Beta 2 is now available for testing. Beta 1 was uploaded but never formally announced; it included a very flawed implementation of rate limiting for simple traffic shaping which I have removed in Beta 2.

The Beta 2 patch files are against 4.4.10.

Beta 2 includes support for 'vserver' zones. These zones are intended to simplify configuration of Shorewall on a Linux-vserver host. See http://www.shorewall.net/Vserver.html for details.

Thank you for testing,
-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
This SF.net email is sponsored by Sprint
What will you do first with EVO, the first 4G phone?
Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first

Tom

If I issue a "shorewall debug start" or "shorewall trace start" I get the following messages:

Compiling...
.
.
.
Shorewall configuration compiled to /var/lib/shorewall/.start
Usage: /var/lib/shorewall/.start [ options ] [ start|stop|clear|down|reset|
refresh|restart|status|up|version ]

Options are:

   -v and -q        Standard Shorewall verbosity controls
   -n               Don't unpdate routing configuration
   -p               Purge Conntrack Table
   -t               Timestamp progress Messages
   -V <verbosity>   Set verbosity explicitly
   -R <file>        Override RESTOREFILE setting

Steven.

On 7/1/10 3:21 PM, Steven Jan Springl wrote:
> Tom
>
> If I issue a "shorewall debug start" or "shorewall trace start" I get the
> following messages:
> Compiling...
> .
> .
> .
> Shorewall configuration compiled to /var/lib/shorewall/.start
> Usage: /var/lib/shorewall/.start [ options ] [ start|stop|clear|down|reset|
> refresh|restart|status|up|version ]
>
> Options are:
>
>    -v and -q        Standard Shorewall verbosity controls
>    -n               Don't unpdate routing configuration
>    -p               Purge Conntrack Table
>    -t               Timestamp progress Messages
>    -V <verbosity>   Set verbosity explicitly
>    -R <file>        Override RESTOREFILE setting
>

Looks like this has been broken since 4.4.8 :-(

-Tom

On 7/1/10 3:49 PM, Tom Eastep wrote:
> Looks like this has been broken since 4.4.8 :-(

Should be fixed in 338c021272dd4082eb7f40ecbd350a6e0eee7b62.

-Tom

On 7/1/10 4:22 PM, Tom Eastep wrote:
> On 7/1/10 3:49 PM, Tom Eastep wrote:
>
>> Looks like this has been broken since 4.4.8 :-(
>
> Should be fixed in 338c021272dd4082eb7f40ecbd350a6e0eee7b62.

Wrong commit -- it is db8dba66dbb10498816c3062a821f47f67155d2a

-Tom

On Friday 02 July 2010 00:27:39 Tom Eastep wrote:
> On 7/1/10 4:22 PM, Tom Eastep wrote:
> > On 7/1/10 3:49 PM, Tom Eastep wrote:
> >> Looks like this has been broken since 4.4.8 :-(
> >
> > Should be fixed in 338c021272dd4082eb7f40ecbd350a6e0eee7b62.
>
> Wrong commit -- it is db8dba66dbb10498816c3062a821f47f67155d2a
>
> -Tom

Tom

That's fixed it. Thanks.

Steven.

Tom

If a Shorewall configuration has a zone with type ipsec and a zone with type vserver and the vserver zone does not have the ipsec option specified in the hosts file then "shorewall debug start" produces the following error:

iptables: Invalid argument. Run `dmesg' for more information.
   ERROR: Command "/usr/local/sbin/iptables -A eth0_in -m policy --dir
in --pol none -m policy --dir out --pol none -d 10.0.0.0/24 -j lan2vsr"
Failed

dmesg produces the following:

xt_policy: output policy not valid in PREROUTING and INPUT

A copy of the Shorewall config is attached.

Steven.

On 7/2/10 9:23 AM, Steven Jan Springl wrote:
> Tom
>
> If a Shorewall configuration has a zone with type ipsec and a zone with type
> vserver and the vserver zone does not have the ipsec option specified in the
> hosts file then "shorewall debug start" produces the following error:
>
> iptables: Invalid argument. Run `dmesg' for more information.
>    ERROR: Command "/usr/local/sbin/iptables -A eth0_in -m policy --dir
> in --pol none -m policy --dir out --pol none -d 10.0.0.0/24 -j lan2vsr"
> Failed
>
> dmesg produces the following:
>
> xt_policy: output policy not valid in PREROUTING and INPUT
>
> A copy of the Shorewall config is attached.

Thanks, Steven.

Please see if the attached patch corrects the problem.

-Tom

On 7/2/10 12:14 PM, Tom Eastep wrote:
> On 7/2/10 9:23 AM, Steven Jan Springl wrote:
>> Tom
>>
>> If a Shorewall configuration has a zone with type ipsec and a zone with type
>> vserver and the vserver zone does not have the ipsec option specified in the
>> hosts file then "shorewall debug start" produces the following error:
>>
>> iptables: Invalid argument. Run `dmesg' for more information.
>>    ERROR: Command "/usr/local/sbin/iptables -A eth0_in -m policy --dir
>> in --pol none -m policy --dir out --pol none -d 10.0.0.0/24 -j lan2vsr"
>> Failed
>>
>> dmesg produces the following:
>>
>> xt_policy: output policy not valid in PREROUTING and INPUT
>>
>> A copy of the Shorewall config is attached.
>
> Thanks, Steven.
>
> Please see if the attached patch corrects the problem.

Bogus patch -- please try this one in its place.

-Tom

On Friday 02 July 2010 20:48:49 Tom Eastep wrote:
> Bogus patch -- please try this one in its place.
>
> -Tom

Tom

I have applied this patch on its own and it seems to work. Thanks.

Steven.

On 7/2/10 1:07 PM, Steven Jan Springl wrote:
> On Friday 02 July 2010 20:48:49 Tom Eastep wrote:
>> Bogus patch -- please try this one in its place.
>>
>> -Tom
>
> Tom
>
> I have applied this patch on its own and it seems to work. Thanks.

Thanks, Steven.

I've also made the host 'ipsec' option invalid on an entry for a vserver zone. That will be in Beta 3.

-Tom

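
Added example, not part of the thread and not Shorewall's code: a static check for the failure reported above, where a `-m policy --dir out` match sits in a chain entered from INPUT and the kernel rejects the rule. The rule set is constructed; the jump from INPUT to eth0_in is an assumption (the thread shows only the failing command), and the check also covers the mirror case of `--dir in` in chains reached from POSTROUTING or OUTPUT.

```python
import shlex

# Hooks in which the kernel's xt_policy check rejects each direction.
# "out" is the dmesg line quoted in the thread; "in" is the mirror case.
BAD_HOOKS = {"out": {"PREROUTING", "INPUT"}, "in": {"POSTROUTING", "OUTPUT"}}
BUILTIN = {"PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"}

def parse(rule):
    """Return (chain, jump target, policy directions) for one '-A' rule."""
    tok = shlex.split(rule)
    chain = tok[tok.index("-A") + 1]
    target = tok[tok.index("-j") + 1] if "-j" in tok else None
    dirs = {tok[i + 1] for i, t in enumerate(tok[:-1]) if t == "--dir"}
    return chain, target, dirs

def hooks_reaching(rules):
    """Map each chain to the built-in hooks it can be entered from."""
    reach = {b: {b} for b in BUILTIN}
    changed = True
    while changed:  # propagate along jumps until nothing changes
        changed = False
        for chain, target, _ in rules:
            if target is None:
                continue
            src = reach.get(chain, set())
            dst = reach.setdefault(target, set())
            if not src <= dst:
                dst |= src
                changed = True
    return reach

def check(lines):
    """List (chain, direction, offending hooks) for rules the kernel would refuse."""
    rules = [parse(line) for line in lines]
    reach = hooks_reaching(rules)
    problems = []
    for chain, _, dirs in rules:
        for d in sorted(dirs):
            bad = BAD_HOOKS.get(d, set()) & reach.get(chain, set())
            if bad:
                problems.append((chain, d, sorted(bad)))
    return problems

# Constructed rule set: the second rule is the failing command from the thread.
RULES = [
    "-A INPUT -i eth0 -j eth0_in",
    "-A eth0_in -m policy --dir in --pol none -m policy --dir out --pol none "
    "-d 10.0.0.0/24 -j lan2vsr",
    "-A lan2vsr -j ACCEPT",
]

if __name__ == "__main__":
    for chain, direction, hooks in check(RULES):
        print(f"{chain}: --dir {direction} not valid when reached from {hooks}")
```
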