I plan to release Shorewall 4.0.4 next weekend. In an effort to improve the
quality of patch releases, I'm going to start making these releases
available to the development list a week ahead of the public release. Please
try this pre-release and report any problems.
The release is available at:
http://www1.shorewall.net/pub/shorewall/development/staging/4.0/shorewall-4.0.4/
ftp://ftp1.shorewall.net/pub/shorewall/development/staging/4.0/shorewall-4.0.4/
Problems Corrected in Shorewall 4.0.4
1)  If no interface had the 'blacklist' option, then when using
    Shorewall-perl, the 'start' and 'restart' commands fail:
        ERROR: No filter chain found with name blacklst
    New Shorewall-perl 4.0.3 packages were released that corrected this
    problem; it is included here for completeness.
2)  If no interface had the 'blacklist' option, then when using
    Shorewall-perl, the generated script would issue this harmless
    message during 'shorewall refresh':
        chainlist_reload: Not found
3)  If /bin/sh was a light-weight shell such as ash or dash, then
    'shorewall refresh' failed.
4)  During start/restart, the script generated by Shorewall-perl was
    clearing the proxy_arp flag on all interfaces; that is not the
    documented behavior.
5)  If the module-init-tools package was not installed and
    /etc/shorewall/modules did not exist or was non-empty, then
    Shorewall-perl would fail with the message:
       ERROR: Can't run lsmod : /etc/shorewall/modules (line 0)
6)  Shorewall-perl now makes a compile-time check to ensure that
    iptables-restore exists and is executable. This check is made when
    the compiler is being run by root and the -e option is not
    given.
    Note that iptables-restore must reside in the same directory as the
    iptables executable specified by IPTABLES in shorewall.conf or
    located by the PATH in the event that IPTABLES is not specified.
7)  When using Shorewall-perl, if an action was invoked with more than
    10 different combinations of log-levels/tags, some of those
    invocations would have incorrect logging.
8)  Previously, when 'shorewall restore' was executed, the
    iptables-restore utility was always located using the PATH setting
    rather than the IPTABLES setting.
    With Shorewall-perl, the IPTABLES setting is now used to locate
    this utility during 'restore' as it is during the processing of
    other commands.
9)  Although the shorewall.conf manpage indicates that the value
    'internal' is allowed for TC_ENABLED, that value was previously
    rejected ('Internal' was accepted).
10) The meaning of the 'loose' provider option was accidentally reversed
    in Shorewall-perl. Rather than causing certain routing rules to be
    omitted when specified, it actually caused them to be added (these
    rules were omitted when the option was NOT specified).
11) If the 'bridge' option was specified on an interface but there were
    no bport zones, then traffic originating on the firewall was not
    passed through the accounting chain.
12) In commands such as:
       shorewall compile <directory>
       shorewall restart <directory>
       shorewall check <directory>
    if the name of the <directory> contained a period ("."), then
    Shorewall-perl would incorrectly substitute the current working
    directory for the name.
13) Previously, if the following sequence of routing rules was
    specified, then the first rule would always be omitted.
    #SOURCE    DEST      PROVIDER     PRIORITY
    $SRC_A     $DESTIP1  ISP1         1000
    $SRC_A     $DESTIP2  SOMEISP      1000
    $SRC_A     -         ISP2         1000
    The reason for this omission was that Shorewall uses a
    delete-before-add approach and attempting to delete the third rule
    resulted in the deletion of the first one instead.
    This problem occurred with both compilers.
14) When using Shorewall-shell, provider numbers were not recognized in
    the PROVIDER column of /etc/shorewall/route_rules.
15) An off-by-one problem in Shorewall-perl caused the value 255 to be
    rejected in the MARK column of /etc/shorewall/tcclasses.
Other Changes in Shorewall 4.0.4
1)  The detection of 'Repeat Match' has been improved. 'Repeat Match'
    is not a match at all but rather is a feature of recent versions of
    iptables that allows a particular match to be used multiple times
    within a single rule.
    Example:
      -A foo -m physdev --physdev-in eth0 -m physdev --physdev-out ...
    When using Shorewall-shell, the availability of 'Repeat Match' can
    speed up compilation very slightly.
2)  Apparently recent Fedora releases are broken. The
    following sequence of commands demonstrates the problem:
    ip rule add from 1.1.1.1 to 10.0.0.0/8 priority 1000 table 5
    ip rule add from 1.1.1.1 to 0.0.0.0/0 priority 1000 table main
    ip rule del from 1.1.1.1 to 0.0.0.0/0 priority 1000
    The third command should fail but doesn't; instead, it incorrectly
    removes the rule added by the first command.
    To work around this issue, you can set DELETE_THEN_ADD=No in
    shorewall.conf which prevents Shorewall from deleting ip rules
    before attempting to add a similar rule.
3)  When using Shorewall-perl, the following message is now issued if
    the 'detectnets' option is specified in /etc/shorewall/interfaces:
    WARNING: Support for the 'detectnets' option will be removed from
    Shorewall-perl in version 4.0.5; better to use 'routefilter' and
    'logmartians'
    The 'detect' option has always been rather silly. On input, it
    duplicates the function of 'routefilter'. On output, it is a no-op
    since traffic that doesn't match a route out of an interface won't
    be sent through that interface (duh!).
    Beginning with Shorewall 4.0.5, the warning message will read:
    WARNING: Support for the 'detectnets' option has been removed
-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
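The delete-before-add problem in item 13 and the Fedora `ip rule del` behaviour in "Other Changes" item 2 both come down to a delete command whose selectors match more than the rule the caller meant. The following is an added example, not Shorewall code: instead of issuing a blind `ip rule del`, it parses `ip rule show` output, looks for a rule that matches every selector exactly, and emits a fully qualified delete (table included) only when exactly one such rule exists. The sample `ip rule show` text is constructed from the two `ip rule add` commands in the release notes, not captured from a host, and the assumption that repeating the table selector on the delete is enough to disambiguate same-priority rules is this example's, not the page's.

```python
"""Exact-match lookup before `ip rule del` (added example, not Shorewall code)."""
import re
from typing import Dict, List, Optional

# Constructed sample of `ip rule show` output after the two `ip rule add`
# commands from the release notes (not captured from a real host).
SAMPLE_IP_RULE_SHOW = """\
0:\tfrom all lookup local
1000:\tfrom 1.1.1.1 to 10.0.0.0/8 lookup 5
1000:\tfrom 1.1.1.1 lookup main
32766:\tfrom all lookup main
32767:\tfrom all lookup default
"""

ANY = "0.0.0.0/0"
_LINE = re.compile(r"^(?P<prio>\d+):\s+(?P<body>.*)$")


def parse_ip_rules(text: str) -> List[Dict[str, str]]:
    """Turn `ip rule show` lines into dicts with prio/from/to/table.

    `from all` and an absent `to` selector are normalised to 0.0.0.0/0 so
    they compare equal to an explicit `to 0.0.0.0/0` on the delete side.
    """
    rules = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        words = m.group("body").split()
        rule = {"prio": m.group("prio"), "from": ANY, "to": ANY, "table": ""}
        i = 0
        while i < len(words):
            key = words[i]
            if key in ("from", "to"):
                rule[key] = ANY if words[i + 1] == "all" else words[i + 1]
                i += 2
            elif key == "lookup":
                rule["table"] = words[i + 1]
                i += 2
            else:
                i += 1  # selectors this model ignores (iif, fwmark, ...)
        rules.append(rule)
    return rules


def find_exact(rules, src: str, dst: str, prio: int, table: str):
    """All rules whose four modelled selectors equal the requested ones."""
    want = {"prio": str(prio), "from": src, "to": dst, "table": table}
    return [r for r in rules if r == want]


def delete_command(rules, src: str, dst: str, prio: int, table: str) -> Optional[str]:
    """Return the `ip rule del` to run, or None when no rule matches exactly.

    Every selector, including the table, is repeated on the delete so that a
    lenient matcher cannot pick a neighbouring rule with the same priority
    (assumption of this example: the table selector is honoured on delete).
    """
    if len(find_exact(rules, src, dst, prio, table)) != 1:
        return None
    return f"ip rule del from {src} to {dst} priority {prio} table {table}"


if __name__ == "__main__":
    current = parse_ip_rules(SAMPLE_IP_RULE_SHOW)
    print(delete_command(current, "1.1.1.1", ANY, 1000, "main"))
    # Without the `to 0.0.0.0/0` rule present, nothing is deleted at all,
    # which is the case where a blind delete removed the 10.0.0.0/8 rule.
    without = [r for r in current if r["table"] != "main" or r["from"] != "1.1.1.1"]
    print(delete_command(without, "1.1.1.1", ANY, 1000, "main"))
```

The second lookup in the `__main__` block models the situation from the release notes: the `to 0.0.0.0/0` rule is absent, so the function refuses to emit a delete rather than letting the installed `ip` pick the `to 10.0.0.0/8` rule that shares the source and priority.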
Hi Tom,
I applied the 4.0.4-1 rpm files on my current running version (SVN 7352 from
9/17/2007). (I had to use --nodeps because it did not find iptables, iproute,
/bin/sh and /usr/bin/perl as dependencies. Those are in the path but probably
not installed with RPM.)
I tried the shorewall check function on my current running configuration with
both compilers.
Problem #1:
`shorewall -v check -C perl` chokes on one line in the route_rules file:
Checking /etc/shorewall/providers ...
  Provider "BDSL 1 256 main ppp1 194.152.155.65 track eth0,eth3"
Checked
  Provider "ADSL 2 512 main ppp0 194.152.155.72 track eth0,eth3"
Checked
  Provider "CABLE 3 1024 main eth4 84.3.248.1 track eth0,eth3" Checked
  Routing rule "192.168.2.247 - CABLE 500" Checked
    ERROR: Invalid IP Address (eth3) : /etc/shorewall/route_rules (line 2)
Meanwhile
`shorewall -v check -C shell` chokes on another line in the route_rules file:
Checking /etc/shorewall/providers...
Provider BDSL 1 256 main ppp1 194.152.155.65 track eth0,eth3 checked
Provider ADSL 2 512 main ppp0 194.152.155.72 track eth0,eth3 checked
Provider CABLE 3 1024 main eth4 84.3.248.1 track eth0,eth3 checked
Checking /etc/shorewall/route_rules...
    ERROR: Invalid priority (500) in rule "192.168.2.247 - 500 CABLE"
Changing the priority to 1001 passes both lines in the shell compiler.
The route_rules file is the following:
#
# Shorewall version 3.2 - route_rules File
#
#
# For additional information, see http://www.shorewall.net/MultiISP.html
##############################################################################
#SOURCE                 DEST                    PROVIDER        PRIORITY
$BELACLOC               -                       CABLE           500
eth3                    -                       BDSL            1000
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
This route_rules file runs fine with the 7352 svn version.
One can clearly see that the line number reported in shorewall perl is not
counting the comment lines either.
Problem #2:
`shorewall -v check -C shell` chokes on a tcrules mark value which passes the
perl compiler just fine:
Compiling /etc/shorewall/tcrules...
    TC Rule "RESTORE 0.0.0.0/0 0.0.0.0/0 all - - - 0  " checked
    TC Rule "CONTINUE 0.0.0.0/0 0.0.0.0/0 all - - - !0  " checked
    ERROR: Invalid Mark or Mask value: 518
HIGH_ROUTE_MARKS=Yes in the config file. Corresponding lines in tcrules:
#MARK   SOURCE          DEST            PROTO   DEST    SOURCE  USER    TEST    LENGTH  TOS
#                                               PORT(S) PORT(S)
RESTORE  0.0.0.0/0 0.0.0.0/0    all     -       -       -       0
CONTINUE 0.0.0.0/0 0.0.0.0/0    all     -       -       -       !0
518      0.0.0.0/0 0.0.0.0/0    ipp2p:all
SAVE     0.0.0.0/0 0.0.0.0/0    all     -       -       -       !0
Hopefully this report is sufficient to find the problem.
Best regards,
Andras
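Problem #1 above shows two separate defects: the SOURCE column of route_rules may hold an interface name as well as an address, so `eth3` must not be handed to an IP-address check, and the reported line number counted only non-comment lines. The following added example (not Shorewall's own parser) reads the posted route_rules file while keeping physical line numbers, tests for an interface name before applying the address test, and accepts either a provider name or a provider number in the PROVIDER column (per item 14 of the release notes). The file text is a constructed copy of the one in the report; the value substituted for `$BELACLOC` is taken from the check output, and the provider names come from the posted providers lines.

```python
"""Parse a route_rules file with physical line numbers (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed copy of the route_rules file posted in the thread.
ROUTE_RULES = """\
#
# Shorewall version 3.2 - route_rules File
#
#
# For additional information, see http://www.shorewall.net/MultiISP.html
##############################################################################
#SOURCE                 DEST                    PROVIDER        PRIORITY
$BELACLOC               -                       CABLE           500
eth3                    -                       BDSL            1000
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""
PARAMS = {"BELACLOC": "192.168.2.247"}   # assumed value, taken from the check output
PROVIDERS = {"BDSL", "ADSL", "CABLE"}    # names from the posted providers lines

# Linux interface names: up to 15 characters, never starting with a digit,
# so an IPv4 address can never be mistaken for one.
_IFACE = re.compile(r"^[A-Za-z][A-Za-z0-9_.:-]{0,14}$")


@dataclass
class RouteRule:
    line: int        # physical line number, comments included
    source: str
    kind: str        # "interface", "address" or "any"
    dest: str
    provider: str
    priority: int


class ConfigError(Exception):
    pass


def expand(value: str, params: Dict[str, str]) -> str:
    """Substitute $NAME from params; unknown names are left untouched."""
    return re.sub(r"\$(\w+)", lambda m: params.get(m.group(1), m.group(0)), value)


def classify_source(src: str) -> str:
    """Interface test first; only then is the address test applied."""
    if src == "-":
        return "any"
    if _IFACE.match(src):
        return "interface"
    ipaddress.ip_network(src, strict=False)   # raises ValueError if not an address
    return "address"


def parse_route_rules(text: str, params: Dict[str, str], providers: Set[str]) -> List[RouteRule]:
    rules = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue          # comment or blank: skipped but still counted
        fields = expand(line, params).split()
        if len(fields) != 4:
            raise ConfigError(f"Expected 4 columns : route_rules (line {lineno})")
        source, dest, provider, priority = fields
        try:
            kind = classify_source(source)
        except ValueError:
            raise ConfigError(f"Invalid IP Address ({source}) : route_rules (line {lineno})") from None
        if provider not in providers and not provider.isdigit():
            raise ConfigError(f"Unknown provider ({provider}) : route_rules (line {lineno})")
        if not priority.isdigit():
            raise ConfigError(f"Invalid priority ({priority}) : route_rules (line {lineno})")
        rules.append(RouteRule(lineno, source, kind, dest, provider, int(priority)))
    return rules


if __name__ == "__main__":
    for rule in parse_route_rules(ROUTE_RULES, PARAMS, PROVIDERS):
        print(rule)
```

With the posted file the two rules are reported at physical lines 8 and 9, rather than the "line 2" the report shows for `eth3`, and `eth3` is classified as an interface before any address check runs.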
Andras Sarkozy wrote:
> Hi Tom,
>
> I applied the 4.0.4-1 rpm files on my current running version (SVN 7352 from
> 9/17/2007). (I had to use --nodeps because it did not find iptables, iproute,
> /bin/sh and /usr/bin/perl as dependencies. Those are in the path but probably
> not installed with RPM.)
>
> I tried the shorewall check function on my current running configuration with
> both compilers.
>
> Problem #1:
> `shorewall -v check -C perl` chokes on one line in the route_rules file:
> Checking /etc/shorewall/providers ...
>   Provider "BDSL 1 256 main ppp1 194.152.155.65 track eth0,eth3" Checked
>   Provider "ADSL 2 512 main ppp0 194.152.155.72 track eth0,eth3" Checked
>   Provider "CABLE 3 1024 main eth4 84.3.248.1 track eth0,eth3" Checked
>   Routing rule "192.168.2.247 - CABLE 500" Checked
>     ERROR: Invalid IP Address (eth3) : /etc/shorewall/route_rules (line 2)

Yep -- misplaced test.

> Meanwhile
> `shorewall -v check -C shell` chokes on another line in the route_rules file:
> Checking /etc/shorewall/providers...
> Provider BDSL 1 256 main ppp1 194.152.155.65 track eth0,eth3 checked
> Provider ADSL 2 512 main ppp0 194.152.155.72 track eth0,eth3 checked
> Provider CABLE 3 1024 main eth4 84.3.248.1 track eth0,eth3 checked
> Checking /etc/shorewall/route_rules...
>     ERROR: Invalid priority (500) in rule "192.168.2.247 - 500 CABLE"
>
> Changing the priority to 1001 passes both lines in the shell compiler.

Well, the route_rules manpage does specify a particular set of ranges for
marks and 500 falls outside of those ranges. So I can hardly treat this as a
bug in the shell compiler.

Yet, I hate to introduce incompatibilities in a patch release so I think I'll
leave that one the way it is.

> The route_rules file is the following:
> #
> # Shorewall version 3.2 - route_rules File
> #
> #
> # For additional information, see http://www.shorewall.net/MultiISP.html
> ##############################################################################
> #SOURCE                 DEST                    PROVIDER        PRIORITY
> $BELACLOC               -                       CABLE           500
> eth3                    -                       BDSL            1000
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
> This route_rules file runs fine with the 7352 svn version.
>
> One can clearly see that the line number reported in shorewall perl is not
> counting the comment lines either.
>
> Problem #2:
> `shorewall -v check -C shell` chokes on a tcrules mark value which passes the
> perl compiler just fine:
> Compiling /etc/shorewall/tcrules...
>     TC Rule "RESTORE 0.0.0.0/0 0.0.0.0/0 all - - - 0  " checked
>     TC Rule "CONTINUE 0.0.0.0/0 0.0.0.0/0 all - - - !0  " checked
>     ERROR: Invalid Mark or Mask value: 518
>
> HIGH_ROUTE_MARKS=Yes in the config file. Corresponding lines in tcrules:
> #MARK   SOURCE          DEST            PROTO   DEST    SOURCE  USER    TEST    LENGTH  TOS
> #                                               PORT(S) PORT(S)
> RESTORE  0.0.0.0/0 0.0.0.0/0    all     -       -       -       0
> CONTINUE 0.0.0.0/0 0.0.0.0/0    all     -       -       -       !0
> 518      0.0.0.0/0 0.0.0.0/0    ipp2p:all
> SAVE     0.0.0.0/0 0.0.0.0/0    all     -       -       -       !0

Actually, that's a bug in the Perl Compiler; 518 _is_ an invalid mark value!
(For mark values > 256), the low-order 8 bits must be zero. 518 == 0x206

> Hopefully this report is sufficient to find the problem.

Thanks for testing! I've attached a patch which corrects the 'invalid IP
address' problem, the reporting of the incorrect line number after a comment,
and that catches invalid high mark values.

-Tom
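The mark rule stated in the reply above (a mark above 256 must have its low-order 8 bits clear when HIGH_ROUTE_MARKS=Yes, so 518 == 0x206 is invalid while 512 == 0x200 is not) and the off-by-one in item 15 of the release notes (255 must be accepted) are both easy to get wrong in a validator. The following added example, not Shorewall's own verification code, encodes exactly those two constraints and scans the MARK column of tcrules-style lines. The 16-bit ceiling, the rejection of mark 0, and the restriction to low-byte marks when HIGH_ROUTE_MARKS is off are assumptions of this example, not statements from the thread; the sample tcrules text is a constructed copy of the lines posted in the report.

```python
"""Validate tcrules MARK values under HIGH_ROUTE_MARKS (added example)."""
from typing import List, Optional, Tuple

MAX_MARK = 0xFFFF                 # assumption: 16-bit marks in this model
KEYWORDS = {"RESTORE", "SAVE", "CONTINUE"}   # MARK-column actions, not numbers

# Constructed copy of the tcrules lines posted in the report.
TCRULES = """\
#MARK   SOURCE          DEST            PROTO   DEST    SOURCE  USER    TEST    LENGTH  TOS
#                                               PORT(S) PORT(S)
RESTORE  0.0.0.0/0 0.0.0.0/0    all     -       -       -       0
CONTINUE 0.0.0.0/0 0.0.0.0/0    all     -       -       -       !0
518      0.0.0.0/0 0.0.0.0/0    ipp2p:all
SAVE     0.0.0.0/0 0.0.0.0/0    all     -       -       -       !0
"""


def parse_mark(text: str) -> Optional[int]:
    """Decimal or 0x-prefixed hex, as Shorewall files allow; None if neither."""
    text = text.strip().lower()
    try:
        if text.startswith("0x"):
            return int(text, 16)
        if text.isdigit():
            return int(text, 10)
    except ValueError:
        pass
    return None


def mark_error(text: str, high_route_marks: bool = True) -> Optional[str]:
    """Return None when the mark is valid, else an error in Shorewall's style."""
    value = parse_mark(text)
    if value is None or value < 1 or value > MAX_MARK:   # 0 rejected: assumption
        return f"Invalid Mark or Mask value: {text}"
    if value > 255:
        if not high_route_marks:
            # assumption: only low-byte marks without HIGH_ROUTE_MARKS
            return f"Invalid Mark or Mask value: {text}"
        if value & 0xFF:
            # the rule from the thread: high marks keep the low byte clear
            return f"Invalid Mark or Mask value: {text} (low-order 8 bits must be zero)"
    return None


def check_tcrules(text: str, high_route_marks: bool = True) -> List[Tuple[int, str]]:
    """Scan the MARK column; returns (physical line number, error) pairs."""
    errors = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        mark = line.split()[0]
        if mark.upper() in KEYWORDS:
            continue
        err = mark_error(mark, high_route_marks)
        if err:
            errors.append((lineno, err))
    return errors


if __name__ == "__main__":
    for lineno, err in check_tcrules(TCRULES):
        print(f"line {lineno}: {err}")
```

Note that 255 passes and 256 passes as well (its low byte is already zero), while 518, 0x206 and anything above 0xFFFF are reported with the physical line number of the offending entry.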
Tom Eastep wrote:
> I've attached a patch which corrects the 'invalid IP address' problem, the
> reporting of the incorrect line number after a comment, and that catches
> invalid high mark values.

The pre-release has been updated to include this patch. The patch (and updated
components) are still available in the errata/ sub-directory. Next release,
I'll try to have my act better together and add a 'PreN' suffix to the version
so that we can keep the pre-releases separate and so that the upgrade to the
final release will be more straight-forward.

-Tom
Hi Tom,

Thanks for the fix - it works now.

Best regards,
Andras

Tom Eastep wrote:
> Tom Eastep wrote:
>
>> I've attached a patch which corrects the 'invalid IP address' problem, the
>> reporting of the incorrect line number after a comment, and that catches
>> invalid high mark values.
>
> The pre-release has been updated to include this patch. The patch (and
> updated components) are still available in the errata/ sub-directory. Next
> release, I'll try to have my act better together and add a 'PreN' suffix to
> the version so that we can keep the pre-releases separate and so that the
> upgrade to the final release will be more straight-forward.
>
> -Tom