH.

Patch is attached.

-Tom

On Monday 12 Dec 2011 00:23:28 Tom Eastep wrote:
> On 12/11/11 4:03 PM, Steven Jan Springl wrote:
> > I have attached traces for both releases.
> > From the traces it seems that 4.4.27 is using /sbin/iptables instead of
> > /usr/local/sbin/iptables.
> >
> > I have also attached a copy of my shorewall.conf.
>
> Thanks, Steven
>
> The reason mine worked and yours didn't is that /usr/local/sbin/ appears
> first in my PATH.
>
> Patch is attached.
>
> -Tom

Tom

Confirmed, the patch corrects the issue.

Thanks.

Steven.

On 12/11/11 4:35 PM, Steven Jan Springl wrote:
>
> Confirmed, the patch corrects the issue.
>

Thanks, Steven

-Tom
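
The failure diagnosed in this thread came from capability detection running a different iptables binary than the expected one, depending on PATH order. The following is an added example, not Shorewall code and not the attached patch: it lists every binary of a given name in PATH lookup order and compares the first hit with the path a configuration names. The function names and the fake binaries are constructed for illustration.

```shell
#!/bin/sh
# Added example; the directory tree and fake "iptables" scripts are constructed.

# Print every executable called $1 on the PATH-style string $2, in lookup order.
# The body runs in a subshell so the IFS and globbing changes do not leak out.
find_all_on_path() (
    IFS=:
    set -f
    for dir in $2; do
        [ -n "$dir" ] || dir=.          # an empty PATH element means "."
        if [ -f "$dir/$1" ] && [ -x "$dir/$1" ]; then
            printf '%s\n' "$dir/$1"
        fi
    done
)

# Compare the binary a configuration names ($1) with what PATH ($3) resolves
# for command $2. Returns 0 = agree, 1 = PATH picks another, 2 = $1 unusable.
check_configured_binary() {
    cc_first=$(find_all_on_path "$2" "$3" | head -n 1)
    if [ ! -x "$1" ]; then
        echo "configured $1 is not executable"
        return 2
    fi
    if [ "$cc_first" != "$1" ]; then
        echo "PATH resolves $2 to ${cc_first:-nothing} but configuration names $1"
        return 1
    fi
    echo "PATH and configuration agree on $1"
}

# Constructed demo tree: two fake builds that report different versions.
make_demo_tree() {
    demo_root=$(mktemp -d)
    mkdir -p "$demo_root/sbin" "$demo_root/usr/local/sbin"
    printf '#!/bin/sh\necho "iptables v0.0.1-distro"\n' > "$demo_root/sbin/iptables"
    printf '#!/bin/sh\necho "iptables v0.0.2-local"\n' > "$demo_root/usr/local/sbin/iptables"
    chmod +x "$demo_root/sbin/iptables" "$demo_root/usr/local/sbin/iptables"
    echo "$demo_root"
}

root=$(make_demo_tree)
demo_path="$root/sbin:$root/usr/local/sbin"
find_all_on_path iptables "$demo_path" | while read -r bin; do
    echo "$bin -> $("$bin" --version)"
done
check_configured_binary "$root/usr/local/sbin/iptables" iptables "$demo_path" || true
rm -rf "$root"
```

On a real host, pass "$PATH" and the binary path the firewall configuration is expected to use; more than one line of output from find_all_on_path means detection results can change with PATH order.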