RC 2 is now available for testing.

Problems corrected since 4.5.17 RC 1:

1) Previously, conntrack helpers were enabled by the 'stop' command. Now,
   these helpers are only enabled by the 'clear' command.

2) Previously, a 'virtual' interface (e.g., dev:N) could be specified as
   the 'physical' interface in /etc/shorewall/interfaces. This is now
   disallowed.

New/Changed Features since 4.5.17 RC 1:

1) Traditionally, Shorewall has treated the loopback interface ('lo') as
   follows:

   - It deals with firewall-to-firewall, firewall-to-vserver,
     vserver-to-firewall, and vserver-to-vserver traffic.
   - All filtering is done in the OUTPUT flow; all traffic arriving on
     'lo' is silently accepted.
   - If no firewall-to-firewall policy or rules are defined, then a
     simple ACCEPT rule is also included in the OUTPUT chain for 'lo'
     (after any vserver-oriented jumps).

   Beginning with this release, the handling of firewall-to-firewall
   traffic can be altered by adding a zone of type 'loopback'.

   - 'loopback' zones must be associated with the loopback device in
     the interfaces and/or hosts file.

     /etc/shorewall/zones

     #ZONE    TYPE
     loop     loopback

     /etc/shorewall/interfaces

     ?FORMAT 2
     #ZONE    INTERFACE    OPTIONS
     loop     lo           ...

   When this is done, the ACCEPT jumps for 'lo' in the INPUT and OUTPUT
   chains are omitted and replaced with jumps to the loop2fw and fw2loop
   (loop-fw and fw-loop) chains respectively. This provides a model
   similar to other zones for firewall-to-firewall traffic.

2) A new 'local' zone TYPE has been added to /etc/shorewall[6]/zones. A
   'local' zone is similar to an 'ipv4' ('ipv6') zone, except that rules
   and policies to/from a 'local' zone may only be to/from the firewall
   zone, vserver zones or other 'local' zones.

3) Previously, expensive matches such as '-m set' and '-m geoip' could
   appear near the front of a rule. Now they appear at the end, unless
   '-m nfacct' matches are present in the rule.
Thank you for testing,
-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
Tom Eastep wrote:
> 2) A new 'local' zone TYPE has been added to /etc/shorewall[6]/zones.
> A 'local' zone is similar to an 'ipv4' ('ipv6') zone, except that
> rules and policies to/from a 'local' zone may only be to/from the
> firewall zone, vserver zones or other 'local' zones.
>
What happens if I need these "local" zones to be completely isolated? In
other words, if I define "local1" and "local2" and wish to completely
isolate the traffic on these 2 local zones (in other words, ask shorewall
to manage traffic only in fw2local1, local12fw, fw2local2 and local22fw,
but *not* local12local2 or local22local1), what then?
On 05/26/2013 06:12 PM, Dash Four wrote:
>
> Tom Eastep wrote:
>> 2) A new 'local' zone TYPE has been added to /etc/shorewall[6]/zones.
>> A 'local' zone is similar to an 'ipv4' ('ipv6') zone, except that
>> rules and policies to/from a 'local' zone may only be to/from the
>> firewall zone, vserver zones or other 'local' zones.
>>
> What happens if I need these "local" zones to be completely isolated? In
> other words, if I define "local1" and "local2" and wish to completely
> isolate the traffic on these 2 local zones (in other words, ask
> shorewall to manage traffic only in fw2local1, local12fw, fw2local2 and
> local22fw, but *not* local12local2 or local22local1), what then?
>
Define those policies as NONE.

-Tom
Tom Eastep wrote:
> On 05/26/2013 06:12 PM, Dash Four wrote:
>
>> Tom Eastep wrote:
>>
>>> 2) A new 'local' zone TYPE has been added to /etc/shorewall[6]/zones.
>>> A 'local' zone is similar to an 'ipv4' ('ipv6') zone, except that
>>> rules and policies to/from a 'local' zone may only be to/from the
>>> firewall zone, vserver zones or other 'local' zones.
>>>
>> What happens if I need these "local" zones to be completely isolated? In
>> other words, if I define "local1" and "local2" and wish to completely
>> isolate the traffic on these 2 local zones (in other words, ask
>> shorewall to manage traffic only in fw2local1, local12fw, fw2local2 and
>> local22fw, but *not* local12local2 or local22local1), what then?
>>
>
> Define those policies as NONE.
>
Right, so every time I add a local zone, then I have to manually update
the policy file and insert NONE for every conceivable combination between
all my other local zones? As if I am going to do that...
On 05/26/2013 07:01 PM, Dash Four wrote:
>
> Tom Eastep wrote:
>> On 05/26/2013 06:12 PM, Dash Four wrote:
>>
>>> Tom Eastep wrote:
>>>
>>>> 2) A new 'local' zone TYPE has been added to /etc/shorewall[6]/zones.
>>>> A 'local' zone is similar to an 'ipv4' ('ipv6') zone, except that
>>>> rules and policies to/from a 'local' zone may only be to/from the
>>>> firewall zone, vserver zones or other 'local' zones.
>>>>
>>> What happens if I need these "local" zones to be completely isolated? In
>>> other words, if I define "local1" and "local2" and wish to completely
>>> isolate the traffic on these 2 local zones (in other words, ask
>>> shorewall to manage traffic only in fw2local1, local12fw, fw2local2 and
>>> local22fw, but *not* local12local2 or local22local1), what then?
>>>
>>
>> Define those policies as NONE.
>>
> Right, so every time I add a local zone, then I have to manually update
> the policy file and insert NONE for every conceivable combination
> between all my other local zones? As if I am going to do that...

Give me a break; I have arthritic hands and I type all day long.

So buck up and use your fingers, Mr-4; because when it comes to
Shorewall, my keystrokes are much more valuable than yours.

-Tom
Tom Eastep wrote:
> So buck up and use your fingers, Mr-4; because when it comes to
> Shorewall, my keystrokes are much more valuable than yours.
>
Why don't you take the above, put it in your bloody pipe and smoke it? I
am not going to take any advice, particularly from you, on what to do and
how much I am going to bloody type, so kindly do one! As for your
arthritis - I couldn't care less to be honest, so there.
On 05/27/2013 12:20 AM, Dash Four wrote:
>
> Tom Eastep wrote:
>> So buck up and use your fingers, Mr-4; because when it comes to
>> Shorewall, my keystrokes are much more valuable than yours.
>>
> Why don't you take the above, put it in your bloody pipe and smoke it? I
> am not going to take any advice, particularly from you, on what to do
> and how much I am going to bloody type, so kindly do one! As for your
> arthritis - I couldn't care less to be honest, so there.

I'm not surprised.

Apply the attached long overdue patch, then put this at the top of your
policy file.

?BEGIN PERL
use Shorewall::Zones;
use strict;

for my $z1 ( local_zones ) {
    for my $z2 ( local_zones ) {
        shorewall "$z1 $z2 NONE" unless $z1 eq $z2;
    }
}

1;
?END PERL

Now, if you have two or ten thousand local zones, there will be no
locala2localb chains created.

-Tom
On 05/27/2013 06:42 AM, Tom Eastep wrote:
> On 05/27/2013 12:20 AM, Dash Four wrote:
>>
>> Tom Eastep wrote:
>>> So buck up and use your fingers, Mr-4; because when it comes to
>>> Shorewall, my keystrokes are much more valuable than yours.
>>>
>> Why don't you take the above, put it in your bloody pipe and smoke it? I
>> am not going to take any advice, particularly from you, on what to do
>> and how much I am going to bloody type, so kindly do one! As for your
>> arthritis - I couldn't care less to be honest, so there.
>
> I'm not surprised.
>
> Apply the attached long overdue patch, then put this at the top of your
> policy file.
>
> ?BEGIN PERL
> use Shorewall::Zones;
> use strict;
>
> for my $z1 ( local_zones ) {
>     for my $z2 ( local_zones ) {
>         shorewall "$z1 $z2 NONE" unless $z1 eq $z2;
>     }
> }
>
> 1;
> ?END PERL
>
> Now, if you have two or ten thousand local zones, there will be no
> locala2localb chains created.

Or apply this patch and be done with it. If someone wants to forward
between local zones in the future, I'll add a config option to allow it.

-Tom
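The two constraints discussed above (every pair of 'local' zones needs an explicit NONE policy, and a 'local' zone may only appear in policies with the firewall, vserver or other 'local' zones) can be checked offline before compiling. The following is an added example, not Shorewall's own code; the zones and policy file contents are constructed sample input and the parsing is a simplified reading of the two-column zones and three-column policy formats.

```python
"""Check a Shorewall zones/policy pair for the 'local' zone constraints
described in the 4.5.17 RC 2 notes.  Added example, not Shorewall code.

Two things are checked:
  * every ordered pair of 'local' zones has an explicit NONE policy
    (the effect of the embedded-Perl loop in the thread), and
  * no policy pairs a 'local' zone with an ipv4/ipv6 zone, which the
    release notes say is not permitted.
The file contents below are constructed sample input.
"""
from __future__ import annotations

from itertools import permutations

# Constructed sample /etc/shorewall/zones
ZONES = """\
#ZONE   TYPE
fw      firewall
net     ipv4
local1  local
local2  local
local3  local
vs1     vserver
"""

# Constructed sample /etc/shorewall/policy: the local2<->local3 pair is
# missing, and local1 is wrongly paired with the ipv4 zone 'net'.
POLICY = """\
#SOURCE   DEST     POLICY
local1    local2   NONE
local2    local1   NONE
local1    local3   NONE
local3    local1   NONE
local1    net      ACCEPT
$FW       all      ACCEPT
net       all      DROP
all       all      REJECT
"""

# Zone types a 'local' zone may exchange policies/rules with
LOCAL_PEERS = {"firewall", "vserver", "local"}


def parse_columns(text: str, ncols: int) -> list[list[str]]:
    """Split a whitespace-separated Shorewall file into rows, dropping
    comments and blank lines; rows are padded/truncated to ncols."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        cols = line.split()
        rows.append((cols + ["-"] * ncols)[:ncols])
    return rows


def parse_zones(text: str) -> dict[str, str]:
    """Map zone name -> zone type."""
    return {name: ztype for name, ztype in parse_columns(text, 2)}


def missing_none_policies(zones: dict[str, str], policy: str) -> list[str]:
    """Return the 'src dst NONE' lines still needed to isolate every
    ordered pair of local zones (the pairs the Perl loop would emit)."""
    locals_ = sorted(z for z, t in zones.items() if t == "local")
    present = {(s, d) for s, d, p in parse_columns(policy, 3) if p == "NONE"}
    return [f"{s} {d} NONE" for s, d in permutations(locals_, 2)
            if (s, d) not in present]


def invalid_local_policies(zones: dict[str, str], policy: str) -> list[str]:
    """Return policy lines pairing a local zone with a zone type it may
    not talk to.  Rows using 'all' or $FW are skipped: 'all' is expanded
    by the compiler and $FW is the firewall zone."""
    bad = []
    for src, dst, pol in parse_columns(policy, 3):
        if "all" in (src, dst) or "$FW" in (src, dst):
            continue
        types = (zones.get(src), zones.get(dst))
        if "local" in types:
            other = types[1] if types[0] == "local" else types[0]
            if other not in LOCAL_PEERS:
                bad.append(f"{src} {dst} {pol}")
    return bad


if __name__ == "__main__":
    z = parse_zones(ZONES)
    for line in missing_none_policies(z, POLICY):
        print("add:", line)
    for line in invalid_local_policies(z, POLICY):
        print("not allowed:", line)
```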
On 05/27/2013 05:20 PM, Dash Four wrote:
> Tom Eastep wrote:
>>> So buck up and use your fingers, Mr-4; because when it comes to
>>> Shorewall, my keystrokes are much more valuable than yours.
>>>
> Why don't you take the above, put it in your bloody pipe and smoke it? I
> am not going to take any advice, particularly from you, on what to do
> and how much I am going to bloody type, so kindly do one! As for your
> arthritis - I couldn't care less to be honest, so there.

Mr. Dash Four,

You have been repeatedly warned about your poor attitude and manners.
Your toxic influence on the Shorewall project will not be tolerated.

If there isn't an immediate improvement, your posts will be moderated on
all Shorewall lists for a minimum of one week initially, with longer bans
for repeated undesirable behaviour.

Regards,
Paul
On Sun, 26 May 2013 18:01:16 -0700 Tom Eastep <teastep@shorewall.net> wrote:
> 2) Previously, a 'virtual' interface (e.g., dev:N) could be specified
> as the 'physical' interface in /etc/shorewall/interfaces. This
> is now disallowed.

I'd suggest technically more correct wording for release notes:

2) Previously, an interface label (e.g., dev:N) could be specified
   as the 'physical' interface in /etc/shorewall/interfaces. This
   is now disallowed.

--
Tuomo Soini <tis@foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
On 5/27/13 10:52 PM, "Tuomo Soini" <tis@foobar.fi> wrote:
> On Sun, 26 May 2013 18:01:16 -0700
> Tom Eastep <teastep@shorewall.net> wrote:
>
>> 2) Previously, a 'virtual' interface (e.g., dev:N) could be specified
>> as the 'physical' interface in /etc/shorewall/interfaces. This
>> is now disallowed.
>
> I'd suggest technically more correct wording for release notes:
>
> 2) Previously, an interface label (e.g., dev:N) could be specified
>    as the 'physical' interface in /etc/shorewall/interfaces. This
>    is now disallowed.

Will do.

Thanks,
-Tom

You do not need a parachute to skydive. You only need a parachute to
skydive twice.
On 05/27/2013 07:30 AM, Tom Eastep wrote:
> On 05/27/2013 06:42 AM, Tom Eastep wrote:
>> On 05/27/2013 12:20 AM, Dash Four wrote:
>>>
>>> Tom Eastep wrote:
>>>> So buck up and use your fingers, Mr-4; because when it comes to
>>>> Shorewall, my keystrokes are much more valuable than yours.
>>>>
>>> Why don't you take the above, put it in your bloody pipe and smoke it? I
>>> am not going to take any advice, particularly from you, on what to do
>>> and how much I am going to bloody type, so kindly do one! As for your
>>> arthritis - I couldn't care less to be honest, so there.
>>
>> I'm not surprised.
>>
>> Apply the attached long overdue patch, then put this at the top of your
>> policy file.
>>
>> ?BEGIN PERL
>> use Shorewall::Zones;
>> use strict;
>>
>> for my $z1 ( local_zones ) {
>>     for my $z2 ( local_zones ) {
>>         shorewall "$z1 $z2 NONE" unless $z1 eq $z2;
>>     }
>> }
>>
>> 1;
>> ?END PERL
>>
>> Now, if you have two or ten thousand local zones, there will be no
>> locala2localb chains created.
>
> Or apply this patch and be done with it. If someone wants to forward
> between local zones in the future, I'll add a config option to allow it.

This additional patch corrects generation of warnings for local->local
forwarding rules.

-Tom
Tom Eastep wrote:
> 1) Traditionally, Shorewall has treated the loopback interface ('lo')
> as follows:
>
> - It deals with firewall-to-firewall, firewall-to-vserver,
> vserver-to-firewall, and vserver-to-vserver traffic.
> - All filtering is done in the OUTPUT flow; all traffic arriving on
> 'lo' is silently accepted.
> - If no firewall-to-firewall policy or rules are defined, then
> a simple ACCEPT rule is also included in the OUTPUT chain for
> 'lo' (after any vserver-oriented jumps).
>
> Beginning with this release, the handling of firewall-to-firewall
> traffic can be altered by adding a zone of type 'loopback'.
>
> - 'loopback' zones must be associated with the loopback device in
> the interfaces and/or hosts file.
>
interfaces
~~~~~~~~~~
loc    lo

zones
~~~~~
fw     firewall
loc    ipv4

ERROR: Only a local zone may be assigned to 'lo'

zones
~~~~~
fw     firewall
loc    local

ERROR: No IP zones defined

This was encountered in RC1, don't know whether the same issue persists
in RC2. I should be able to configure fw and a local zone only, without
having shorewall whining like a little bitch.

Also, the definition (and use) of ICMPv6 codes in shorewall is wrong:

From shorewall's man page (that is also how the rules are emitted in
"firewall"):

ICMPv6:
    destination-unreachable   => 1
    no-route                  => 1/0
    communication-prohibited  => 1/1
    address-unreachable       => 1/2
    port-unreachable          => 1/3

The correct set of "destination-unreachable" ICMPv6 codes are as follows:

ICMPv6 destination unreachable (type 1):

    1/0 no route to destination
    1/1 communication with destination administratively prohibited
    1/2 beyond scope of source address
    1/3 address unreachable
    1/4 port unreachable
    1/5 source address failed ingress/egress policy
    1/6 reject route to destination
    1/7 Error in Source Routing Header
On 05/28/2013 07:05 AM, Dash Four wrote:
>
> Tom Eastep wrote:
>> 1) Traditionally, Shorewall has treated the loopback interface ('lo')
>> as follows:
>>
>> - It deals with firewall-to-firewall, firewall-to-vserver,
>> vserver-to-firewall, and vserver-to-vserver traffic.
>> - All filtering is done in the OUTPUT flow; all traffic arriving on
>> 'lo' is silently accepted.
>> - If no firewall-to-firewall policy or rules are defined, then
>> a simple ACCEPT rule is also included in the OUTPUT chain for
>> 'lo' (after any vserver-oriented jumps).
>>
>> Beginning with this release, the handling of firewall-to-firewall
>> traffic can be altered by adding a zone of type 'loopback'.
>>
>> - 'loopback' zones must be associated with the loopback device in
>> the interfaces and/or hosts file.
>>
> interfaces
> ~~~~~~~~~~
> loc    lo
>
> zones
> ~~~~~
> fw     firewall
> loc    ipv4
>
> ERROR: Only a local zone may be assigned to 'lo'
>
> zones
> ~~~~~
> fw     firewall
> loc    local
>
> ERROR: No IP zones defined
>
> This was encountered in RC1, don't know whether the same issue persists
> in RC2. I should be able to configure fw and a local zone only, without
> having shorewall whining like a little bitch.
>
> Also, the definition (and use) of ICMPv6 codes in shorewall is wrong:
>
> From shorewall's man page (that is also how the rules are emitted in
> "firewall"):
>
> ICMPv6:
>     destination-unreachable   => 1
>     no-route                  => 1/0
>     communication-prohibited  => 1/1
>     address-unreachable       => 1/2
>     port-unreachable          => 1/3
>
> The correct set of "destination-unreachable" ICMPv6 codes are as follows:
>
> ICMPv6 destination unreachable (type 1):
>
>     1/0 no route to destination
>     1/1 communication with destination administratively prohibited
>     1/2 beyond scope of source address
>     1/3 address unreachable
>     1/4 port unreachable
>     1/5 source address failed ingress/egress policy
>     1/6 reject route to destination
>     1/7 Error in Source Routing Header

-Tom
Tom Eastep wrote:
> Thank you for testing,
>
masq
~~~~
eth0:0:+outside-hosts[dst,dst]    +private-net    10.11.1.2

when ADD_IP_ALIASES=No and ADD_SNAT_ALIASES=No the above statement passes
without a hint of an error or a warning. Even if I do ADD_IP_ALIASES=Yes
and ADD_SNAT_ALIASES=Yes, the appropriate "del_ip_addr" and
"add_ip_aliases" are added to the resulting "firewall" file, but the
above statement is completely ignored by shorewall and nothing is added
in my nat table to masquerade this connection.
Dash Four wrote:
>
> Tom Eastep wrote:
>> Thank you for testing,
>>
> masq
> ~~~~
> eth0:0:+outside-hosts[dst,dst]    +private-net    10.11.1.2
>
> when ADD_IP_ALIASES=No and ADD_SNAT_ALIASES=No the above statement
> passes without a hint of an error or a warning. Even if I do
> ADD_IP_ALIASES=Yes and ADD_SNAT_ALIASES=Yes, the appropriate
> "del_ip_addr" and "add_ip_aliases" are added to the resulting
> "firewall" file, but the above statement is completely ignored by
> shorewall and nothing is added in my nat table to masquerade this
> connection.

Interesting, when I have:

masq
~~~~
eth0::
eth0:0:+outside-hosts[dst,dst]    +private-net    10.11.1.2

Then the second statement is ignored (well done to the optimizer!), but
when I have:

masq
~~~~
eth0:0:+outside-hosts[dst,dst]    +private-net    10.11.1.2
eth0::

both statements are produced, so the only "gripe" is to maybe issue a
warning/error when ADD_SNAT_ALIASES=No and I have "eth0:0" in masq.
On 5/29/13 5:35 PM, "Dash Four" <mr.dash.four@googlemail.com> wrote:
>
> Dash Four wrote:
>>
>> Tom Eastep wrote:
>>> Thank you for testing,
>>>
>> masq
>> ~~~~
>> eth0:0:+outside-hosts[dst,dst]    +private-net    10.11.1.2
>>
>> when ADD_IP_ALIASES=No and ADD_SNAT_ALIASES=No the above statement
>> passes without a hint of an error or a warning. Even if I do
>> ADD_IP_ALIASES=Yes and ADD_SNAT_ALIASES=Yes, the appropriate
>> "del_ip_addr" and "add_ip_aliases" are added to the resulting
>> "firewall" file, but the above statement is completely ignored by
>> shorewall and nothing is added in my nat table to masquerade this
>> connection.
> Interesting, when I have:
>
> masq
> ~~~~
> eth0::
> eth0:0:+outside-hosts[dst,dst]    +private-net    10.11.1.2
>
> Then the second statement is ignored (well done to the optimizer!), but
> when I have:
>
> masq
> ~~~~
> eth0:0:+outside-hosts[dst,dst]    +private-net    10.11.1.2
> eth0::
>
> both statements are produced, so the only "gripe" is to maybe issue a
> warning/error when ADD_SNAT_ALIASES=No and I have "eth0:0" in masq.

That is a specific instance of something that can happen anywhere in the
ruleset. I tried a simple-minded change that issued a warning when a rule
is dropped because the chain has a terminating rule with no matches;
unfortunately, that change issues warnings in cases that the user has no
control over.

So I think I'll work on that for 4.5.18.

Thanks,
-Tom
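The masq exchange above comes down to rule ordering: an `eth0::` entry with no destination and no source matches all traffic leaving eth0, so anything listed after it for the same interface is unreachable and the optimizer drops it silently. The following is an added example, not Shorewall's own code, that lints a masq file for exactly that and for the ADD_SNAT_ALIASES gripe; the parsing of the INTERFACE column (interface[:digit][:dest]) is simplified and the masq contents are constructed sample input.

```python
"""Lint a Shorewall 'masq' file for the two problems raised in the thread.
Added example, not Shorewall code; the INTERFACE column is read as a
simplified interface[:digit][:dest].

  * A row with no destination part and an empty SOURCE produces an
    unconditional MASQUERADE; every later row for the same interface is
    unreachable, which is why the optimizer drops it.
  * A row with an alias digit (eth0:0) only has its alias effect when
    ADD_SNAT_ALIASES=Yes, so we warn when the setting is No.
The masq contents below are constructed sample input.
"""
from __future__ import annotations

# Constructed: catch-all first, specific rule second (second is dropped)
MASQ_DROPPED = """\
#INTERFACE                        SOURCE         ADDRESS
eth0::
eth0:0:+outside-hosts[dst,dst]    +private-net   10.11.1.2
"""

# Constructed: specific rule first, catch-all second (both are kept)
MASQ_OK = """\
#INTERFACE                        SOURCE         ADDRESS
eth0:0:+outside-hosts[dst,dst]    +private-net   10.11.1.2
eth0::
"""


def parse_masq(text: str) -> list[dict]:
    """Return one dict per rule: interface, alias digit, dest, source."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        cols = (line.split() + ["-", "-"])[:3]
        parts = cols[0].split(":", 2)           # iface[:digit[:dest]]
        iface = parts[0]
        digit = parts[1] if len(parts) > 1 and parts[1] else None
        dest = parts[2] if len(parts) > 2 and parts[2] else None
        source = None if cols[1] in ("-", "0.0.0.0/0") else cols[1]
        rules.append(dict(line=lineno, iface=iface, digit=digit,
                          dest=dest, source=source, text=line))
    return rules


def unconditional(rule: dict) -> bool:
    """True when the rule matches all traffic leaving its interface."""
    return rule["dest"] is None and rule["source"] is None


def lint_masq(text: str, add_snat_aliases: bool) -> list[str]:
    """Return warnings for unreachable rows and for alias digits used
    while ADD_SNAT_ALIASES=No."""
    warnings = []
    terminated: dict[str, int] = {}        # iface -> line of catch-all
    for rule in parse_masq(text):
        iface = rule["iface"]
        if iface in terminated:
            warnings.append(
                f"line {rule['line']}: unreachable, {iface} already has an "
                f"unconditional MASQUERADE at line {terminated[iface]}")
        elif unconditional(rule):
            terminated[iface] = rule["line"]
        if rule["digit"] is not None and not add_snat_aliases:
            warnings.append(
                f"line {rule['line']}: alias {iface}:{rule['digit']} has no "
                f"effect while ADD_SNAT_ALIASES=No")
    return warnings


if __name__ == "__main__":
    for w in lint_masq(MASQ_DROPPED, add_snat_aliases=False):
        print(w)
```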
On 5/29/13 6:54 PM, "Tom Eastep" <teastep@shorewall.net> wrote:
>
> That is a specific instance of something that can happen anywhere in the
> ruleset. I tried a simple-minded change that issued a warning when a rule
> is dropped because the chain has a terminating rule with no matches;
> unfortunately, that change issues warnings in cases that the user has no
> control over.
>
> So I think I'll work on that for 4.5.18.

The attached patch seems to fill the bill.

-Tom
On 05/30/2013 06:16 AM, Tom Eastep wrote:
> On 5/29/13 6:54 PM, "Tom Eastep" <teastep@shorewall.net> wrote:
>
>>
>> That is a specific instance of something that can happen anywhere in the
>> ruleset. I tried a simple-minded change that issued a warning when a rule
>> is dropped because the chain has a terminating rule with no matches;
>> unfortunately, that change issues warnings in cases that the user has no
>> control over.
>>
>> So I think I'll work on that for 4.5.18.
>
> The attached patch seems to fill the bill.

Please disregard -- that patch assumes another patch which I haven't
externalized. I'll simply include the final one in 4.5.17.

-Tom