Beta 5 is now ready for testing.

Problems Corrected:

1) Previously, proxy ARP with logical interface names did not work.
   Symptoms included numerous Perl runtime error messages.

New Features:

1) Beta 5 introduces format-2 actions. Based on the similar feature of
   macros, format-2 actions allow the same column layout for macros,
   actions and rules. In the action.xxx file, simply make the first
   non-commentary line:

       FORMAT 2

   This allows the lines which follow to have the same columns as those
   in the rules file. As with format 1 actions, zone names may not
   appear in the SOURCE and DEST columns.

   As part of this change, the earlier kludgy restrictions regarding
   Macros and Actions have been eliminated. For example, DNAT, DNAT-,
   REDIRECT, REDIRECT- and ACCEPT+ rules are now allowed in Actions and
   in macros invoked from Actions. Additionally, Macros used in Actions
   are now free to invoke other actions.

The Shorewall patch looks formidable but is not as bad as it looks. It
involved adding a new Perl module (Shorewall::Misc) and re-distributing
the functions in Shorewall::Actions and Shorewall::Rules.

Thank you for testing,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
------------------------------------------------------------------------------
Tom

The following proxyarp entry:

    99.88.77.2 ssp eth0 yes yes

produces the following messages:

Use of uninitialized value $physical in concatenation (.) or string
at /usr/share/shorewall/Shorewall/Proxyarp.pm line 156.

Use of uninitialized value $physical in concatenation (.) or string
at /usr/share/shorewall/Shorewall/Proxyarp.pm line 158.

Use of uninitialized value in numeric comparison (<=>)
at /usr/share/shorewall/Shorewall/Zones.pm line 1334.

Steven.
------------------------------------------------------------------------------
On 12/18/10 4:12 PM, Steven Jan Springl wrote:
> Tom
>
> The following proxyarp entry:
>
> 99.88.77.2 ssp eth0 yes yes
>
> produces the following messages:
>
> Use of uninitialized value $physical in concatenation (.) or string
> at /usr/share/shorewall/Shorewall/Proxyarp.pm line 156.
>
> Use of uninitialized value $physical in concatenation (.) or string
> at /usr/share/shorewall/Shorewall/Proxyarp.pm line 158.
>
> Use of uninitialized value in numeric comparison (<=>)
> at /usr/share/shorewall/Shorewall/Zones.pm line 1334.

Steven,

I need a test case.

Thanks,
-Tom
------------------------------------------------------------------------------
On Sunday 19 December 2010 00:45:17 Tom Eastep wrote:
> On 12/18/10 4:12 PM, Steven Jan Springl wrote:
> > Tom
> >
> > The following proxyarp entry:
> >
> > 99.88.77.2 ssp eth0 yes yes
> >
> > produces the following messages:
> >
> > Use of uninitialized value $physical in concatenation (.) or string
> > at /usr/share/shorewall/Shorewall/Proxyarp.pm line 156.
> >
> > Use of uninitialized value $physical in concatenation (.) or string
> > at /usr/share/shorewall/Shorewall/Proxyarp.pm line 158.
> >
> > Use of uninitialized value in numeric comparison (<=>)
> > at /usr/share/shorewall/Shorewall/Zones.pm line 1334.
>
> Steven,
>
> I need a test case.
>
> Thanks,
> -Tom

Tom

My test config is attached.

Steven.
------------------------------------------------------------------------------
On 12/18/10 4:50 PM, Steven Jan Springl wrote:
> On Sunday 19 December 2010 00:45:17 Tom Eastep wrote:
>> On 12/18/10 4:12 PM, Steven Jan Springl wrote:
>>> Tom
>>>
>>> The following proxyarp entry:
>>>
>>> 99.88.77.2 ssp eth0 yes yes
>>>
>>> produces the following messages:
>>>
>>> Use of uninitialized value $physical in concatenation (.) or string
>>> at /usr/share/shorewall/Shorewall/Proxyarp.pm line 156.
>>>
>>> Use of uninitialized value $physical in concatenation (.) or string
>>> at /usr/share/shorewall/Shorewall/Proxyarp.pm line 158.
>>>
>>> Use of uninitialized value in numeric comparison (<=>)
>>> at /usr/share/shorewall/Shorewall/Zones.pm line 1334.
>>
>> Steven,
>>
>> I need a test case.
>
> My test config is attached.

Thanks, Steven.

This is actually a case where an error should be generated. Interface
name 'spp' should not match wildcard 'spp+'. Patch attached.

-Tom
------------------------------------------------------------------------------
On Sunday 19 December 2010 16:12:54 Tom Eastep wrote:
>
> This is actually a case where an error should be generated. Interface
> name 'spp' should not match wildcard 'spp+'. Patch attached.
>
> -Tom

Tom

That's fixed it, thanks.

Steven.
------------------------------------------------------------------------------
Tom

Using the same test config I used for the proxyarp problem and notrack entry:

    z1 ssp21 2

the following messages are produced:

Use of uninitialized value $chain in hash element
at /usr/share/shorewall/Shorewall/Zones.pm line 805, <$currentfile> line 15.

Use of uninitialized value $chain in substitution (s///)
at /usr/share/shorewall/Shorewall/Zones.pm line 817, <$currentfile> line 15.

Use of uninitialized value in transliteration (tr///)
at /usr/share/shorewall/Shorewall/Zones.pm line 818, <$currentfile> line 15.

Use of uninitialized value $chain in string eq
at /usr/share/shorewall/Shorewall/Zones.pm line 820, <$currentfile> line 15.

Use of uninitialized value $chain in substitution (s///)
at /usr/share/shorewall/Shorewall/Zones.pm line 824, <$currentfile> line 15.

Use of uninitialized value $chain in pattern match (m//)
at /usr/share/shorewall/Shorewall/Zones.pm line 828, <$currentfile> line 15.

Use of uninitialized value $chain in join or string
at /usr/share/shorewall/Shorewall/Zones.pm line 832, <$currentfile> line 15.

Use of uninitialized value $key in hash element
at /usr/share/shorewall/Shorewall/Zones.pm line 846, <$currentfile> line 15.

Use of uninitialized value $interface in concatenation (.) or string
at /usr/share/shorewall/Shorewall/Chains.pm line 3275, <$currentfile> line 15.

Use of uninitialized value $interface in hash element
at /usr/share/shorewall/Shorewall/Chains.pm line 3275, <$currentfile> line 15.

Use of uninitialized value in numeric comparison (<=>)
at /usr/share/shorewall/Shorewall/Zones.pm line 1334.

Steven.
------------------------------------------------------------------------------
On 12/19/10 12:51 PM, Steven Jan Springl wrote:
> Using the same test config I used for the proxyarp problem and notrack entry:
>
> z1 ssp21 2
>
> the following messages are produced:
>
> Use of uninitialized value $chain in hash element
> at /usr/share/shorewall/Shorewall/Zones.pm line 805, <$currentfile> line 15.
> ...

Steven,

This seems to fix it.

Thanks!
-Tom
------------------------------------------------------------------------------
On Sunday 19 December 2010 21:31:01 Tom Eastep wrote:
> Steven,
>
> This seems to fix it.
>
> Thanks!
> -Tom

Tom

It fixes all but the last message:

Use of uninitialized value in numeric comparison (<=>)
at /usr/share/shorewall/Shorewall/Zones.pm line 1334.

This message is produced in the "Optimizing ruleset.." phase.

Steven.
------------------------------------------------------------------------------
On 12/19/10 2:02 PM, Steven Jan Springl wrote:
> On Sunday 19 December 2010 21:31:01 Tom Eastep wrote:
>> Steven,
>>
>> This seems to fix it.
>>
>> Thanks!
>> -Tom
>
> Tom
>
> It fixes all but the last message:
>
> Use of uninitialized value in numeric comparison (<=>)
> at /usr/share/shorewall/Shorewall/Zones.pm line 1334.
>
> This message is produced in the "Optimizing ruleset.." phase.

Steven,

Please find attached a patch that should correct this and some other
problems.

Thanks!
-Tom
------------------------------------------------------------------------------
On Monday 20 December 2010 00:32:45 Tom Eastep wrote:
> > It fixes all but the last message:
> >
> > Use of uninitialized value in numeric comparison (<=>)
> > at /usr/share/shorewall/Shorewall/Zones.pm line 1334.
> >
> > This message is produced in the "Optimizing ruleset.." phase.
>
> Steven,
>
> Please find attached a patch that should correct this and some other
> problems.
>
> Thanks!
> -Tom

Tom

The patch to Zones.pm fixes the problem.

The patch to Proxyarp.pm does not apply. The following line is referred to in
the patch, but does not exist in Proxyarp.pm:

    fatal_error "Wildcard interface ($external) not allowed" if $external =~ /\+$/;

Steven.
------------------------------------------------------------------------------
On 12/20/10 12:06 PM, Steven Jan Springl wrote:
> The patch to Zones.pm fixes the problem.
>
> The patch to Proxyarp.pm does not apply. The following line is referred to in
> the patch, but does not exist in Proxyarp.pm:
>
> fatal_error "Wildcard interface ($external) not allowed" if $external
> =~ /\+$/;

Yes -- that was added in an intervening patch.

http://shorewall.git.sourceforge.net/git/gitweb.cgi?p=shorewall/shorewall;a=patch;h=55452c6e59ef5fb8a93ab253ede9c0a3f2b43764

-Tom
------------------------------------------------------------------------------
On Monday 20 December 2010 20:19:43 Tom Eastep wrote:
> On 12/20/10 12:06 PM, Steven Jan Springl wrote:
> > The patch to Zones.pm fixes the problem.
> >
> > The patch to Proxyarp.pm does not apply. The following line is referred to
> > in the patch, but does not exist in Proxyarp.pm:
> >
> > fatal_error "Wildcard interface ($external) not allowed" if $external
> > =~ /\+$/;
>
> Yes -- that was added in an intervening patch.
>
> http://shorewall.git.sourceforge.net/git/gitweb.cgi?p=shorewall/shorewall;a=patch;h=55452c6e59ef5fb8a93ab253ede9c0a3f2b43764
>
> -Tom

Tom

That's fixed it. Thanks.

Steven.
------------------------------------------------------------------------------
Tom

Using the same test config I used for the proxyarp problem and replacing the
last line of the providers file with:

    isp2 2 2 main ssp2:192.168.0.4 192.168.0.254

which generates the following iptables rule:

    -A routemark -i ppp2 -m mac --mac-source -j MARK --set-mark 0x2

which produces the following message:

    iptables-restore v1.4.10: Bad mac address "-j"

Steven.
------------------------------------------------------------------------------
On 12/20/10 1:23 PM, Steven Jan Springl wrote:
> Tom
>
> Using the same test config I used for the proxyarp problem and replacing the
> last line of the providers file with:
>
> isp2 2 2 main ssp2:192.168.0.4 192.168.0.254
>
> which generates the following iptables rule:
>
> -A routemark -i ppp2 -m mac --mac-source -j MARK --set-mark 0x2
>
> which produces the following message:
>
> iptables-restore v1.4.10: Bad mac address "-j"

Hmmm -- wonder what I can do to give a more informative error to a user
trying to configure multi-ISP through a single PPP interface. Can't do
it at compile time since a PPP interface can have an arbitrary name.

I'll take a look...

-Tom
------------------------------------------------------------------------------
On 12/20/10 2:34 PM, Tom Eastep wrote:
> On 12/20/10 1:23 PM, Steven Jan Springl wrote:
>> Tom
>>
>> Using the same test config I used for the proxyarp problem and replacing the
>> last line of the providers file with:
>>
>> isp2 2 2 main ssp2:192.168.0.4 192.168.0.254
>>
>> which generates the following iptables rule:
>>
>> -A routemark -i ppp2 -m mac --mac-source -j MARK --set-mark 0x2
>>
>> which produces the following message:
>>
>> iptables-restore v1.4.10: Bad mac address "-j"
>
> Hmmm -- wonder what I can do to give a more informative error to a user
> trying to configure multi-ISP through a single PPP interface. Can't do
> it at compile time since a PPP interface can have an arbitrary name.
>
> I'll take a look...

This appears to be a general problem with multi-ISP through a single
optional interface, regardless of type.

The attached patch should work around it; please let me know.

Thanks,
-Tom
------------------------------------------------------------------------------
On Monday 20 December 2010 23:04:52 Tom Eastep wrote:
> This appears to be a general problem with multi-ISP through a single
> optional interface, regardless of type.
>
> The attached patch should work around it; please let me know.
>
> Thanks,
> -Tom

Tom

The patch seems to work. Thanks.

Steven.
------------------------------------------------------------------------------
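Added example, not part of the original thread and not Shorewall code: a pre-load check that flags the rule quoted above, where `--mac-source` is followed directly by `-j`, before the ruleset is handed to iptables-restore. The option table and the sample ruleset are assumptions constructed for illustration; only the failing rule is taken from the thread.

```python
import shlex

# Options that must be followed by a value. Assumption: a small subset picked
# for this example, not the full iptables option list.
OPTIONS_WITH_VALUE = {
    "-A", "-I", "-i", "-o", "-s", "-d", "-p", "-m", "-j",
    "--mac-source", "--set-mark", "--dport", "--sport",
}


def missing_arguments(rule):
    """Return the options in one rule line whose value is absent."""
    tokens = shlex.split(rule)
    missing = []
    i = 0
    while i < len(tokens):
        if tokens[i] not in OPTIONS_WITH_VALUE:
            i += 1
            continue
        j = i + 1
        # Accept the older "option ! value" negation form.
        if j < len(tokens) and tokens[j] == "!":
            j += 1
        if j >= len(tokens) or tokens[j].startswith("-"):
            # The value is absent: the next token is the end of the rule or
            # another option, which is what iptables-restore tripped over.
            missing.append(tokens[i])
            i += 1
        else:
            # Skip the consumed value so it is never mistaken for an option.
            i = j + 1
    return missing


def lint_ruleset(text):
    """Return (line number, option) pairs for rule lines with empty options."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        # Only rule lines are checked; table names, chain declarations,
        # comments and COMMIT are passed over.
        if not stripped.startswith(("-A", "-I")):
            continue
        for option in missing_arguments(stripped):
            findings.append((lineno, option))
    return findings


# Constructed iptables-restore input. Line 5 is the rule from the thread,
# generated when no MAC address could be resolved for the provider gateway.
SAMPLE_RULESET = """\
*mangle
:PREROUTING ACCEPT [0:0]
:routemark - [0:0]
-A PREROUTING -j routemark
-A routemark -i ppp2 -m mac --mac-source -j MARK --set-mark 0x2
-A routemark -i eth1 -m mac --mac-source 00:11:22:33:44:55 -j MARK --set-mark 0x1
COMMIT
"""

if __name__ == "__main__":
    for lineno, option in lint_ruleset(SAMPLE_RULESET):
        print(f"line {lineno}: option {option} has no value")
```

A check like this reports the empty option by name and line instead of the less direct `Bad mac address "-j"`.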
Tom

The attached minimal configuration starts successfully.

If the interface entry for zone tst is changed from ppp1 to ppp+ the following
message is produced:

ERROR: Unable to determine the routes through interface "ppp1": Firewall state
not changed

If the entry in notrack is removed then the configuration starts successfully.

Is this expected?

Steven.
------------------------------------------------------------------------------
On 12/20/10 4:42 PM, Steven Jan Springl wrote:
> Tom
>
> The attached minimal configuration starts successfully.
>
> If the interface entry for zone tst is changed from ppp1 to ppp+ the following
> message is produced:
>
> ERROR: Unable to determine the routes through interface "ppp1": Firewall state
> not changed
>
> If the entry in notrack is removed then the configuration starts successfully.
>
> Is this expected?

No -- but I suspect that I've solved that one in my other commits to the
master branch. Let's hold off on that until the next Beta, if you don't
mind.

Thanks,
-Tom
------------------------------------------------------------------------------
On Tuesday 21 December 2010 00:56:59 Tom Eastep wrote:
> No -- but I suspect that I've solved that one in my other commits to the
> master branch. Let's hold off on that until the next Beta, if you don't
> mind.
>
> Thanks,
> -Tom

Tom

No problem, it's only a test config.

Steven.
------------------------------------------------------------------------------
On 12/20/10 5:01 PM, Steven Jan Springl wrote:
> On Tuesday 21 December 2010 00:56:59 Tom Eastep wrote:
>
>> No -- but I suspect that I've solved that one in my other commits to the
>> master branch. Let's hold off on that until the next Beta, if you don't
>> mind.
>>
>> Thanks,
>> -Tom
>
> Tom
>
> No problem, it's only a test config.

One other question -- do you have an interface called ppp1 and is it in
the started state?

Thanks,
-Tom
------------------------------------------------------------------------------
On 12/20/10 6:09 PM, Tom Eastep wrote:
> On 12/20/10 5:01 PM, Steven Jan Springl wrote:
>> On Tuesday 21 December 2010 00:56:59 Tom Eastep wrote:
>>
>>> No -- but I suspect that I've solved that one in my other commits to the
>>> master branch. Let's hold off on that until the next Beta, if you don't
>>> mind.
>>>
>>> Thanks,
>>> -Tom
>>
>> Tom
>>
>> No problem, it's only a test config.
>
> One other question -- do you have an interface called ppp1 and is it in
> the started state?

I'm guessing so -- I have confirmed that with my current tree, the error
message that you are seeing cannot be generated by the script produced
with ppp1 replaced by ppp+.

-Tom
------------------------------------------------------------------------------
On Tuesday 21 December 2010 02:09:12 Tom Eastep wrote:
> On 12/20/10 5:01 PM, Steven Jan Springl wrote:
> > On Tuesday 21 December 2010 00:56:59 Tom Eastep wrote:
> >> No -- but I suspect that I've solved that one in my other commits to the
> >> master branch. Let's hold off on that until the next Beta, if you don't
> >> mind.
> >>
> >> Thanks,
> >> -Tom
> >
> > Tom
> >
> > No problem, it's only a test config.
>
> One other question -- do you have an interface called ppp1 and is it in
> the started state?
>
> Thanks,
> -Tom

Tom

No, ppp1 does not exist.

Steven.
------------------------------------------------------------------------------
On 12/21/2010 08:01 AM, Steven Jan Springl wrote:
> No, ppp1 does not exist.

Thanks -- I realized after I sent the post this morning that you
probably did not have ppp1.

-Tom
------------------------------------------------------------------------------
Tom

In the attached minimal config, action F2 calls itself, which results in
the "Optimizing ruleset" phase going into an endless loop.

Steven.
------------------------------------------------------------------------------
On 12/21/10 12:37 PM, Steven Jan Springl wrote:
> Tom
>
> In the attached minimal config, action F2 calls itself, which results in
> the "Optimizing ruleset" phase going into an endless loop.

This fixes it.

Thanks Steven,
-Tom
------------------------------------------------------------------------------
On Tuesday 21 December 2010 21:19:29 Tom Eastep wrote:
> On 12/21/10 12:37 PM, Steven Jan Springl wrote:
> > Tom
> >
> > In the attached minimal config, action F2 calls itself, which results in
> > the "Optimizing ruleset" phase going into an endless loop.
>
> This fixes it.
>
> Thanks Steven,
> -Tom

Tom

Confirmed, it works here too. Thanks.

Steven.
------------------------------------------------------------------------------
On Tuesday 21 December 2010 21:19:29 Tom Eastep wrote:
> On 12/21/10 12:37 PM, Steven Jan Springl wrote:
> > Tom
> >
> > In the attached minimal config, action F2 calls itself, which results in
> > the "Optimizing ruleset" phase going into an endless loop.
>
> This fixes it.
>
> Thanks Steven,
> -Tom

Tom

If action F2 contains an additional line eg:

    REDIRECT F2

then the "Optimizing ruleset" phase goes into an endless loop again.

Steven.
------------------------------------------------------------------------------
On 12/21/10 2:53 PM, Steven Jan Springl wrote:
> On Tuesday 21 December 2010 21:19:29 Tom Eastep wrote:
>> On 12/21/10 12:37 PM, Steven Jan Springl wrote:
>>> Tom
>>>
>>> In the attached minimal config, action F2 calls itself, which results in
>>> the "Optimizing ruleset" phase going into an endless loop.
>>
>> This fixes it.
>>
>> Thanks Steven,
>> -Tom
>
> Tom
>
> If action F2 contains an additional line eg:
>
> REDIRECT
> F2
>
> then the "Optimizing ruleset" phase goes into an endless loop again.

I suspect that is due to the bug I just found in the last fix. Please
try this patch.

Thanks, Steven
-Tom
------------------------------------------------------------------------------
On Tuesday 21 December 2010 23:31:51 Tom Eastep wrote:
> I suspect that is due to the bug I just found in the last fix. Please
> try this patch.
>
> Thanks, Steven
> -Tom

Tom

The second hunk of the patch does not apply.

Rules.pm contains

    $targets{$action} = ACTION;

The patch contains:

    $targets{$action} |= ACTION;

Steven.
------------------------------------------------------------------------------
On 12/21/10 5:18 PM, Steven Jan Springl wrote:
> On Tuesday 21 December 2010 23:31:51 Tom Eastep wrote:
>
>> I suspect that is due to the bug I just found in the last fix. Please
>> try this patch.
>>
>> Thanks, Steven
>> -Tom
>
>
> Tom
>
> The second hunk of the patch does not apply.
>
> Rules.pm contains
>
> $targets{$action} = ACTION;
>
> The patch contains:
>
> $targets{$action} |= ACTION;

We're clearly out of sync. I'll release Beta 6 tomorrow.

Thanks for your help, Steven
-Tom
------------------------------------------------------------------------------
On 12/21/10 5:47 PM, Tom Eastep wrote:
> On 12/21/10 5:18 PM, Steven Jan Springl wrote:
>> On Tuesday 21 December 2010 23:31:51 Tom Eastep wrote:
>>
>>> I suspect that is due to the bug I just found in the last fix. Please
>>> try this patch.
>>>
>>> Thanks, Steven
>>> -Tom
>>
>>
>> Tom
>>
>> The second hunk of the patch does not apply.
>>
>> Rules.pm contains
>>
>> $targets{$action} = ACTION;
>>
>> The patch contains:
>>
>> $targets{$action} |= ACTION;
>
> We're clearly out of sync. I'll release Beta 6 tomorrow.
>

Beta 6 is available at
http://ipv6.shorewall.net/pub/shorewall/development/4.4/shorewall-4.4.16-Beta6/

-Tom
------------------------------------------------------------------------------
On Tuesday 21 December 2010 00:56:59 Tom Eastep wrote:
> On 12/20/10 4:42 PM, Steven Jan Springl wrote:
> > Tom
> >
> > The attached minimal configuration starts successfully.
> >
> > If the interface entry for zone tst is changed from ppp1 to ppp+ the
> > following message is produced:
> >
> > ERROR: Unable to determine the routes through interface "ppp1": Firewall
> > state not changed
> >
> > If the entry in notrack is removed then the configuration starts
> > successfully.
> >
> > Is this expected?
>
> No -- but I suspect that I've solved that one in my other commits to the
> master branch. Let's hold off on that until the next Beta, if you don't
> mind.
>
> Thanks,
> -Tom

Tom

This is fixed in Beta 6. Thanks.

Steven.
------------------------------------------------------------------------------
On Tuesday 21 December 2010 23:31:51 Tom Eastep wrote:
> On 12/21/10 2:53 PM, Steven Jan Springl wrote:
> > On Tuesday 21 December 2010 21:19:29 Tom Eastep wrote:
> >> On 12/21/10 12:37 PM, Steven Jan Springl wrote:
> >>> Tom
> >>>
> >>> In the attached minimal config, action F2 calls itself, which results
> >>> in the "Optimizing ruleset" phase going into an endless loop.
> >>
> >> This fixes it.
> >>
> >> Thanks Steven,
> >> -Tom
> >
> > Tom
> >
> > If action F2 contains an additional line eg:
> >
> > REDIRECT
> > F2
> >
> > then the "Optimizing ruleset" phase goes into an endless loop again.
>
> I suspect that is due to the bug I just found in the last fix. Please
> try this patch.
>
> Thanks, Steven
> -Tom

Tom

This is also fixed in Beta 6. Thanks.

Steven.
------------------------------------------------------------------------------
On 12/22/10 3:49 PM, Steven Jan Springl wrote:
>
> This is also fixed in Beta 6. Thanks.
>

Thanks, Steven
-Tom