Beta 1 is now ready for testing.

----------------------------------------------------------------------------
I.  P R O B L E M S   C O R R E C T E D   I N   T H I S   R E L E A S E
----------------------------------------------------------------------------

None.

----------------------------------------------------------------------------
I I.  K N O W N   P R O B L E M S   R E M A I N I N G
----------------------------------------------------------------------------

1)  On systems running Upstart, shorewall-init cannot reliably secure
    the firewall before interfaces are brought up.

----------------------------------------------------------------------------
I I I.  N E W   F E A T U R E S   I N   T H I S   R E L E A S E
----------------------------------------------------------------------------

1)  The modules files are now just a driver that INCLUDE several new
    files and one old file:

    - /usr/share/shorewall[6]/modules.essential   # Essential modules
    - /usr/share/shorewall[6]/modules.xtables     # xt_ modules
    - /usr/share/shorewall[6]/helpers             # Existing file
    - /usr/share/shorewall/ipset                  # ipset modules
    - /usr/share/shorewall[6]/modules.tc          # Traffic Shaping
    - /usr/share/shorewall[6]/modules.extensions  # Other extensions

    This should make it easier to configure your own
    /etc/shorewall[6]/modules file that won't be obsolete when you
    upgrade your Shorewall/Shorewall6 installation. For example, if you
    don't use traffic shaping or ipsets, you can remove those from your
    modules file.

2)  Traditionally, the root of the Shorewall accounting rules has been
    the 'accounting' chain. Having a single root chain has drawbacks:

    - Many rules are traversed needlessly (they could not possibly
      match traffic).
    - At any time, the Netfilter team could begin generating errors
      when loading those same rules.
    - MAC addresses may not be used in the accounting rules.
    - The 'accounting' chain cannot be optimized when
      OPTIMIZE_ACCOUNTING=Yes.
    - The rules may be defined in any order, so the rules compiler must
      post-process the ruleset to ensure that there are no loops and to
      alert the user to unreferenced chains.

    Beginning with Shorewall 4.4.18, the accounting structure can be
    created with three root chains:

    - accountin:  Rules that are valid in the INPUT chain (may not
                  specify an output interface).
    - accountout: Rules that are valid in the OUTPUT chain (may not
                  specify an input interface or a MAC address).
    - accounting: Other rules.

    The new structure is enabled by sectioning the accounting file in a
    manner similar to the rules file. The sections are INPUT, OUTPUT
    and FORWARD and must appear in that order (although any of them may
    be omitted). The first non-commentary record in the accounting file
    must be a section header when sectioning is used.

    When sections are enabled:

    - You must jump to a user-defined accounting chain before you can
      add rules to that chain. This eliminates loops and unreferenced
      chains.
    - You may not specify an output interface in the INPUT section.
    - In the OUTPUT section:
      - You may not specify an input interface
      - You may not jump to a chain defined in the INPUT section that
        specifies an input interface
      - You may not specify a MAC address
      - You may not jump to a chain defined in the INPUT section that
        specifies a MAC address.
    - The default value of the CHAIN column is:
      - 'accountin' in the INPUT section
      - 'accountout' in the OUTPUT section
      - 'accounting' in the FORWARD section
    - Traffic addressed to the firewall goes through the rules defined
      in the INPUT section.
    - Traffic originating on the firewall goes through the rules
      defined in the OUTPUT section.
    - Traffic being forwarded through the firewall goes through the
      rules from all three sections.

Thank you for testing,
-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE:
Pinpoint memory and threading errors before they happen.
Find and fix more than 250 security defects in the development cycle.
Locate bottlenecks in serial and parallel code that limit performance.
http://p.sf.net/sfu/intel-dev2devfeb

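As an added example (not Shorewall's own code and not part of this thread), here is a small Python validator that applies the sectioned-accounting rules from the release notes above to an accounting file before it reaches the compiler: section order, the interface and MAC restrictions of the INPUT and OUTPUT sections, the jump-before-use rule, self-jumps, and a walk of the jump graph for loops. It assumes the column layout ACTION CHAIN SOURCE DEST, that MAC addresses are written with a leading '~', that a SOURCE/DEST value which is neither an address nor a MAC is an interface name, and a partial list of built-in targets; these are assumptions of the example, not statements from the release notes.

```python
"""Validator for a sectioned Shorewall accounting file (added example, not Shorewall code).
Implements the INPUT/OUTPUT/FORWARD constraints from the 4.4.18 Beta 1 release notes plus
jump-loop detection. Assumed column layout: ACTION CHAIN SOURCE DEST."""
import re
from dataclasses import dataclass, field

# Chain used when the CHAIN column is '-' (or omitted) in each section.
ROOT_CHAINS = {"INPUT": "accountin", "OUTPUT": "accountout", "FORWARD": "accounting"}
SECTION_ORDER = ("INPUT", "OUTPUT", "FORWARD")
# Actions that are targets rather than jumps to user chains (assumed, partial list).
BUILTIN_TARGETS = {"COUNT", "DONE", "ACCOUNT", "MARK", "NFLOG", "NFACCT"}
# Heuristic: an address or CIDR (optionally negated) is only hex digits, dots, colons, commas.
ADDRESS_RE = re.compile(r"^!?[0-9a-fA-F.:,]+(/\d+)?$")

def is_interface(value):
    """Anything in SOURCE/DEST that is not '-', a MAC ('~' prefix, assumed) or an address."""
    return value != "-" and not value.startswith("~") and not ADDRESS_RE.match(value)

@dataclass
class Chain:
    section: str                   # section in which the chain was first jumped to
    has_input_iface: bool = False  # some rule in the chain names an input interface
    has_mac: bool = False          # some rule in the chain matches a MAC address
    jumps: set = field(default_factory=set)

def action_base(action):
    """'test2:COUNT' -> 'test2'; 'ACCOUNT(net2lan,192.168.0.0/24)' -> 'ACCOUNT'."""
    return action.split("(", 1)[0].split(":", 1)[0]

def find_loops(chains):
    """Depth-first search from the root chains; a back edge is a jump loop."""
    errors, state = [], {}  # state: 1 = on the current path, 2 = finished
    def visit(name, path):
        state[name] = 1
        for nxt in sorted(chains[name].jumps):
            if state.get(nxt) == 1:
                errors.append("loop: " + " -> ".join(path + [nxt]))
            elif nxt not in state:
                visit(nxt, path + [nxt])
        state[name] = 2
    for root in ROOT_CHAINS.values():
        if root not in state:
            visit(root, [root])
    return errors

def validate(text):
    """Return a list of error strings; an empty list means the file obeys the section rules."""
    errors, section = [], None
    chains = {root: Chain(sec) for sec, root in ROOT_CHAINS.items()}
    for lineno, raw in enumerate(text.splitlines(), 1):
        cols = raw.split("#", 1)[0].split()
        if not cols or cols[0] == "COMMENT":
            continue
        if cols[0] == "SECTION":
            name = cols[1] if len(cols) > 1 else ""
            if name not in SECTION_ORDER:
                errors.append(f"line {lineno}: unknown section '{name}'")
            elif section and SECTION_ORDER.index(name) <= SECTION_ORDER.index(section):
                errors.append(f"line {lineno}: SECTION {name} out of order (INPUT, OUTPUT, FORWARD)")
            else:
                section = name
            continue
        if section is None:
            errors.append(f"line {lineno}: first record must be a SECTION header")
            continue
        action, chain, source, dest = (cols + ["-"] * 3)[:4]
        chain = ROOT_CHAINS[section] if chain == "-" else chain
        src_iface, dst_iface, mac = is_interface(source), is_interface(dest), source.startswith("~")
        for bad, what, value in ((section == "INPUT" and dst_iface, "output interface", dest),
                                 (section == "OUTPUT" and src_iface, "input interface", source),
                                 (section == "OUTPUT" and mac, "MAC address", source)):
            if bad:
                errors.append(f"line {lineno}: {what} '{value}' not allowed in the {section} section")
        target = chains.get(chain)
        if target is None:
            errors.append(f"line {lineno}: chain '{chain}' must be jumped to before rules are added to it")
        else:
            target.has_input_iface |= src_iface
            target.has_mac |= mac
        base = action_base(action)
        if base in BUILTIN_TARGETS or base == "-":
            continue  # plain target, no jump to a user chain
        if base == chain:
            errors.append(f"line {lineno}: chain '{chain}' jumps to itself")
            continue
        info = chains.get(base)
        if info is None:
            chains[base] = Chain(section)  # first jump creates the user chain
        elif section == "OUTPUT" and info.section == "INPUT":
            for flag, what in ((info.has_input_iface, "an input interface"), (info.has_mac, "a MAC address")):
                if flag:
                    errors.append(f"line {lineno}: '{base}' (INPUT section) uses {what}; it cannot be jumped to from the OUTPUT section")
        if target is not None:
            target.jumps.add(base)
    errors.extend(find_loops(chains))
    return errors

if __name__ == "__main__":  # constructed sample: accountin -> test -> test2 -> test loop
    print(validate("SECTION INPUT\ntest\ntest2 test\nSECTION OUTPUT\ntest test2\n"))
```

Run as a script it reports the jump loop in the constructed sample; a file that obeys the rules returns an empty list. The checks are file-level only: a chain that ends up unreferenced in the generated iptables ruleset because of a compiler optimization is not something a validator working on the accounting file can see.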
Tom,

When the accounting file contains:

SECTION FORWARD
ACCOUNT(net2lan,192.168.0.0/24) - - eth1

The following error messages are produced:

iptables v1.4.10: Can't use -o with INPUT

ERROR: Command "/usr/local/sbin/iptables -A INPUT -o eth1 -j ACCOUNT --addr 192.168.0.0/24 --tname new2lan" Failed

Steven.

On 2/13/11 6:34 AM, Steven Jan Springl wrote:
> When the accounting file contains:
>
> SECTION FORWARD
> ACCOUNT(net2lan,192.168.0.0/24) - - eth1
>
> The following error messages are produced:
>
> iptables v1.4.10: Can't use -o with INPUT
>
> ERROR: Command "/usr/local/sbin/iptables -A INPUT -o eth1 -j ACCOUNT --addr
> 192.168.0.0/24 --tname new2lan" Failed

The attached patch should fix you up.

Thanks, Steven

-Tom

On Sunday 13 February 2011 16:17:11 Tom Eastep wrote:
> > new2lan" Failed
>
> The attached patch should fix you up.
>
> Thanks, Steven
>
> -Tom

Tom,

I can confirm the patch fixes the problem. Thanks.

Steven.

On 2/13/11 11:23 AM, Steven Jan Springl wrote:
> I can confirm the patch fixes the problem. Thanks.

Thanks, Steven

-Tom

Tom,

Accounting rules:

SECTION INPUT
test
SECTION FORWARD
ACCOUNT(net2lan,192.168.0.0/24) test eth0 eth1

produce the following error messages:

iptables v1.4.10: Can't use -o with INPUT

ERROR: Command "/usr/local/sbin/iptables -A INPUT -i eth0 -o eth1 -j ACCOUNT --addr 192.168.0.0/24 --tname new2lan" Failed

---------------------------------------------------------------------------------------------------------

Similarly, accounting rules:

SECTION OUTPUT
test
SECTION FORWARD
ACCOUNT(net2lan,192.168.0.0/24) test eth0 eth1

produce the following error messages:

iptables v1.4.10: Can't use -i with OUTPUT

ERROR: Command "/usr/local/sbin/iptables -A OUTPUT -i eth0 -o eth1 -j ACCOUNT --addr 192.168.0.0/24 --tname new2lan" Failed

Steven.

On 2/13/11 12:36 PM, Steven Jan Springl wrote:
> Accounting rules:
>
> SECTION INPUT
> test
> SECTION FORWARD
> ACCOUNT(net2lan,192.168.0.0/24) test eth0 eth1
>
> produce the following error messages:
>
> iptables v1.4.10: Can't use -o with INPUT
>
> ERROR: Command "/usr/local/sbin/iptables -A INPUT -i eth0 -o eth1 -j
> ACCOUNT --addr 192.168.0.0/24 --tname new2lan" Failed
>
> ---------------------------------------------------------------------------------------------------------
>
> Similarly accounting rules:
>
> SECTION OUTPUT
> test
> SECTION FORWARD
> ACCOUNT(net2lan,192.168.0.0/24) test eth0 eth1
>
> produce the following error messages:
>
> iptables v1.4.10: Can't use -i with OUTPUT
>
> ERROR: Command "/usr/local/sbin/iptables -A OUTPUT -i eth0 -o eth1 -j
> ACCOUNT --addr 192.168.0.0/24 --tname new2lan" Failed

The attached patch corrects both issues.

Thanks, Steven!

-Tom

On Sunday 13 February 2011 22:31:10 Tom Eastep wrote:
>
> The attached patch corrects both issues.
>
> Thanks, Steven!
>
> -Tom

Tom,

The patch to accounting.pm does not apply. The patch refers to line:

fatal_error "Chain $chain jumps to itself" if $chainref eq $jumpchainref;

This line is not in my copy of accounting.pm.

Steven.

On 2/13/11 3:01 PM, Steven Jan Springl wrote:
> On Sunday 13 February 2011 22:31:10 Tom Eastep wrote:
> The patch to accounting.pm does not apply.
>
> The patch refers to line:
>
> fatal_error "Chain $chain jumps to itself" if $chainref eq $jumpchainref;
>
> This line is not in my copy of accounting.pm

Sorry. You need commit b1abb3f554dc0438c8d11681a32ee101fae660cd.

-Tom

On Sunday 13 February 2011 23:06:28 Tom Eastep wrote:
> On 2/13/11 3:01 PM, Steven Jan Springl wrote:
> > On Sunday 13 February 2011 22:31:10 Tom Eastep wrote:
> >
> > The patch to accounting.pm does not apply.
> >
> > The patch refers to line:
> >
> > fatal_error "Chain $chain jumps to itself" if $chainref eq $jumpchainref;
> >
> > This line is not in my copy of accounting.pm
>
> Sorry. You need commit b1abb3f554dc0438c8d11681a32ee101fae660cd.
>
> -Tom

Tom,

The patch has now applied and I can confirm the original issue is now fixed. Thanks.

Steven.

On 2/13/11 3:22 PM, Steven Jan Springl wrote:
>
> The patch has now applied and I can confirm the original issue is now fixed.
> Thanks.

Thanks, Steven

-Tom

Tom,

When the accounting file contains:

SECTION INPUT
test
test2 test
SECTION OUTPUT
test test2

The following error messages are produced:

iptables v1.4.10: Couldn't load target `test2':/usr/local/libexec/xtables/libipt_test2.so: cannot open shared object file: No such file or directory

ERROR: Command "/usr/local/sbin/iptables -A INPUT -j test2" Failed

-------------------------------------------------------------------------------------------------------

When the accounting file contains:

SECTION INPUT
test
test2 test
SECTION OUTPUT
test test2
SECTION FORWARD
ACCOUNT(net2lan,192.168.0.0/24) test

The following error messages are produced:

iptables: Too many levels of symbolic links.
ERROR: Command "/usr/local/sbin/iptables -A test -j test" Failed

Steven.

On 2/13/11 3:56 PM, Steven Jan Springl wrote:
> When the accounting file contains:
>
> SECTION INPUT
> test
> test2 test
> SECTION OUTPUT
> test test2
>
> The following error messages are produced:
>
> iptables v1.4.10: Couldn't load target
> `test2':/usr/local/libexec/xtables/libipt_test2.so: cannot open shared object
> file: No such file or directory
>
> ERROR: Command "/usr/local/sbin/iptables -A INPUT -j test2" Failed
>
> -------------------------------------------------------------------------------------------------------
>
> When the accounting file contains:
>
> SECTION INPUT
> test
> test2 test
> SECTION OUTPUT
> test test2
> SECTION FORWARD
> ACCOUNT(net2lan,192.168.0.0/24) test
>
> The following error messages are produced:
>
> iptables: Too many levels of symbolic links.
> ERROR: Command "/usr/local/sbin/iptables -A test -j test" Failed

You're right -- my removal of loop detection for sectioned accounting rules was the result of a brain cramp.

I've restored that logic in the attached patch.

Thanks, Steven

-Tom

On Monday 14 February 2011 00:34:44 Tom Eastep wrote:
>
> You're right -- my removal of loop detection for sectioned accounting
> rules was the result of a brain cramp.
>
> I've restored that logic in the attached patch.
>
> Thanks, Steven
>
> -Tom

Tom,

I can confirm the patch fixes the problem. Thanks.

Steven.

On 2/14/11 8:45 AM, Steven Jan Springl wrote:
> I can confirm the patch fixes the problem. Thanks.

Thanks Steven.

-Tom

Tom,

When accounting contains:

COMMENT Hello world
SECTION INPUT
test
test2 test

The following errors are produced:

iptables v1.4.10: Couldn't load target `test2':/usr/local/libexec/xtables/libipt_test2.so: cannot open shared object file: No such file or directory

ERROR: Command "/usr/local/sbin/iptables -A INPUT -j test2 -m comment --comment "Hello world" -m comment --comment "Hello world"" Failed

Note, if the COMMENT line is removed the error does not occur.

Steven.

On 2/14/11 9:12 AM, Steven Jan Springl wrote:
> COMMENT Hello world
> SECTION INPUT
> test
> test2 test

While my biggest blunder with Shorewall was allowing an interface name in the SOURCE column of the masq file, implementing OPTIMIZE_ACCOUNTING runs a close second.

I'll have to look at that later but, in the meantime, please apply and test with commit 9e361e93e3373ae81837c01145eb5e2eef74809.

Thanks, Steven

-Tom

On 2/14/11 9:12 AM, Steven Jan Springl wrote:
> When accounting contains:
>
> COMMENT Hello world
> SECTION INPUT
> test
> test2 test
>
> The following errors are produced:
>
> iptables v1.4.10: Couldn't load target
> `test2':/usr/local/libexec/xtables/libipt_test2.so: cannot open shared object
> file: No such file or directory
>
> ERROR: Command "/usr/local/sbin/iptables -A INPUT -j test2 -m
> comment --comment "Hello world" -m comment --comment "Hello world"" Failed
>
> Note, if the COMMENT line is removed the error does not occur.

This one-liner seems to remove the bug.

Thanks, Steven

-Tom

On Monday 14 February 2011 17:38:38 Tom Eastep wrote:
> On 2/14/11 9:12 AM, Steven Jan Springl wrote:
> > COMMENT Hello world
> > SECTION INPUT
> > test
> > test2 test
>
> While my biggest blunder with Shorewall was allowing an interface name
> in the SOURCE column of the masq file, implementing OPTIMIZE_ACCOUNTING
> runs a close second.
>
> I'll have to look at that later but, in the meantime, please apply and
> test with commit 9e361e93e3373ae81837c01145eb5e2eef74809.
>
> Thanks, Steven
>
> -Tom

Tom,

I have tried a few things and all seems okay. However, if the accounting file contains a record with a netfilter target in the action column, i.e.:

MARK

then the following error message is produced:

ERROR: Internal error in Shorewall::Chains::new_chain at /usr/share/shorewall/Shorewall/Chains.pm line 1111 : /etc/shorewallER/accounting (line 26)

After backing out the above patch, the error still occurs. I have re-applied the patch and will continue testing.

Steven.

On 2/14/11 10:39 AM, Steven Jan Springl wrote:
> However if the accounting file contains a record with a netfilter
> target in the action column ie:
>
> MARK
>
> then the following error message is produced:
>
> ERROR: Internal error in Shorewall::Chains::new_chain at
> /usr/share/shorewall/Shorewall/Chains.pm line 1111 :
> /etc/shorewallER/accounting (line 26)

I could have sworn that I fixed that previously but here it is again.

Thanks, Steven

-Tom

On Monday 14 February 2011 17:59:35 Tom Eastep wrote:
> On 2/14/11 9:12 AM, Steven Jan Springl wrote:
> > When accounting contains:
> >
> > COMMENT Hello world
> > SECTION INPUT
> > test
> > test2 test
> >
> > The following errors are produced:
> >
> > iptables v1.4.10: Couldn't load target
> > `test2':/usr/local/libexec/xtables/libipt_test2.so: cannot open shared
> > object file: No such file or directory
> >
> > ERROR: Command "/usr/local/sbin/iptables -A INPUT -j test2 -m
> > comment --comment "Hello world" -m comment --comment "Hello world""
> > Failed
> >
> > Note, if the COMMENT line is removed the error does not occur.
>
> This one-liner seems to remove the bug.
>
> Thanks, Steven
>
> -Tom

Tom,

I can confirm that the patch fixes the problem. Thanks.

Steven.

On Monday 14 February 2011 18:53:35 Tom Eastep wrote:
> On 2/14/11 10:39 AM, Steven Jan Springl wrote:
> > However if the accounting file contains a record with a netfilter
> > target in the action column ie:
> >
> > MARK
> >
> > then the following error message is produced:
> >
> > ERROR: Internal error in Shorewall::Chains::new_chain at
> > /usr/share/shorewall/Shorewall/Chains.pm line 1111 :
> > /etc/shorewallER/accounting (line 26)
>
> I could have sworn that I fixed that previously but here it is again.
>
> Thanks, Steven
>
> -Tom

Tom,

That's fixed it. Thanks.

Steven.

On 2/14/11 11:58 AM, Steven Jan Springl wrote:
> That's fixed it. Thanks.

Thanks for the confirmation, Steven

-Tom

Tom,

Accounting rules:

SECTION FORWARD
ACCOUNT(net2lan,192.168.0.0/24) reject

produce the following message:

Use of uninitialized value in bitwise or (|) at /usr/share/shorewall/Shorewall/Accounting.pm line 278, <$currentfile> line 21.

Steven.

On 2/14/11 12:32 PM, Steven Jan Springl wrote:
> Accounting rules:
>
> SECTION FORWARD
> ACCOUNT(net2lan,192.168.0.0/24) reject
>
> produces the following message:
>
> Use of uninitialized value in bitwise or (|)
> at /usr/share/shorewall/Shorewall/Accounting.pm line 278, <$currentfile> line
> 21.

Good catch, Steven

Thanks,
-Tom

On Monday 14 February 2011 20:47:24 Tom Eastep wrote:
> On 2/14/11 12:32 PM, Steven Jan Springl wrote:
> > Accounting rules:
> >
> > SECTION FORWARD
> > ACCOUNT(net2lan,192.168.0.0/24) reject
> >
> > produces the following message:
> >
> > Use of uninitialized value in bitwise or (|)
> > at /usr/share/shorewall/Shorewall/Accounting.pm line 278, <$currentfile>
> > line 21.
>
> Good catch, Steven
>
> Thanks,
> -Tom

Tom,

That's fixed it. Thanks

Steven.

On 2/14/11 1:36 PM, Steven Jan Springl wrote:
> That's fixed it. Thanks

Thanks, Steven

-Tom

On 2/14/11 9:59 AM, Tom Eastep wrote:
>
> This one-liner seems to remove the bug.
>

Unfortunately, there was a bug in the one-liner. Fix attached.

-Tom

On Tuesday 15 February 2011 00:04:57 Tom Eastep wrote:
> On 2/14/11 9:59 AM, Tom Eastep wrote:
> > This one-liner seems to remove the bug.
>
> Unfortunately, there was a bug in the one-liner. Fix attached.
>
> -Tom

Tom,

Thanks, that fixed an issue I was having with an unreferenced iptables chain. However, by adding another couple of entries to the accounting rules I have managed to create a similar problem.

Using the following accounting rules, Shorewall generates an iptables chain test4 that is unreferenced.

SECTION INPUT
test
test2:COUNT test
test3:COUNT test2
test4:COUNT test3
ACCOUNT(net2lan,192.168.0.0/24) test4

A copy of the config. is attached.

Steven.

On 2/15/11 2:07 PM, Steven Jan Springl wrote:
>
> A copy of the config. is attached.
>

Steven,

Can you please send me a copy without ACLs?

Thanks,
-Tom

On 2/15/11 3:05 PM, Tom Eastep wrote:
> On 2/15/11 2:07 PM, Steven Jan Springl wrote:
> >
> > A copy of the config. is attached.
> >
> 
> Steven,
> 
> Can you please send me a copy without ACLs?

Please disregard -- I just copied the files to another directory and can
now continue my analysis.

-Tom
On 2/15/11 2:07 PM, Steven Jan Springl wrote:
> However, by adding another couple of entries to the accounting rules I have
> managed to create a similar problem.
> 
> Using the following accounting rules, Shorewall generates an iptables chain
> test4 that is unreferenced.
> 
> SECTION INPUT
> test
> test2:COUNT test
> test3:COUNT test2
> test4:COUNT test3
> ACCOUNT(net2lan,192.168.0.0/24) test4
> 
> A copy of the config. is attached.

I've pushed b03e3b94ef5a54fc2d658ef355c543d4241005a6 which fixes some
optimization problems (one hunk I think you already have). But I still
haven't identified the root cause of the issue you have raised. I'll
work on it again tomorrow.

-Tom
On 2/15/11 8:00 PM, Tom Eastep wrote:
> >
> > Using the following accounting rules, Shorewall generates an iptables chain
> > test4 that is unreferenced.
> >
> > SECTION INPUT
> > test
> > test2:COUNT test
> > test3:COUNT test2
> > test4:COUNT test3
> > ACCOUNT(net2lan,192.168.0.0/24) test4
> >
> > A copy of the config. is attached.
> 
> I've pushed b03e3b94ef5a54fc2d658ef355c543d4241005a6 which fixes some
> optimization problems (one hunk I think you already have). But I still
> haven't identified the root cause of the issue you have raised. I'll
> work on it again tomorrow.

Here is a patch to be applied after the one mentioned above. It fixes the
problem that you have described but I'm not yet convinced that the fix is
complete.

-Tom
On Wednesday 16 February 2011 18:18:46 Tom Eastep wrote:
> On 2/15/11 8:00 PM, Tom Eastep wrote:
> > > Using the following accounting rules, Shorewall generates an iptables
> > > chain test4 that is unreferenced.
> > >
> > > SECTION INPUT
> > > test
> > > test2:COUNT test
> > > test3:COUNT test2
> > > test4:COUNT test3
> > > ACCOUNT(net2lan,192.168.0.0/24) test4
> > >
> > > A copy of the config. is attached.
> >
> > I've pushed b03e3b94ef5a54fc2d658ef355c543d4241005a6 which fixes some
> > optimization problems (one hunk I think you already have). But I still
> > haven't identified the root cause of the issue you have raised. I'll
> > work on it again tomorrow.
> 
> Here is a patch to be applied after the one mentioned above. It fixes
> the problem that you have described but I'm not yet convinced that the
> fix is complete.
> 
> -Tom

Tom

Confirmed, the patches fix the issue. Thanks.

Steven.
On 2/16/11 11:42 AM, Steven Jan Springl wrote:
> 
> Confirmed, the patches fix the issue. Thanks.
> 

Thanks for the confirmation, Steven.

I think that I have now convinced myself that the last patch was complete,
after all.

-Tom
Tom

When the accounting file contains:

SECTION INPUT
DONE

The first rule in the INPUT chain is:

-A INPUT -j RETURN

Steven.
On 2/16/11 12:59 PM, Steven Jan Springl wrote:
> Tom
> 
> When the accounting file contains:
> 
> SECTION INPUT
> DONE
> 
> The first rule in the INPUT chain is:
> 
> -A INPUT -j RETURN

Another good catch, Steven.

Patch attached.

-Tom
On Wednesday 16 February 2011 21:14:50 Tom Eastep wrote:
> On 2/16/11 12:59 PM, Steven Jan Springl wrote:
> > Tom
> >
> > When the accounting file contains:
> >
> > SECTION INPUT
> > DONE
> >
> > The first rule in the INPUT chain is:
> >
> > -A INPUT -j RETURN
> 
> Another good catch, Steven.
> 
> Patch attached.
> 
> -Tom

Tom

Confirmed, that's fixed it. Thanks.

Steven.
Tom

Accounting rules:

SECTION INPUT
DONE
SECTION FORWARD
DONE

Produces the following error message:

Can't use an undefined value as an ARRAY reference
at /usr/share/shorewall/Shorewall/Chains.pm line 862.

Steven.
On 2/16/11 2:21 PM, Steven Jan Springl wrote:
> Accounting rules:
> 
> SECTION INPUT
> DONE
> SECTION FORWARD
> DONE
> 
> Produces the following error message:
> 
> Can't use an undefined value as an ARRAY reference
> at /usr/share/shorewall/Shorewall/Chains.pm line 862.

I can't reproduce that with my tree. Please merge up the last three
commits at Sourceforge and see if the problem is resolved for you as well.

Thanks,
-Tom
On 2/16/11 4:19 PM, Tom Eastep wrote:
> 
> I can't reproduce that with my tree. Please merge up the last three
> commits at Sourceforge and see of the problem is resolved for you as well.
> 

I've just uploaded Beta2 to make your job easier.

-Tom
On Thursday 17 February 2011 04:14:42 Tom Eastep wrote:
> On 2/16/11 4:19 PM, Tom Eastep wrote:
> > I can't reproduce that with my tree. Please merge up the last three
> > commits at Sourceforge and see of the problem is resolved for you as
> > well.
> 
> I've just uploaded Beta2 to make your job easier.
> 
> -Tom

Tom

Thanks for Beta2.

Unfortunately the problem still occurs. The line number of the error has
changed:

Can't use an undefined value as an ARRAY reference
at /usr/share/shorewall/Shorewall/Chains.pm line 839.

I have attached my config.

Steven.
On 2/17/11 9:40 AM, Steven Jan Springl wrote:
> On Thursday 17 February 2011 04:14:42 Tom Eastep wrote:
> > On 2/16/11 4:19 PM, Tom Eastep wrote:
> > > I can't reproduce that with my tree. Please merge up the last three
> > > commits at Sourceforge and see of the problem is resolved for you as
> > > well.
> >
> > I've just uploaded Beta2 to make your job easier.
> >
> > -Tom

Thanks Steven

Don't know what I did wrong. The problem was not the second DONE but
rather the presence of DONE in the FORWARD section. The attached
one-liner seems to correct it.

-Tom
On Thursday 17 February 2011 18:46:18 Tom Eastep wrote:
> On 2/17/11 9:40 AM, Steven Jan Springl wrote:
> > On Thursday 17 February 2011 04:14:42 Tom Eastep wrote:
> > > On 2/16/11 4:19 PM, Tom Eastep wrote:
> > > > I can't reproduce that with my tree. Please merge up the last three
> > > > commits at Sourceforge and see of the problem is resolved for you as
> > > > well.
> > >
> > > I've just uploaded Beta2 to make your job easier.
> > >
> > > -Tom
> 
> Thanks Steven
> 
> Don't know what I did wrong. The problem was not the second DONE but
> rather the presence of DONE in the FORWARD section. The attached
> one-liner seems to correct it.
> 
> -Tom

Tom

Confirmed, the patch fixes the problem. Thanks.

Steven.
On 2/17/11 11:31 AM, Steven Jan Springl wrote:
> 
> Confirmed, the patch fixes the problem. Thanks.
> 

Thanks, Steven

-Tom
Tom

When the accounting file contains:

excl0
DONE - 1.1.1.0/24!1.1.1.1

The following error message is produced:

ERROR: Internal error in Shorewall::Chains::new_chain
at /usr/share/shorewall/Shorewall/Chains.pm line 1127 : /etc/shorewallA/accounting (line 14)

I have attached my config.

Steven.
On 2/17/11 1:32 PM, Steven Jan Springl wrote:
> Tom
> 
> When the accounting file contains:
> 
> excl0
> DONE - 1.1.1.0/24!1.1.1.1
> 
> The following error message is produced:
> 
> ERROR: Internal error in Shorewall::Chains::new_chain
> at /usr/share/shorewall/Shorewall/Chains.pm line
> 1127 : /etc/shorewallA/accounting (line 14)
> 

Steven,

Here is a rather ham-handed fix. Only the last hunk is relevant to your
problem but the rest will keep our trees synced.

Thanks!
-Tom
On 2/17/11 2:51 PM, Tom Eastep wrote:
> Here is a rather ham-handed fix. Only the last hunk is relevant to your
> problem but the rest will keep our trees synced.

And this patch anticipates your next bug report :-)

Thanks again, Steven
-Tom
On Thursday 17 February 2011 22:51:49 Tom Eastep wrote:
> On 2/17/11 1:32 PM, Steven Jan Springl wrote:
> > Tom
> >
> > When the accounting file contains:
> >
> > excl0
> > DONE - 1.1.1.0/24!1.1.1.1
> >
> > The following error message is produced:
> >
> > ERROR: Internal error in Shorewall::Chains::new_chain
> > at /usr/share/shorewall/Shorewall/Chains.pm line
> > 1127 : /etc/shorewallA/accounting (line 14)
> 
> Steven,
> 
> Here is a rather ham-handed fix. Only the last hunk is relevant to your
> problem but the rest will keep our trees synced.
> 
> Thanks!
> -Tom

Tom

That's fixed it. Thanks.

Steven.
Tom

If you code the name of a file from the shorewall directory in the ACTION
column of the accounting file, e.g.:

interfaces

Numerous messages are produced.

Steven.
On 2/17/11 3:58 PM, Steven Jan Springl wrote:
> If you code the name of a file from the shorewall directory in the ACTION
> column of the accounting file eg:
> 
> interfaces
> 
> Numerous messages are produced.

Steven,

The attached typing test makes it an error to use these names as an
accounting chain.

-Tom
On 2/17/11 4:29 PM, Tom Eastep wrote:
> On 2/17/11 3:58 PM, Steven Jan Springl wrote:
> 
> > If you code the name of a file from the shorewall directory in the ACTION
> > column of the accounting file eg:
> >
> > interfaces
> >
> > Numerous messages are produced.
> 
> Steven,
> 
> The attached typing test makes it an error to use these names as an
> accounting chain.

May want to hold that one -- it has one fatal flaw :-)

-Tom
On 2/17/11 4:41 PM, Tom Eastep wrote:
> On 2/17/11 4:29 PM, Tom Eastep wrote:
> 
> May want to hold that one -- it has one fatal flaw :-)
> 

But should be okay if you apply this one next.

Thanks again, Steven
-Tom (who should have run the regression suite before sending the last patch).
On Friday 18 February 2011 00:49:28 Tom Eastep wrote:
> On 2/17/11 4:41 PM, Tom Eastep wrote:
> > On 2/17/11 4:29 PM, Tom Eastep wrote:
> >
> >
> > May want to hold that one -- it has one fatal flaw :-)
> 
> But should be okay if you apply this one next.
> 
> 
> Thanks again, Steven
> 
> -Tom (who should have run the regression suite before sending the last
> patch).

Tom

Confirmed, the patches have fixed it. Thanks.

Steven.
On 2/18/11 11:13 AM, Steven Jan Springl wrote:
> 
> Confirmed, the patches have fixed it. Thanks.
> 

Thanks, Steven

-Tom
On Thursday 17 February 2011 22:54:57 Tom Eastep wrote:
> On 2/17/11 2:51 PM, Tom Eastep wrote:
> > Here is a rather ham-handed fix. Only the last hunk is relevant to your
> > problem but the rest will keep our trees synced.
> 
> And this patch anticipates your next bug report :-)
> 
> Thanks again, Steven
> -Tom

Tom

I am not sure how to trigger the bug with log rules.

To trigger the exclusion bug I had to code:

excl0
DONE - 1.1.1.0/24!1.1.1.1

If the lines were swapped around the bug did not occur.

If I code the following in the accounting file:

log0

I then need to generate a log rule that is processed by Shorewall after
this. As the rules file is processed before the accounting file, I can't
use that.

Do you know of a way that I can accomplish this?

Steven.

_______________________________________________
Shorewall-devel mailing list
Shorewall-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
Tom

Is it worth blocking rules file action names accountin, accounting &
accountout?

If rules file action accountin is defined and the following is coded in the
accounting file:

SECTION INPUT
COUNT

The following Shorewall message is produced:

ERROR: accountin is not an accounting chain : /etc/shorewallA/accounting (line 14)

See the attached config. for an example.

Steven.
Tom

When the accounting file contains:

COUNT - ~11-22-33-44-55-66

The following messages are produced:

iptables: Invalid argument. Run `dmesg' for more information.

ERROR: Command "/usr/local/sbin/iptables -A accounting --match mac --mac-source 11:22:33:44:55:66" Failed

dmesg produces:

ip_tables: mac match: used from hooks INPUT/FORWARD/OUTPUT, but only valid from PREROUTING/INPUT/FORWARD

Steven.
On 2/18/11 12:48 PM, Steven Jan Springl wrote:
> On Thursday 17 February 2011 22:54:57 Tom Eastep wrote:
> Do you know of a way that I can accomplish this?

Doesn't appear to be possible.

Thanks Steven,
-Tom
Tom

When the accounting file contains:

SECTION INPUT
COUNT - - - - - - root

The following messages are produced:

iptables: Invalid argument. Run `dmesg' for more information.

ERROR: Command "/usr/local/sbin/iptables -A accountin -m owner --uid-owner root" Failed

dmesg produces:

ip_tables: owner match: used from hooks INPUT, but only valid from OUTPUT/POSTROUTING

Steven.
On 2/18/11 3:52 PM, Steven Jan Springl wrote:
> When the accounting file contains:
> 
> SECTION INPUT
> COUNT - - - - - - root
> 
> The following messages are produced:
> 
> iptables: Invalid argument. Run `dmesg' for more information.
> 
> ERROR: Command "/usr/local/sbin/iptables -A accountin -m owner --uid-owner
> root" Failed
> 
> dmesg produces:
> 
> ip_tables: owner match: used from hooks INPUT, but only valid from
> OUTPUT/POSTROUTING
> 

Steven,

The attached should correct this problem as well as the one with a MAC
address.

Thanks Steve,
-Tom
On 2/18/11 2:42 PM, Steven Jan Springl wrote:
> Tom
> 
> Is it worth blocking rules file action names accountin, accounting &
> accountout?
> 
> If rules file action accountin is defined and the following is coded in the
> accounting file:
> 
> SECTION INPUT
> COUNT
> 
> The following Shorewall message is produced?
> 
> ERROR: accountin is not an accounting chain : /etc/shorewallA/accounting (line
> 14)
> 

The attached patch should improve things.

Thanks Steven,
-Tom
On 2/18/11 5:41 PM, Tom Eastep wrote:
> 
> The attached patch should improve things.
> 

And I've improved the error message in my tree.

-Tom
On Saturday 19 February 2011 01:41:43 Tom Eastep wrote:
> On 2/18/11 2:42 PM, Steven Jan Springl wrote:
> > Tom
> >
> > Is it worth blocking rules file action names accountin, accounting &
> > accountout?
> >
> > If rules file action accountin is defined and the following is coded in
> > the accounting file:
> >
> > SECTION INPUT
> > COUNT
> >
> > The following Shorewall message is produced?
> >
> > ERROR: accountin is not an accounting chain : /etc/shorewallA/accounting
> > (line 14)
> 
> The attached patch should improve things.
> 
> Thanks Steven,
> -Tom

Tom

That's fixed it. Thanks.

Steven.
On Saturday 19 February 2011 00:38:09 Tom Eastep wrote:
> On 2/18/11 3:52 PM, Steven Jan Springl wrote:
> > When the accounting file contains:
> >
> > SECTION INPUT
> > COUNT - - - - - - root
> >
> > The following messages are produced:
> >
> > iptables: Invalid argument. Run `dmesg' for more information.
> >
> > ERROR: Command "/usr/local/sbin/iptables -A accountin -m owner
> > --uid-owner root" Failed
> >
> > dmesg produces:
> >
> > ip_tables: owner match: used from hooks INPUT, but only valid from
> > OUTPUT/POSTROUTING
> 
> Steven,
> 
> The attached should correct this problem as well as the one with a MAC
> address.
> 
> Thanks Steve,
> -Tom

Tom

The patch fixes the MAC address issue.

The patch fixes the above 'owner' issue. However, if the SECTION INPUT line is
removed the error still occurs.

Steven.
Tom

When the accounting file contains:

COUNT - - - - - - - 0/

The following error messages are produced:

iptables v1.4.10: mark: Bad value for "--mark" option: "0/"

ERROR: Command "/usr/local/sbin/iptables -A accounting -m mark --mark 0/" Failed

-----------------------------------------------------------------------------------------------------------

When the accounting file contains:

COUNT - - - - - - - :C

The following error messages are produced:

iptables v1.4.10: connmark: Bad value for "--mark" option: "/0xffff"

ERROR: Command "/usr/local/sbin/iptables -A accounting -m connmark --mark /0xffff" Failed

-----------------------------------------------------------------------------------------------------------

When the accounting file contains:

COUNT - - - - - - - !

The following error messages are produced:

iptables v1.4.10: mark: Bad value for "--mark" option: "/0xffff"

ERROR: Command "/usr/local/sbin/iptables -A accounting -m mark ! --mark /0xffff" Failed

-----------------------------------------------------------------------------------------------------------

When the accounting file contains:

COUNT - - - - - - - !:C

The following error messages are produced:

iptables v1.4.10: connmark: Bad value for "--mark" option: "/0xffff"

ERROR: Command "/usr/local/sbin/iptables -A accounting -m connmark ! --mark /0xffff" Failed

Steven.
On 2/19/11 5:37 AM, Steven Jan Springl wrote:

> The patch fixes the MAC address issue.
>
> The patch fixes the above 'owner' issue. However, if the SECTION INPUT line is
> removed the error still occurs.

Interesting -- Netfilter must be enforcing the restriction on -m owner more tightly since I have several test cases from you in the regression library that use owner match in the accounting file.

This patch prevents it from being used anywhere except in the OUTPUT section.

-Tom
On 2/19/11 6:45 AM, Steven Jan Springl wrote:

> When the accounting file contains:
>
> COUNT - - - - - - - 0/
>
> The following error messages are produced:
>
> iptables v1.4.10: mark: Bad value for "--mark" option: "0/"
>
> ERROR: Command "/usr/local/sbin/iptables -A accounting -m mark --mark 0/"
> Failed
>
> -----------------------------------------------------------------------------------------------------------
>
> When the accounting file contains:
>
> COUNT - - - - - - - :C
>
> The following error messages are produced:
>
> iptables v1.4.10: connmark: Bad value for "--mark" option: "/0xffff"
>
> ERROR: Command "/usr/local/sbin/iptables -A accounting -m
> connmark --mark /0xffff" Failed
>
> -----------------------------------------------------------------------------------------------------------
>
> When the accounting file contains:
>
> COUNT - - - - - - - !
>
> The following error messages are produced:
>
> iptables v1.4.10: mark: Bad value for "--mark" option: "/0xffff"
>
> ERROR: Command "/usr/local/sbin/iptables -A accounting -m
> mark ! --mark /0xffff" Failed
>
> -----------------------------------------------------------------------------------------------------------
>
> When the accounting file contains:
>
> COUNT - - - - - - - !:C
>
> The following error messages are produced:
>
> iptables v1.4.10: connmark: Bad value for "--mark" option: "/0xffff"
>
> ERROR: Command "/usr/local/sbin/iptables -A accounting -m
> connmark ! --mark /0xffff" Failed

These issues are not restricted to the accounting file -- the same parser is used for the MARK column in all files containing that column.

At any rate, the attached patch tightens the editing of that column.

Thanks Steven!

-Tom
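An added example, not Shorewall's own code, of the kind of compile-time check the two patches above describe: it rejects the four malformed MARK values Steven reported and refuses the owner match anywhere but the OUTPUT section, sectioned or not. The column layout, the [!]value[/mask][:C] syntax, the 0xffff default mask and the SAMPLE file are assumptions taken from the messages in this thread.

```python
import re
# Constructed checker, not Shorewall's own code. Assumed from the thread: columns ACTION CHAIN
# SOURCE DEST PROTO DPORT SPORT USER MARK; MARK is [!]value[/mask][:C], default mask 0xffff.
COLUMNS = ['ACTION', 'CHAIN', 'SOURCE', 'DEST', 'PROTO', 'DPORT', 'SPORT', 'USER', 'MARK']
MARK_RE = re.compile(r'^(?P<neg>!)?(?P<value>0x[0-9a-f]+|\d+)'
                     r'(?:/(?P<mask>0x[0-9a-f]+|\d+))?(?P<conn>:C)?$', re.I)

def parse_mark(mark):
    """iptables fragment for a MARK entry; ValueError for values with no mark
    number ('0/', ':C', '!', '!:C'), caught before iptables is ever invoked."""
    m = MARK_RE.match(mark)
    if not m:
        raise ValueError(f'invalid MARK column value "{mark}"')
    match = 'connmark' if m.group('conn') else 'mark'   # ':C' selects the connmark match
    neg = '! ' if m.group('neg') else ''
    return f'-m {match} {neg}--mark {m.group("value")}/{m.group("mask") or "0xffff"}'

def check_accounting_line(section, line):
    cols = line.split()
    row = dict(zip(COLUMNS, cols + ['-'] * (len(COLUMNS) - len(cols))))
    frags = []
    if row['USER'] != '-':
        # ip_tables accepts the owner match only from OUTPUT/POSTROUTING (dmesg above),
        # so an unsectioned file (section is None) is refused as well.
        if section != 'OUTPUT':
            raise ValueError('USER/GROUP column is only allowed in the OUTPUT section')
        frags.append(f'-m owner --uid-owner {row["USER"]}')  # simplified: uid only
    if row['MARK'] != '-':
        frags.append(parse_mark(row['MARK']))
    return frags

def lint_accounting(text):
    """Return (section, line, error) for every rule the checker rejects."""
    section, errors = None, []
    for line in (l.split('#', 1)[0].strip() for l in text.splitlines()):
        if line.upper().startswith('SECTION '):
            section = line.split()[1].upper()
        elif line:
            try:
                check_accounting_line(section, line)
            except ValueError as err:
                errors.append((section, line, str(err)))
    return errors

SAMPLE = """COUNT - - - - - - root   # constructed sample: owner match, no SECTION line
COUNT - - - - - - - 0/
SECTION INPUT
COUNT - - - - - - - :C
SECTION OUTPUT
COUNT - - - - - - root          # the only section where -m owner is valid
COUNT - - - - - - - !2/0xff:C"""
```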
On Saturday 19 February 2011 16:28:44 Tom Eastep wrote:

> These issues are not restricted to the accounting file -- the same
> parser is used for the MARK column in all files containing that column.
>
> At any rate, the attached patch tightens the editing of that column.
>
> Thanks Steven!
> -Tom

Tom

Confirmed. The patch fixes the problem. Thanks,

Steven.
On 2/19/11 12:12 PM, Steven Jan Springl wrote:

> Confirmed. The patch fixes the problem. Thanks,

Thanks Steven,

-Tom
On Saturday 19 February 2011 15:56:12 Tom Eastep wrote:

> On 2/19/11 5:37 AM, Steven Jan Springl wrote:
> > The patch fixes the MAC address issue.
> >
> > The patch fixes the above 'owner' issue. However, if the SECTION INPUT
> > line is removed the error still occurs.
>
> Interesting -- Netfilter must be enforcing the restriction on -m owner
> more tightly since I have several test cases from you in the regression
> library that use owner match in the accounting file.
>
> This patch prevents it from being used anywhere except in the OUTPUT
> section.
>
> -Tom

Tom

I can confirm the patch fixes the issue. Thanks.

I am using kernel 2.6.36 and iptables 1.4.10.

Steven.
On 2/19/11 12:19 PM, Steven Jan Springl wrote:

> I can confirm the patch fixes the issue. Thanks.
>
> I am using kernel 2.6.36 and iptables 1.4.10.

Thanks Steven,

-Tom
Tom

In the attached config, action.Drop contains:

REJECT:nflog(1,2,3)

This results in the following error message:

ERROR: Internal error in Shorewall::Chains::new_chain at /usr/share/shorewall/Shorewall/Chains.pm line 1144

If the :nflog(1,2,3) is removed or REJECT is changed to DROP then the error does not occur.

The error also occurs if action.Drop is renamed to action.Reject.

Steven.
Tom

In the attached config, action.Drop calls action.two, and action.two contains:

REJECT

This results in the following error messages:

Use of uninitialized value in numeric gt (>) at /usr/share/shorewall/Shorewall/Chains.pm line 785.

ERROR: Internal error in Shorewall::Chains::decrement_reference_count at /usr/share/shorewall/Shorewall/Chains.pm line 785

If REJECT is changed to DROP the error does not occur.

Steven.
On 2/19/11 2:51 PM, Steven Jan Springl wrote:

> Tom
>
> In the attached config, action.Drop contains:
>
> REJECT:nflog(1,2,3)
>
> This results in the following error message:
>
> ERROR: Internal error in Shorewall::Chains::new_chain
> at /usr/share/shorewall/Shorewall/Chains.pm line 1144
>
> If the :nflog(1,2,3) is removed or REJECT is changed to DROP then the error
> does not occur.
>
> The error also occurs if action.Drop is renamed to action.Reject.

Seems to be corrected by the attached patch.

-Tom
On 2/19/11 3:29 PM, Steven Jan Springl wrote:

> In the attached config, action.Drop calls action.two, and action.two contains:
>
> REJECT
>
> This results in the following error messages:
>
> Use of uninitialized value in numeric gt (>)
> at /usr/share/shorewall/Shorewall/Chains.pm line 785.
>
> ERROR: Internal error in Shorewall::Chains::decrement_reference_count
> at /usr/share/shorewall/Shorewall/Chains.pm line 785
>
> If REJECT is changed to DROP the error does not occur.

Seems as if the last patch also fixed this problem.

Thanks, Steven

-Tom
On Saturday 19 February 2011 23:36:16 Tom Eastep wrote:

> Seems to be corrected by the attached patch.
>
> -Tom

Tom

Confirmed. Both issues are fixed by this patch. Thanks.

Steven.
On 2/19/11 3:53 PM, Steven Jan Springl wrote:

> Confirmed. Both issues are fixed by this patch. Thanks.

Thanks, Steven

-Tom