Hello,

I am using shorewall 3.4.4.

When I specify an interface name in the rules file, I expected the interface name to be given to the "-i" option of iptables for all the IP addresses. But I am seeing different results.

Example 1:

    ACCEPT    loc:net0:192.168.3.1,192.168.3.2    net    tcp    80

The above rule generated the following code:

    run_iptables -A loc2net -p tcp -i net0 -s 192.168.3.1 --dport 80 -j ACCEPT
    run_iptables -A loc2net -p tcp -s 192.168.3.2 --dport 80 -j ACCEPT
    progress_message " Rule \"ACCEPT loc:net0:192.168.3.1,192.168.3.2 net tcp 80 \" added."

Example 2:

    ACCEPT    loc:net0:192.168.3.1,net0:192.168.3.2    net    tcp    80

The above rule generated the following code:

    run_iptables -A loc2net -p tcp -i net0 -s 192.168.3.1 --dport 80 -j ACCEPT
    run_iptables -A loc2net -p tcp -i net0 -s 192.168.3.2 --dport 80 -j ACCEPT
    progress_message " Rule \"ACCEPT loc:net0:192.168.3.1,net0:192.168.3.2 net tcp 80 \" added."

Is it required to prepend the interface name to every comma-separated IP address within the rule?

Note: In the above example, the interface name is "net0".
loc = Local zone
net = Wan zone

Thanks,
Hebbar.

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
Srinivasa Hebbar wrote:
> Hello,
>
> I am using shorewall 3.4.4.
>
> When I specify an interface name in the rules file, I expected the interface name to be given
> to the "-i" option of iptables for all the IP addresses. But I am seeing different results.
>
> Example 1:
> ACCEPT loc:net0:192.168.3.1,192.168.3.2 net tcp 80
> The above rule generated the following code:
> run_iptables -A loc2net -p tcp -i net0 -s 192.168.3.1 --dport 80 -j ACCEPT
> run_iptables -A loc2net -p tcp -s 192.168.3.2 --dport 80 -j ACCEPT
> progress_message " Rule \"ACCEPT loc:net0:192.168.3.1,192.168.3.2 net tcp 80 \" added."
>
> Example 2:
> ACCEPT loc:net0:192.168.3.1,net0:192.168.3.2 net tcp 80
> The above rule generated the following code:
> run_iptables -A loc2net -p tcp -i net0 -s 192.168.3.1 --dport 80 -j ACCEPT
> run_iptables -A loc2net -p tcp -i net0 -s 192.168.3.2 --dport 80 -j ACCEPT
> progress_message " Rule \"ACCEPT loc:net0:192.168.3.1,net0:192.168.3.2 net tcp 80 \" added."
>
> Is it required to prepend the interface name to every comma-separated IP address within
> the rule?
>
> Note: In the above example, the interface name is "net0"
> loc = Local zone
> net = Wan zone.

Looks like another bug in Shorewall-shell.

Have you considered upgrading to 4.0.7 and switching to Shorewall-perl? My main reason for creating Shorewall-perl was because Shorewall-shell is buggy and the bugs are hard to fix without breaking something else.

Neither of the defects you have reported this week is present in Shorewall-perl.

-Tom

--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Srinivasa Hebbar
2008-Jan-21 04:25 UTC
Re: rules: interface and comma separated IP addresses.
Hello,

I am planning to upgrade to shorewall-perl for the next major release of our software. At the moment, I have to use shorewall 3.4.4. I have several installs with shorewall 3.4.4 and I need to give a fix for these installs.

Thanks,
Hebbar.

> Srinivasa Hebbar wrote:
> > Hello,
> >
> > I am using shorewall 3.4.4
> >
> > When I specify an interface name in the rules file, I expected the
> > interface name is given to "-i" option of iptable for all the IP
> > addresses. But, I am seeing different results.
> >
> > Example1:
> > ACCEPT loc:net0:192.168.3.1,192.168.3.2 net tcp 80
> > -The above rule generated the following code:
> > run_iptables -A loc2net -p tcp -i net0 -s 192.168.3.1 --dport 80 -j ACCEPT
> > run_iptables -A loc2net -p tcp -s 192.168.3.2 --dport 80 -j ACCEPT
> > progress_message " Rule \"ACCEPT loc:net0:192.168.3.1,192.168.3.2 net tcp 80 \" added."
> >
> > Example2:
> > ACCEPT loc:net0:192.168.3.1,net0:192.168.3.2 net tcp 80
> > -The above rule generated the following code:
> > run_iptables -A loc2net -p tcp -i net0 -s 192.168.3.1 --dport 80 -j ACCEPT
> > run_iptables -A loc2net -p tcp -i net0 -s 192.168.3.2 --dport 80 -j ACCEPT
> > progress_message " Rule \"ACCEPT loc:net0:192.168.3.1,net0:192.168.3.2 net tcp 80 \" added."
> >
> > Is it required to prepend interface name for every comma separated IP
> > address within the rule?
> >
> > Note: In the above example, the interface name is "net0"
> > loc = Local zone
> > net = Wan zone.
>
> Looks like another bug in Shorewall-shell.
>
> Have you considered upgrading to 4.0.7 and switching to Shorewall-perl?
> My main reason for creating Shorewall-perl was because Shorewall-shell
> is buggy and the bugs are hard to fix without breaking something else.
>
> Neither of the defects you have reported this week are present in
> Shorewall-perl.
>
> -Tom
Roberto C. Sánchez
2008-Jan-21 04:28 UTC
Re: rules: interface and comma separated IP addresses.
On Mon, Jan 21, 2008 at 09:55:24AM +0530, Srinivasa Hebbar wrote:
> Hello,
>
> I am planning to upgrade to shorewall-perl for the next major release of our
> software. At the moment, I have to use shorewall 3.4.4. I have several
> installs with shorewall 3.4.4 and I need to give a fix for these installs.
>
I am currently working on a fix for the problem you reported on 18 January. However, initial indications from Tom are that this second problem you reported would require major surgery on shorewall-shell. I am not sure if I am up to that, but I have not yet looked in depth at this problem.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Srinivasa Hebbar wrote:
> Hello,
>
> I am planning to upgrade to shorewall-perl for the next major release of our
> software. At the moment, I have to use shorewall 3.4.4. I have several
> installs with shorewall 3.4.4 and I need to give a fix for these installs.
>
You don't *need* fixes for either of these problems. The first is easily solved by using two or more entries in /etc/shorewall/masq and you have already demonstrated a fix for the second problem.

-Tom

--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Roberto C. Sánchez
2008-Jan-21 05:45 UTC
Re: rules: interface and comma separated IP addresses.
On Sun, Jan 20, 2008 at 11:51:16PM +0530, Srinivasa Hebbar wrote:
> Hello,
>
> I am using shorewall 3.4.4
>
> When I specify an interface name in the rules file, I expected the interface name is given
> to "-i" option of iptable for all the IP addresses. But, I am seeing different results.
>
> Example1:
> ACCEPT loc:net0:192.168.3.1,192.168.3.2 net tcp 80
> -The above rule generated the following code:
> run_iptables -A loc2net -p tcp -i net0 -s 192.168.3.1 --dport 80 -j ACCEPT
> run_iptables -A loc2net -p tcp -s 192.168.3.2 --dport 80 -j ACCEPT
> progress_message " Rule \"ACCEPT loc:net0:192.168.3.1,192.168.3.2 net tcp 80 \" added."
>
I think that this is a little subjective. First, since you can have multiple interfaces as part of a zone, there is no guarantee that traffic from two or more arbitrary addresses in some zone will arrive through the same interface. Thus, I do not think that it is unreasonable to expect that the syntax you provide in Example 2 below should be considered "more correct".

Second, Tom has indicated to me that fixing this to make Example 1 correct would require significant changes to two of the core functions in the Shorewall-shell compiler code. I am hesitant to embark on such invasive changes because the Shorewall-shell compiler is in maintenance mode and this looks to me like more than a bug fix. Additionally, there is significant risk of introducing a regression somewhere along the way.

> Example2:
> ACCEPT loc:net0:192.168.3.1,net0:192.168.3.2 net tcp 80
> -The above rule generated the following code:
> run_iptables -A loc2net -p tcp -i net0 -s 192.168.3.1 --dport 80 -j ACCEPT
> run_iptables -A loc2net -p tcp -i net0 -s 192.168.3.2 --dport 80 -j ACCEPT
> progress_message " Rule \"ACCEPT loc:net0:192.168.3.1,net0:192.168.3.2 net tcp 80 \" added."
>
> Is it required to prepend interface name for every comma separated IP address within
> the rule?
>
Given that this behavior is not causing a failure (in the sense that it is not causing execution of Shorewall to halt abnormally), I think that the answer to your question is "yes". I will update the documentation to reflect that it is necessary to explicitly provide the interface name before each address in a comma separated list.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Roberto C. Sánchez
2008-Jan-21 15:12 UTC
Re: rules: interface and comma separated IP addresses.
On Mon, Jan 21, 2008 at 12:45:23AM -0500, Roberto C. Sánchez wrote:
>
> Given that this behavior is not causing a failure (in the sense that it
> is not causing execution of Shorewall to halt abnormally), I think that
> the answer to your question is "yes". I will update the documentation
> to reflect that it is necessary to explicitly provide the interface name
> before each address in a comma separated list.
>
The documentation update has been committed in svn. It will make it into the next release.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Srinivasa Hebbar
2008-Jan-22 03:42 UTC
Re: rules: interface and comma separated IP addresses.
Thanks Roberto,

For now, I will prepend the interface name to each comma-separated IP address. But when I move to the newer shorewall (perl), will it be compatible? How does shorewall-perl behave when I include the interface name for each of the comma-separated IP addresses?

Thanks,
Hebbar.

> On Mon, Jan 21, 2008 at 12:45:23AM -0500, Roberto C. Sánchez wrote:
> > Given that this behavior is not causing a failure (in the sense that it
> > is not causing execution of Shorewall to halt abnormally), I think that
> > the answer to your question is "yes". I will update the documentation
> > to reflect that it is necessary to explicitly provide the interface name
> > before each address in a comma separated list.
>
> The documentation update has been committed in svn. It will make it into
> the next release.
>
> Regards,
>
> -Roberto
Srinivasa Hebbar wrote:
> Thanks Roberto,
>
> For now, I will prepend the interface name for each comma separated IP
> addresses. But, when I move to newer shorewall (perl), will it be compatible?
> How shorewall-perl behaves when I include interface name for each
> of the comma separated IP addresses?

Shorewall-perl doesn't accept that syntax:

~/Configs/two-interfaces/rules:

    #ACTION   SOURCE                                  DEST   PROTO   DEST    SOURCE    ORIGINAL   RATE    USER/   MARK
    #                                                                PORT    PORT(S)   DEST       LIMIT   GROUP
    ACCEPT    net:eth0:192.168.1.3,eth0:192.168.1.5\
                                                      fw     tcp     22

    teastep@wifiursa:~/Configs/two-interfaces> shorewall check -e .
    Checking...
       ERROR: Unknown Host (eth0:192.168.1.3) : /home/teastep/Configs/two-interfaces/rules (line 20)
    teastep@wifiursa:~/Configs/two-interfaces>

So this is one more case where Shorewall-shell and Shorewall-perl are incompatible.

-tom

--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
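Added example, written for this page and not code from Shorewall or from anyone in the thread: a small Python model of the SOURCE-column expansion that Hebbar's two examples show Shorewall-shell 3.4.4 performing, together with two checks a firewall administrator would want around the two facts the thread establishes, namely Roberto's answer that Shorewall-shell needs the interface named before each address in a comma-separated list, and Tom's "shorewall check" run showing that Shorewall-perl rejects that per-address syntax. The names parse_source, run_iptables_lines, unscoped_addresses and needs_perl_rewrite are hypothetical; the sample specs are the ones from the thread; the model is IPv4-only and does not reproduce the zone-wide interface matches that real Shorewall adds around a source given as a bare zone.

```python
"""
Model of how a Shorewall-shell 3.4.4 rule SOURCE such as
"loc:net0:192.168.3.1,192.168.3.2" becomes per-address iptables matches,
as shown by the run_iptables lines quoted in this thread.
Hypothetical helper for illustration, not Shorewall's own code. IPv4 only.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class SourceMatch:
    zone: str
    interface: Optional[str]   # None -> no "-i" in the generated rule
    address: Optional[str]     # None -> no "-s" in the generated rule


def _is_address(text: str) -> bool:
    """True for an IPv4 host or network in dotted or CIDR form."""
    try:
        ipaddress.ip_network(text, strict=False)
        return True
    except ValueError:
        return False


def parse_source(spec: str) -> List[SourceMatch]:
    """Split "zone:[iface:]host,[iface:]host,..." the way the thread's
    Example 1 and Example 2 output shows: an "iface:" prefix applies only
    to the element it is attached to and does not carry over to the next."""
    zone, _, rest = spec.partition(":")
    if not rest:                                   # bare zone, e.g. "loc"
        return [SourceMatch(zone, None, None)]
    matches = []
    for item in rest.split(","):
        if _is_address(item):                      # "192.168.3.2"
            iface, addr = None, item
        elif ":" in item:                          # "net0:192.168.3.1"
            iface, _, addr = item.partition(":")
        else:                                      # bare interface, "net0"
            iface, addr = item, None
        if addr is not None and not _is_address(addr):
            raise ValueError(f"not an address: {addr!r} in {spec!r}")
        matches.append(SourceMatch(zone, iface or None, addr))
    return matches


def run_iptables_lines(chain: str, spec: str, proto: str, dport: int,
                       target: str = "ACCEPT") -> List[str]:
    """Render the per-address rules in the run_iptables form quoted above."""
    lines = []
    for m in parse_source(spec):
        args = ["run_iptables", "-A", chain, "-p", proto]
        if m.interface:
            args += ["-i", m.interface]
        if m.address:
            args += ["-s", m.address]
        args += ["--dport", str(dport), "-j", target]
        lines.append(" ".join(args))
    return lines


def unscoped_addresses(spec: str) -> List[str]:
    """Addresses in a list that mixes "iface:addr" and bare "addr" elements.
    Each of these is matched without "-i", so it accepts traffic arriving on
    ANY interface of the zone, wider than the rule's author asked for
    (192.168.3.2 in Example 1)."""
    matches = parse_source(spec)
    if not any(m.interface for m in matches):
        return []      # no interface anywhere: nothing was scoped to begin with
    return [m.address for m in matches if m.address and m.interface is None]


def needs_perl_rewrite(spec: str) -> bool:
    """True when two or more elements carry their own interface prefix: the
    Shorewall-shell workaround that Tom's check run shows Shorewall-perl
    rejecting with "Unknown Host"."""
    return sum(1 for m in parse_source(spec) if m.interface and m.address) >= 2


if __name__ == "__main__":
    # Constructed input: the two SOURCE columns from Hebbar's first message.
    for spec in ("loc:net0:192.168.3.1,192.168.3.2",
                 "loc:net0:192.168.3.1,net0:192.168.3.2"):
        print(spec)
        for line in run_iptables_lines("loc2net", spec, "tcp", 80):
            print("   ", line)
        print("    unscoped addresses:", unscoped_addresses(spec))
        print("    per-address prefixes (Shorewall-perl rejects):",
              needs_perl_rewrite(spec))
```

Running the block prints the two run_iptables lists for Example 1 and Example 2. The point for anyone auditing a 3.4.4 rules file is unscoped_addresses(): in Example 1 the second address accepts TCP/80 from 192.168.3.2 arriving on any interface in loc rather than only net0, so a mixed list silently widens the rule, and the fix Roberto documents (naming the interface before every address) is what makes the check return an empty list. needs_perl_rewrite() lets the same file be scanned for that per-address workaround before a move to Shorewall-perl, since Tom's output shows it will fail the configuration check there.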