thr3ads.net - Shorewall users - Possible problem with OPTIMIZE=1 [Jul 2010]

If this information is useful, please help other people find it:
Share via:

David Rothenberger

2010-Jul-09 19:50 UTC

Possible problem with OPTIMIZE=1

I noticed an issue today where a DROP rule at the top of my rules
was optimized out when OPTIMIZE=1. The rule was a wildcard rule and
I know category 1 optimization does remove those, but it has a
different log level, so I thought it would remain.

This is with shorewall version 4.4.10.3.

Here are the files:
----------------------------------------------------------------------
interfaces:
  net eth0
  loc eth1

zones:
  fw firewall
  net ipv4
  loc ipv4

policy:
  loc net ACCEPT
  net all DROP
  all all REJECT info

rules:
  DROP:info:BL net:1.1.1.1 all tcp smtp
  DNAT net loc:192.168.1.1 tcp smtp
----------------------------------------------------------------------

With OPTIMIZE=0, I get this:

% shorewall compile -v1 -e . - | grep -E ''(net2loc|log1)''
:log1 - [0:0]
:net2loc - [0:0]
-A FORWARD -i eth0 -o eth1 -j net2loc
-A log1 -j LOG --log-level 6 --log-prefix "Shorewall:net2loc:DROP:BL "
-A log1 -j DROP
-A net2loc -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A net2loc -p 6 --dport 25 -s 1.1.1.1 -g log1
-A net2loc -p 6 --dport 25 -d 192.168.1.1 -j ACCEPT
-A net2loc -g net2all

With OPTIMIZE=1, I get this:

% shorewall compile -v1 -e . - | grep net2loc
:net2loc - [0:0]
-A FORWARD -i eth0 -o eth1 -j net2loc
-A net2loc -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A net2loc -p 6 --dport 25 -d 192.168.1.1 -j ACCEPT
-A net2loc -g net2all

The difference is that with OPTIMIZE=0, smtp traffic from 1.1.1.1 is
dropped and logged. With OPTIMIZE=1, it is accepted.

Is this a bug?

-- 
David Rothenberger  ----  daveroth@acm.org

"Paul Lynde to block..."
                -- a contestant on "Hollywood Squares"

------------------------------------------------------------------------------
This SF.net email is sponsored by Sprint
What will you do first with EVO, the first 4G phone?
Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first

Tom Eastep

2010-Jul-10 04:04 UTC

head link

Re: Possible problem with OPTIMIZE=1

On 7/9/10 12:50 PM, David Rothenberger wrote:> I noticed an issue today where a DROP rule at the top of my rules
> was optimized out when OPTIMIZE=1. The rule was a wildcard rule and
> I know category 1 optimization does remove those, but it has a
> different log level, so I thought it would remain.
> 
> This is with shorewall version 4.4.10.3.
> 
> Here are the files:
> ----------------------------------------------------------------------
> interfaces:
>   net eth0
>   loc eth1
> 
> zones:
>   fw firewall
>   net ipv4
>   loc ipv4
> 
> policy:
>   loc net ACCEPT
>   net all DROP
>   all all REJECT info
> 
> rules:
>   DROP:info:BL net:1.1.1.1 all tcp smtp
>   DNAT net loc:192.168.1.1 tcp smtp
> ----------------------------------------------------------------------
> 
> With OPTIMIZE=0, I get this:
> 
> % shorewall compile -v1 -e . - | grep -E ''(net2loc|log1)''
> :log1 - [0:0]
> :net2loc - [0:0]
> -A FORWARD -i eth0 -o eth1 -j net2loc
> -A log1 -j LOG --log-level 6 --log-prefix "Shorewall:net2loc:DROP:BL
"
> -A log1 -j DROP
> -A net2loc -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
> -A net2loc -p 6 --dport 25 -s 1.1.1.1 -g log1
> -A net2loc -p 6 --dport 25 -d 192.168.1.1 -j ACCEPT
> -A net2loc -g net2all
> 
> With OPTIMIZE=1, I get this:
> 
> % shorewall compile -v1 -e . - | grep net2loc
> :net2loc - [0:0]
> -A FORWARD -i eth0 -o eth1 -j net2loc
> -A net2loc -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
> -A net2loc -p 6 --dport 25 -d 192.168.1.1 -j ACCEPT
> -A net2loc -g net2all
> 
> The difference is that with OPTIMIZE=0, smtp traffic from 1.1.1.1 is
> dropped and logged. With OPTIMIZE=1, it is accepted.
> 
> Is this a bug?
> 
No. It is the way that OPTIMIZE=1 works; if a rule containing
''all''
matches the applicable policy, then the rule is omitted. To make this
work with OPTIMIZE=1, you must use:

	DROP!:info:BL net:1.1.1.1 all tcp smtp	

-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
This SF.net email is sponsored by Sprint
What will you do first with EVO, the first 4G phone?
Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first

Shorewall users - Jul 2010 - Possible problem with OPTIMIZE=1

Possible problem with OPTIMIZE=1

Re: Possible problem with OPTIMIZE=1