Given that RC 1 had serious out-of-the-box defects, I have uploaded RC 2:

1) The various conntrack-state actions (New, Established, etc.) now
   compile without error.

2) The logic that attempts to suppress state-related rules that cannot
   match has been corrected.

3) The logic for combining adjacent rules that differ only in the
   'conntrack' states has been corrected.

Thank you for testing,
-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Tom

Using the same config. as for RC1 the following message is produced:

ERROR: syntax error at /usr/share/shorewall/action.Untracked line 47, near ") {"

Steven.
On 02/04/2013 09:01 AM, Steven Jan Springl wrote:
> Tom
>
> Using the same config. as for RC1 the following message is produced:
>
> ERROR: syntax error at /usr/share/shorewall/action.Untracked line 47, near ") {"
>

Yep -- I inadvertently omitted 'Intracked' from my new Action test.

Patch attached.

Thanks Steven,
-Tom
On 02/04/2013 09:57 AM, Tom Eastep wrote:
> Yep -- I inadvertently omitted 'Intracked' from my new Action test.

s/Intracked/Untracked/

-Tom
On Monday 04 Feb 2013 17:57:53 Tom Eastep wrote:
> On 02/04/2013 09:01 AM, Steven Jan Springl wrote:
> > Tom
> >
> > Using the same config. as for RC1 the following message is produced:
> >
> > ERROR: syntax error at /usr/share/shorewall/action.Untracked line 47,
> > near ") {"
>
> Yep -- I inadvertently omitted 'Intracked' from my new Action test.
> Patch attached.
>
> Thanks Steven,
> -Tom

Tom

Confirmed, the patch fixes the issue.

Thanks.

Steven.
Tom

The attached config. generates the following iptables rules:

(1) -A lan-fw -m conntrack --ctstate NEW,INVALID,UNTRACKED -j dynamic
(2) -A lan-fw -m conntrack --ctstate ESTABLISHED -j ACCEPT
(3) -A lan-fw -m conntrack --ctstate RELATED -g A_ACCEPT
(4) -A lan-fw -m conntrack --ctstate INVALID -g _lan-fw
(5) -A lan-fw -m conntrack --ctstate UNTRACKED -g &lan-fw
(6) -A lan-fw -p 17 --dport 123 -m conntrack --ctstate INVALID -m hashlimit --hashlimit-upto 4/sec --hashlimit-burst 8 --hashlimit-name lograte --hashlimit-mode dstip -j LOG --log-level 4 --log-prefix "Shorewall:lanfw:LOG:"
(7) -A lan-fw -g all-all

Shorewall rule:

Invalid(LOG:warn) lan fw udp 123

produces iptables rule (6) above.

As iptables rule (4) uses -g to branch to _lan-fw, when the _lan-fw chain
finishes iptables will return to the INPUT chain and not lan-fw so iptables
rule (6) will not be executed.

I have specified INVALID_DISPOSITION=CONTINUE

If any of the "PACKET DISPOSITION" parameters in shorewall.conf is set to
CONTINUE, shouldn't '-j' be used instead of '-g' in the generated iptables
rule?

Steven.
On 02/04/2013 02:53 PM, Steven Jan Springl wrote:
> Tom
>
> The attached config. generates the following iptables rules:
>
> (1) -A lan-fw -m conntrack --ctstate NEW,INVALID,UNTRACKED -j dynamic
> (2) -A lan-fw -m conntrack --ctstate ESTABLISHED -j ACCEPT
> (3) -A lan-fw -m conntrack --ctstate RELATED -g A_ACCEPT
> (4) -A lan-fw -m conntrack --ctstate INVALID -g _lan-fw
> (5) -A lan-fw -m conntrack --ctstate UNTRACKED -g &lan-fw
> (6) -A lan-fw -p 17 --dport 123 -m conntrack --ctstate INVALID -m hashlimit
> --hashlimit-upto 4/sec --hashlimit-burst 8 --hashlimit-name lograte
> --hashlimit-mode dstip -j LOG --log-level 4 --log-prefix "Shorewall:lanfw:LOG:"
> (7) -A lan-fw -g all-all
>
> Shorewall rule:
>
> Invalid(LOG:warn) lan fw udp 123
>
> produces iptables rule (6) above.
>
> As iptables rule (4) uses -g to branch to _lan-fw, when the _lan-fw chain
> finishes iptables will return to the INPUT chain and not lan-fw so iptables
> rule (6) will not be executed.
>
> I have specified INVALID_DISPOSITION=CONTINUE
>
> If any of the "PACKET DISPOSITION" parameters in shorewall.conf is set to
> CONTINUE, shouldn't '-j' be used instead of '-g' in the generated iptables
> rule?

It should indeed; good catch!

Patch attached.

Thanks Steven,
-Tom
On 02/04/2013 03:10 PM, Tom Eastep wrote:
>>
>> I have specified INVALID_DISPOSITION=CONTINUE
>>
>> If any of the "PACKET DISPOSITION" parameters in shorewall.conf is set to
>> CONTINUE, shouldn't '-j' be used instead of '-g' in the generated iptables
>> rule?
>
> It should indeed; good catch!
>
> Patch attached.
>

Even with that patch, a RETURN rule in the target chain won't work
correctly with 'g'. The attached patch (which should be applied after
PATCH 3) unconditionally uses '-j' in these rules.

-Tom
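The -g/-j traversal difference Steven describes, and the RETURN point Tom raises, shown as an added simulation that is not part of the thread or of Shorewall: a toy model of netfilter chain traversal, with the chains reduced to the rules that matter. The INPUT fallback rule, the packet, and the ACCEPT stand-in for the all-all chain are constructed assumptions.

```python
"""Constructed model of iptables -j (jump) vs -g (goto) chain traversal.
Not Shorewall code; it only reproduces the netfilter rule that a chain
entered via -g has no return frame of its own, so a RETURN (or falling off
the end) in that chain resumes in the chain that did the last -j."""
TERMINAL = {"ACCEPT", "DROP"}


def traverse(chains, chain, pkt, log):
    """Walk `chain` for `pkt`; return a terminal verdict, or None when the
    chain RETURNs or runs out of rules. LOG is non-terminal and recorded."""
    for match, how, target in chains[chain]:
        if not all(pkt.get(k) == v for k, v in match.items()):
            continue
        if target == "LOG":
            log.append(chain)             # non-terminal: keep walking
            continue
        if target == "RETURN":
            return None
        if target in TERMINAL:
            return target
        verdict = traverse(chains, target, pkt, log)
        if verdict is not None or how == "-g":
            # -g: the target's RETURN skips past this chain to our caller
            return verdict
    return None


def build(how4):
    """Chains from the thread; rule (4) uses `how4` ('-g' as generated,
    '-j' as patched). _lan-fw is the INVALID state chain, which RETURNs
    because INVALID_DISPOSITION=CONTINUE. INPUT's DROP fallback and the
    ACCEPT stand-in for rule (7)'s all-all chain are constructed."""
    return {
        "INPUT": [({}, "-j", "lan-fw"), ({}, "-j", "DROP")],
        "lan-fw": [
            ({"state": "ESTABLISHED"}, "-j", "ACCEPT"),               # (2)
            ({"state": "INVALID"}, how4, "_lan-fw"),                   # (4)
            ({"proto": 17, "dport": 123, "state": "INVALID"}, "-j", "LOG"),  # (6)
            ({}, "-j", "ACCEPT"),                                      # (7)
        ],
        "_lan-fw": [({}, "-j", "RETURN")],
    }


def run(how4):
    """Return (final verdict, number of LOG hits) for an INVALID udp/123
    packet; with '-g' rule (6) is never reached, with '-j' it is."""
    log = []
    pkt = {"proto": 17, "dport": 123, "state": "INVALID"}   # constructed
    return traverse(build(how4), "INPUT", pkt, log), len(log)
```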
Steven Jan Springl
2013-Feb-04 23:28 UTC
Re: [PATCH 4] Re: [PATCH 3] Re: Shorewall 4.5.13 RC 2
On Monday 04 Feb 2013 23:14:55 Tom Eastep wrote:
> On 02/04/2013 03:10 PM, Tom Eastep wrote:
> >> I have specified INVALID_DISPOSITION=CONTINUE
> >>
> >> If any of the "PACKET DISPOSITION" parameters in shorewall.conf is set to
> >> CONTINUE, shouldn't '-j' be used instead of '-g' in the generated
> >> iptables rule?
> >
> > It should indeed; good catch!
> >
> > Patch attached.
>
> Even with that patch, a RETURN rule in the target chain won't work
> correctly with 'g'. The attached patch (which should be applied after
> PATCH 3) unconditionally uses '-j' in these rules.
>
> -Tom

Tom

Confirmed, the patches have fixed the issue.

Thanks.

Steven.
> Given that RC 1 had serious out-of-the-box defects, I have uploaded RC 2:
>
> 1) The various conntrack-state actions (New,Established,etc.) now
> compile without error.
>
> 2) The logic that attempts to suppress state-related rules that cannot
> match has been corrected.
>
> 3) The logic for combining adjacent rules that differ only in the
> 'conntrack' states has been corrected.
>
> Thank you for testing,
>

Do I take RC2 and then apply UNTRACKED.patch, ACTIONS1.patch, JnotG.patch,
JnotG1.patch and RETURNINSTATECHAIN.patch to do the testing?
On 2/5/13 5:25 AM, "Mr Dash Four" <mr.dash.four@googlemail.com> wrote:
>
>> Given that RC 1 had serious out-of-the-box defects, I have uploaded RC
>> 2:
>>
>> 1) The various conntrack-state actions (New,Established,etc.) now
>> compile without error.
>>
>> 2) The logic that attempts to suppress state-related rules that cannot
>> match has been corrected.
>>
>> 3) The logic for combining adjacent rules that differ only in the
>> 'conntrack' states has been corrected.
>>
>> Thank you for testing,
>>
> Do I take RC2 and then apply UNTRACKED.patch, ACTIONS1.patch,
> JnotG.patch, JnotG1.patch and RETURNINSTATECHAIN.patch to do the testing?

Yes.

-Tom

You do not need a parachute to skydive. You only need a parachute to skydive twice.