Hi,

today I tried out the new IPv6 support in the new 4.2.4 and it seems to work well in most parts (although I didn't test it thoroughly yet). Nice work, and at the right time since we are starting to implement IPv6 here right now :-)

However, I found (and partially fixed) some minor problems with it.

1. "routestopped" doesn't work at all
-------------------------------------

It looks as if the perl compiler doesn't yet correctly support IPv6 in the routestopped config file. I tried different syntaxes, with and without "<>" around the address. In the case with "<>" it complains about an invalid IPv6 address, in the other case it looks as if it tries to resolve the first part of the address (up to the first ":") as a hostname and complains that it can't find the host.

I didn't dig deeper into this problem since it isn't critical for me at the moment.

2. "shorewall6 safe-*" doesn't work
-----------------------------------

Due to some errors in lib.cli, the old ip6tables rules aren't saved in the first place when trying safe-start or safe-restart. These are fixed in the first attached patch (shorewall6-4.2.4-fixes.patch, against shorewall6 package).

Also, after applying the fix, another problem surfaces. The "real" rules are correctly restored when answering "n" to the question, however the special "shorewall" chain is not restored, so shorewall6 thinks it isn't running from thereon, and a second "safe-restart" doesn't save the rules anymore (and subsequently runs "shorewall6 clear" when answering "n"). This is due to the compiler erroneously emitting "$IPTABLES_RESTORE" instead of "$IP6TABLES_RESTORE" into the restore script. This problem is fixed with the second patch (shorewall-perl-4.2.4-ipv6fixes.patch, against shorewall-perl package).

Andreas
--
Andreas Ferber | MarcanT Internet-Services GmbH
Systemadministration | Ravensberger Str. 10G, D-33602 Bielefeld
aferber@marcant.net | Geschaeftsfuehrer: Thorsten Hojas
USt-ID Nr.: DE 190203238 | Handelsregister: Amtsgericht Bielefeld, HRB 35 827
___________________________________________________________
CONFIDENTIALITY NOTICE
The contents of this email are confidential to the ordinary user of the email address to which it was addressed and may also be privileged. If you are not the addressee of this email you may not copy, forward, disclose or otherwise use it or any part of it in any form whatsoever. If you have received this email in error please email the sender by replying to this message.

------------------------------------------------------------------------------
Andreas Ferber wrote:
> Hi,
>
> today I tried out the new IPv6 support in the new 4.2.4 and it seems
> to work well in most parts (although I didn't test it thoroughly yet).
> Nice work, and at the right time since we are starting to implement
> IPv6 here right now :-)
>
> However, I found (and partially fixed) some minor problems with it.
>
> 1. "routestopped" doesn't work at all
> -------------------------------------
>
> It looks as if the perl compiler doesn't yet correctly support IPv6 in
> the routestopped config file. I tried different syntaxes, with and
> without "<>" around the address. In the case with "<>" it complains
> about an invalid IPv6 address, in the other case it looks as if it
> tries to resolve the first part of the address (up to the first ":")
> as a hostname and complains that it can't find the host.
>
> I didn't dig deeper into this problem since it isn't critical for me
> at the moment.

I can't reproduce this problem; routestopped works fine for me. Can you give us some examples of the failures that you are seeing?

>
> 2. "shorewall6 safe-*" doesn't work
> -----------------------------------
>
> Due to some errors in lib.cli, the old ip6tables rules aren't saved in
> the first place when trying safe-start or safe-restart. These are
> fixed in the first attached patch (shorewall6-4.2.4-fixes.patch,
> against shorewall6 package).
>
> Also, after applying the fix, another problem surfaces. The "real"
> rules are correctly restored when answering "n" to the question,
> however the special "shorewall" chain is not restored, so shorewall6
> thinks it isn't running from thereon, and a second "safe-restart"
> doesn't save the rules anymore (and subsequently runs "shorewall6
> clear" when answering "n"). This is due to the compiler erroneously
> emitting "$IPTABLES_RESTORE" instead of "$IP6TABLES_RESTORE" into the
> restore script. This problem is fixed with the second patch
> (shorewall-perl-4.2.4-ipv6fixes.patch, against shorewall-perl package).
>

Applied -- thanks.

------------------------------------------------------------------------------
On Wed, Dec 31, 2008 at 08:17:35AM -0800, Shorewall Guy wrote:
> >
> > 1. "routestopped" doesn't work at all
> > -------------------------------------
> >
> > It looks as if the perl compiler doesn't yet correctly support IPv6 in
> > the routestopped config file. I tried different syntaxes, with and
> > without "<>" around the address. In the case with "<>" it complains
> > about an invalid IPv6 address, in the other case it looks as if it
> > tries to resolve the first part of the address (up to the first ":")
> > as a hostname and complains that it can't find the host.
> >
> > I didn't dig deeper into this problem since it isn't critical for me
> > at the moment.
> I can't reproduce this problem; routestopped works fine for me. Can you
> give us some examples of the failures that you are seeing?

Further testing reveals that this seems to only apply to lines that have the "critical" option set. The following line:

------------
eth3 2a00:f88:ffff:ffff::/64 critical
------------

yields this (last lines of "shorewall6 check"):

------------
Checking /etc/shorewall6/routestopped for critical hosts...
ERROR: Unknown Host (2a00)
------------

With a single host instead of a prefix, the error is the same. If I remove the "critical", it seems to work fine.

Andreas
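The following Python example is added here as an illustration; it is not part of the thread and is not Shorewall's code. It shows why cutting the host entry at the first ":" produces the "2a00" seen in the error above, and how a routestopped host entry can be validated as an IPv6 address or prefix without any name lookup. The function names are hypothetical, and the sample lines are constructed from the line quoted in the message, with the third one deliberately malformed.

```python
import ipaddress

# Constructed sample in the "INTERFACE HOST(S) OPTIONS" layout quoted above;
# the third line is deliberately malformed.
SAMPLE = """\
eth3 2a00:f88:ffff:ffff::/64 critical
eth3 <2a00:f88:ffff:ffff::1> critical
eth3 2a00:f88:ffff:ffff::zz/64 critical
"""

def cut_at_first_colon(host):
    """Reproduce the reported symptom: text before the first ':' taken as a name."""
    return host.split(":", 1)[0]

def parse_host(host):
    """Parse one HOST(S) entry as an IPv6 address or prefix without any DNS lookup."""
    if host.startswith("<") and host.endswith(">"):
        host = host[1:-1]  # the "<>" form mentioned in the thread
    return ipaddress.IPv6Network(host, strict=False)

def check_routestopped(text):
    """Return (line number, interface, network or None, critical?) per host entry."""
    results = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2 or fields[1] == "-":
            continue  # blank line, comment, or no host restriction
        options = fields[2].split(",") if len(fields) > 2 else []
        for host in fields[1].split(","):
            try:
                net = str(parse_host(host))
            except ValueError:
                net = None  # not a valid IPv6 address or prefix
            results.append((lineno, fields[0], net, "critical" in options))
    return results

if __name__ == "__main__":
    print(cut_at_first_colon("2a00:f88:ffff:ffff::/64"))
    for row in check_routestopped(SAMPLE):
        print(row)
```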
------------------------------------------------------------------------------
Andreas Ferber wrote:
>
> Further testing reveals that this seems to only apply to lines that
> have the "critical" option set.
>

Please see if the attached patch corrects the problem.

------------------------------------------------------------------------------
Hi,

On Wed, Dec 31, 2008 at 08:52:54PM -0800, Shorewall Guy wrote:
> Andreas Ferber wrote:
> >
> > Further testing reveals that this seems to only apply to lines that
> > have the "critical" option set.
> Please see if the attached patch corrects the problem.

Yes, that does the trick. Thanks for fixing problems so fast :-)

Andreas

------------------------------------------------------------------------------