I've uploaded 4.5.2 for testing. Given that I must go back to work tomorrow, I won't have as much time now to play with Shorewall.

----------------------------------------------------------------------------
      P R O B L E M S   C O R R E C T E D   I N   4 . 5 . 2
----------------------------------------------------------------------------

1) Previously, if there were entries in /etc/shorewall/accounting, OPTIMIZE settings of 4, 5, 6 or 7 could cause a run-time failure during 'shorewall start'.

----------------------------------------------------------------------------
      K N O W N   P R O B L E M S   R E M A I N I N G
----------------------------------------------------------------------------

None.

----------------------------------------------------------------------------
      N E W   F E A T U R E S   I N   4 . 5 . 2
----------------------------------------------------------------------------

1) The "optimize 4" feature added in 4.5.1 is now extended to all tables. Additionally:

   - If a built-in chain has a single rule that branches to a second chain, then the rules from the second chain are moved to the built-in chain and the target chain is omitted.

   - Chains with no references are deleted.

   - Accounting chains are subject to optimization if the new OPTIMIZE_ACCOUNTING option is set to 'Yes' (default is 'No').

   - If a chain ends with an unconditional branch to a second chain (other than to 'reject'), then the branch is deleted from the first chain and the rules from the second chain are appended to it.

2) Shorewall now throws an error if:

   a) There are tracked providers; and
   b) PROVIDER_OFFSET is 0; and
   c) 'ipp2p' is used as the PROTO in a tcpri entry.

3) You may now preview the generated ruleset by using the '-r' option to the 'check' command (e.g., "shorewall check -r"). The output is a shell script fragment, similar to the way it appears in the generated script.
Thank you for testing,
-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________

------------------------------------------------------------------------------
This SF.Net email is sponsored by the Verizon Developer Community
Take advantage of Verizon's best-in-class app development support
A streamlined, 14 day to market process makes app distribution fast and easy
Join now and get one step closer to millions of Verizon customers
http://p.sf.net/sfu/verizon-dev2dev
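The chain rewrites listed under new feature 1) are easiest to follow on a concrete ruleset. The following Python model is an example added to this thread; it is not Shorewall's Perl compiler and does not claim to reproduce its exact decisions. It parses one table of the iptables-restore fragment that "shorewall check -r" previews, applies the three rewrites the announcement describes for ordinary chains (inlining a built-in chain's single unconditional branch, appending the rules behind a trailing unconditional branch, and deleting chains nothing references) until nothing changes, and renders the result. The BUILTIN set, the sample ruleset and its chain names are my assumptions; OPTIMIZE_ACCOUNTING is not modelled, and when a chain is still referenced from elsewhere its rules are copied rather than moved, since deleting it would break the other reference.

```python
import shlex
from dataclasses import dataclass

BUILTIN = {"INPUT", "OUTPUT", "FORWARD", "PREROUTING", "POSTROUTING"}  # assumed

@dataclass(frozen=True)
class Rule:
    matches: tuple      # tokens before -j, e.g. ('-i', 'eth0')
    target: str         # the -j argument: a chain name or built-in target
    target_args: tuple  # tokens after the target, e.g. LOG's --log-prefix

    def unconditional(self):
        return not self.matches  # no match tokens: applies to every packet

def parse(fragment):
    """Parse one table of iptables-restore input into {chain: [Rule, ...]}."""
    chains = {}
    for raw in fragment.splitlines():
        line = raw.strip()
        if not line or line[0] in "#*" or line == "COMMIT":
            continue
        if line.startswith(":"):  # ':chain POLICY [pkts:bytes]' declares a chain
            chains.setdefault(line[1:].split()[0], [])
            continue
        tok = shlex.split(line)
        if tok[0] != "-A" or "-j" not in tok:
            raise ValueError("unsupported line: " + line)
        j = tok.index("-j")
        chains.setdefault(tok[1], []).append(
            Rule(tuple(tok[2:j]), tok[j + 1], tuple(tok[j + 2:])))
    return chains

def references(chains):
    refs = {name: 0 for name in chains}  # chain -> number of rules branching to it
    for rules in chains.values():
        for r in rules:
            if r.target in refs:
                refs[r.target] += 1
    return refs

def optimize(chains, max_rounds=100):
    """Apply the three rewrites until nothing changes; returns a new dict."""
    t = {k: list(v) for k, v in chains.items()}
    for _ in range(max_rounds):
        changed = False
        # (a) built-in chain whose only rule is an unconditional branch:
        #     replace that rule by the rules of the chain it branches to
        for name in [n for n in t if n in BUILTIN]:
            rules = t[name]
            if len(rules) == 1 and rules[0].unconditional() and rules[0].target in t:
                t[name] = list(t[rules[0].target])
                changed = True
        # (c) chain ending in an unconditional branch (other than to 'reject'):
        #     drop the branch and append the target chain's rules in its place
        for name, rules in t.items():
            last = rules[-1] if rules else None
            if last and last.unconditional() and last.target in t \
                    and last.target not in (name, "reject"):
                rules.pop()
                rules.extend(t[last.target])
                changed = True
        # (b) delete user chains nothing branches to any more; a chain still
        #     referenced elsewhere survives, so (a) and (c) copy rather than move
        for name, count in references(t).items():
            if count == 0 and name not in BUILTIN:
                del t[name]
                changed = True
        if not changed:
            return t
    raise ValueError("no fixpoint after %d rounds; chain loop?" % max_rounds)

def render(chains):
    """Emit the rules back as '-A' lines in iptables-restore syntax."""
    return "\n".join(shlex.join(["-A", n, *r.matches, "-j", r.target, *r.target_args])
                     for n, rules in chains.items() for r in rules)

# Constructed sample: INPUT holds one unconditional branch (case a), net2fw ends
# in a branch to Reject (case c) and Reject ends in a branch to 'reject' (left alone).
SAMPLE = """\
*filter
:INPUT DROP [0:0]
:Reject - [0:0]
:dynamic - [0:0]
:net2fw - [0:0]
:reject - [0:0]
-A INPUT -j dynamic
-A Reject -j LOG --log-level 6 --log-prefix "Shorewall:Reject:REJECT:"
-A Reject -j reject
-A dynamic -i eth0 -j net2fw
-A net2fw -m state --state ESTABLISHED,RELATED -j ACCEPT
-A net2fw -p tcp --dport 22 -j ACCEPT
-A net2fw -j Reject
-A reject -j REJECT
COMMIT
"""

if __name__ == "__main__":
    print(render(optimize(parse(SAMPLE))))
```

Running it on the sample leaves three chains: INPUT now carries dynamic's single rule directly, net2fw has absorbed Reject's LOG rule and its branch to reject, and the now unreferenced dynamic and Reject chains are gone, while the branch to reject itself stays exactly as the announcement says. The max_rounds guard only matters for a looping chain graph, which iptables would refuse to load anyway.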
Tom

From the following rule:

NONAT:warn .........

Shorewall generates the following iptables rules:

-A log72 -j LOG --log-level 4 --log-prefix "Shorewall:lan_dnat:NONAT:"
-A log72 ACCEPT-j ACCEPT

which produces the following error message:

Bad argument 'ACCEPT-j'

Steven.
Steven Jan Springl wrote:
> Tom
>
> From the following rule:
>
> NONAT:warn .........
>
> Shorewall generates the following iptables rules:
>
> -A log72 -j LOG --log-level 4 --log-prefix "Shorewall:lan_dnat:NONAT:"
> -A log72 ACCEPT-j ACCEPT
>
> which produces the following error message:
>
> Bad argument 'ACCEPT-j'

Steven,

I'll need the configuration (with capabilities file) -- that construct works fine in my setup.

Thanks,
-Tom
On Sunday 03 January 2010 22:27:57 Tom Eastep wrote:
> Steven,
>
> I'll need the configuration (with capabilities file) -- that construct
> works fine in my setup.
>

Tom

Configuration + capabilities file attached.

Steven.
Steven Jan Springl wrote:
> On Sunday 03 January 2010 22:27:57 Tom Eastep wrote:
>> Steven,
>>
>> I'll need the configuration (with capabilities file) -- that construct
>> works fine in my setup.
>>
>
> Tom
>
> Configuration + capabilities file attached.

Thanks, Steven

Turns out, the problem was easy to reproduce after all. The Rules.pm patch in commit 59b2bc0e7dee978e4a0eafa52fd21007d0365860 fixes the problem.

Thanks again for testing,
-Tom
On Sunday 03 January 2010 23:34:28 Tom Eastep wrote:
> Thanks again for testing,

Tom

You are welcome.

The same configuration now generates the following iptables rule:

-A OUTPUT -o lo -j fw2fw

which produces the following error:

iptables-restore v1.4.5: Couldn't load target `fw2fw':/usr/local/libexec/xtables/libipt_fw2fw.so: cannot open shared object file: No such file or directory

Steven.
Steven Jan Springl wrote:
> On Sunday 03 January 2010 23:34:28 Tom Eastep wrote:
>
>> Thanks again for testing,
>
> Tom
>
> You are welcome.
>
> The same configuration now generates the following iptables rule:
>
> -A OUTPUT -o lo -j fw2fw
>
> which produces the following error:
>
> iptables-restore v1.4.5: Couldn't load target
> `fw2fw':/usr/local/libexec/xtables/libipt_fw2fw.so: cannot open shared object
> file: No such file or directory
>

Please see what happens with fdb89a78b01aaacb391f7817130e4bf02bfebd13.

Thanks,
-Tom
On Monday 04 January 2010 00:43:37 Tom Eastep wrote:
> Please see what happens with fdb89a78b01aaacb391f7817130e4bf02bfebd13.

Tom that has fixed that problem. However the same configuration again generates the following iptables rule:

-A br0_in -p 6 -j %dropNotSyn

which produces the following error:

iptables-restore v1.4.5: Couldn't load target `%dropNotSyn':/usr/local/libexec/xtables/libipt_%dropNotSyn.so: cannot open shared object file: No such file or directory

Steven.
Steven Jan Springl wrote:
> On Monday 04 January 2010 00:43:37 Tom Eastep wrote:
>
>> Please see what happens with fdb89a78b01aaacb391f7817130e4bf02bfebd13.
>
> Tom that has fixed that problem. However the same configuration again
> generates the following iptables rule:
>
> -A br0_in -p 6 -j %dropNotSyn
>
> which produces the following error:
>
> iptables-restore v1.4.5: Couldn't load target
> `%dropNotSyn':/usr/local/libexec/xtables/libipt_%dropNotSyn.so: cannot open
> shared object file: No such file or directory

Okay -- let's call it a night and I'll work on that one tomorrow.

Thanks again for your help,
-Tom
Tom Eastep wrote:
> Steven Jan Springl wrote:
>> On Monday 04 January 2010 00:43:37 Tom Eastep wrote:
>>
>>> Please see what happens with fdb89a78b01aaacb391f7817130e4bf02bfebd13.
>> Tom that has fixed that problem. However the same configuration again
>> generates the following iptables rule:
>>
>> -A br0_in -p 6 -j %dropNotSyn
>>
>> which produces the following error:
>>
>> iptables-restore v1.4.5: Couldn't load target
>> `%dropNotSyn':/usr/local/libexec/xtables/libipt_%dropNotSyn.so: cannot open
>> shared object file: No such file or directory
>
> Okay -- let's call it a night and I'll work on that one tomorrow.

I've tested commit f472d2e20eb208a2b7191edec7d257bd5109d91b as far as I can with your configuration.

Please let me know,
-Tom
On Monday 04 January 2010 02:44:47 Tom Eastep wrote:
> I've tested commit f472d2e20eb208a2b7191edec7d257bd5109d91b as far as I
> can with your configuration.
>
> Please let me know,

Tom

That's worked.

Steven.
Steven Jan Springl wrote:
> On Monday 04 January 2010 02:44:47 Tom Eastep wrote:
>
>> I've tested commit f472d2e20eb208a2b7191edec7d257bd5109d91b as far as I
>> can with your configuration.
>>
>> Please let me know,
>
> Tom
>
> That's worked.

Thanks, Steven.

I'm going to add that configuration to my regression test suite.

-Tom
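Each of the three failures Steven reported in this thread (the "Bad argument 'ACCEPT-j'" message and the unloadable targets fw2fw and %dropNotSyn) only surfaced when iptables-restore tried to load the generated ruleset; iptables treats a -j name that is neither a built-in target nor a chain of the same table as an extension module, which is why the last two show up as missing libipt_*.so files. The check below is added here as an example, not Shorewall's own code, of what a regression suite can run over the preview that "shorewall check -r" produces before anything is loaded: it parses the fragment and flags a value fused with an option, a -j target that is neither a known target nor a chain declared in the table, and an unexpanded %-placeholder. The KNOWN_TARGETS list (deliberately incomplete), the FUSED heuristic and the sample fragment, which drops the thread's three rules into a constructed minimal filter table, are my assumptions.

```python
import re
import shlex

# Targets iptables provides itself or through a standard extension. Assumed and
# incomplete; an extension target missing here shows up as an undeclared chain,
# so extend the set per installation.
KNOWN_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG", "MARK", "CONNMARK",
                 "DNAT", "SNAT", "MASQUERADE", "REDIRECT", "NFLOG", "ULOG", "TOS",
                 "CLASSIFY", "NOTRACK", "TCPMSS"}
# A token that ends in -j or -g without starting with '-', as in 'ACCEPT-j'
# (heuristic; a value that legitimately ends in "-j" would also be flagged).
FUSED = re.compile(r"[^-].*-[jg]")

def lint(fragment):
    """Return [(line_no, message), ...] for rules iptables-restore would reject."""
    lines = fragment.splitlines()
    # ':name POLICY [pkts:bytes]' lines declare the chains of this table
    declared = {l.strip()[1:].split()[0] for l in lines if l.strip().startswith(":")}
    problems = []
    for no, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line[0] in "#*:" or line == "COMMIT":
            continue
        tok = shlex.split(line)
        if tok[0] not in ("-A", "-I"):
            problems.append((no, "unexpected command %r" % tok[0]))
            continue
        fused = [t for t in tok[2:] if FUSED.fullmatch(t)]
        if fused:
            problems.append((no, "token %r looks like a value fused with an option" % fused[0]))
            continue
        if len(tok) > 2 and tok[2][0] not in "-!":
            problems.append((no, "stray token %r after the chain name" % tok[2]))
        flag = "-j" if "-j" in tok else "-g" if "-g" in tok else None
        if flag is None or tok.index(flag) + 1 >= len(tok):
            problems.append((no, "rule has no -j/-g target"))
            continue
        target = tok[tok.index(flag) + 1]
        if "%" in target:
            problems.append((no, "unexpanded placeholder %r" % target))
        elif target not in KNOWN_TARGETS and target not in declared:
            problems.append((no, "branch to undeclared chain %r" % target))
    return problems

# Constructed fragment: the three rules quoted in this thread inside a minimal
# filter table (in the thread the log72 rules belonged to the nat table).
SAMPLE = """\
*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
:br0_in - [0:0]
:log72 - [0:0]
-A INPUT -i br0 -j br0_in
-A OUTPUT -o lo -j fw2fw
-A log72 -j LOG --log-level 4 --log-prefix "Shorewall:lan_dnat:NONAT:"
-A log72 ACCEPT-j ACCEPT
-A br0_in -p 6 -j %dropNotSyn
-A br0_in -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    import sys
    found = lint(SAMPLE)
    for no, msg in found:
        print("line %d: %s" % (no, msg))
    sys.exit(1 if found else 0)
```

On the sample it reports lines 7, 9 and 10, one finding per bad rule, and exits non-zero, so it slots into a test script that runs "shorewall check -r" for each saved configuration and fails the build before iptables-restore ever sees the output.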
Tom Eastep wrote:
> Steven Jan Springl wrote:
>> On Monday 04 January 2010 02:44:47 Tom Eastep wrote:
>>
>>> I've tested commit f472d2e20eb208a2b7191edec7d257bd5109d91b as far as I
>>> can with your configuration.
>>>
>>> Please let me know,
>> Tom
>>
>> That's worked.
>
> Thanks, Steven.
>
> I'm going to add that configuration to my regression test suite.

Also, if you have the time, it would be good to verify that this configuration loads when compiled with OPTIMIZE=7.

Thanks,
-Tom
On Monday 04 January 2010 15:18:08 Tom Eastep wrote:
> Tom Eastep wrote:
> Also, if you have the time, it would be good to verify that this
> configuration loads when compiled with OPTIMIZE=7.
>

Tom

OPTIMIZE=7 works.

However specifying an invalid value such as OPTIMIZE=Y produces the following message:

Use of uninitialized value $val in concatenation (.) or string at /usr/share/shorewall/Shorewall/Config.pm line 2668.

Steven.
Steven Jan Springl wrote:
> On Monday 04 January 2010 15:18:08 Tom Eastep wrote:
>> Tom Eastep wrote:
>
>> Also, if you have the time, it would be good to verify that this
>> configuration loads when compiled with OPTIMIZE=7.
>>
>
> Tom
>
> OPTIMIZE=7 works.
>
> However specifying an invalid value such as OPTIMIZE=Y produces the following
> message:
>
> Use of uninitialized value $val in concatenation (.) or string
> at /usr/share/shorewall/Shorewall/Config.pm line 2668.

Corrected in 6527f5c284c67ff6963d9639e4567f5b06b5b754

Thanks, Steven!
-Tom