Shorewall devel - Apr 2011 - Shorewall 4.4.19 RC 1

RC 1 is now available for testing.

Problems corrected in this release:

1)  Corrected a problem in optimize level 4 that resulted in the
    following compile-time failure.

        Can''t use an undefined value as an ARRAY reference at
        /usr/share/shorewall/Shorewall/Chains.pm line 862.

2)  If a DNAT or REDIRECT rule applied to a source zone with an
    interface defined with ''physical=+'', then the nat table
''dnat''
    chain might have been created but not referenced. This prevented
    the DNAT or REDIRECT rule from working correctly.

3)  Previously, if a variable set in /etc/shorewall/params was given a
    value containing shell metacharacters, then the compiled script
    would contain syntax errors.

New Features:

1)  The contents of the Netfilter mangle table are now included in the
    output from ''shorewall show tc''.

2)  Simple traffic shaping can now have a common configuration between
    IPv4 and IPv6. To do that:

    - Set TC_ENABLED=Simple in both /etc/shorewall/shorewall.conf and
      /etc/shorewall6/shorewall6.conf
    - Configure /etc/shorewall/tcinterfaces.
    - Leave /etc/shorewall6/tcinterfaces empty.
    - Configure /etc/shorewall/tcpri (if desired)
    - Configure /etc/shorewall6/tcpri (if desired)

Thank you for testing,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Xperia(TM) PLAY
It''s a major breakthrough. An authentic gaming
smartphone on the nation''s most reliable network.
And it wants your games.
http://p.sf.net/sfu/verizon-sfdev

Tom

Rule:

DROP  $FW  net  !0

Produces the following iptables rule:

-A fw2net ! -p 0 -j DROP

Which produces the following iptabes-restore error:

iptables-restore v1.4.2: rule would never match protocol

------------------------------------------------------------------------------------------

Shorewall allows a ''-''  to be specified within a protcol list:

DROP  $FW  net  1,-,2

Is this intended?

Steven.

------------------------------------------------------------------------------
Forrester Wave Report - Recovery time is now measured in hours and minutes
not days. Key insights are discussed in the 2010 Forrester Wave Report as
part of an in-depth evaluation of disaster recovery service providers.
Forrester found the best-in-class provider in terms of services and vision.
Read this report now!  http://p.sf.net/sfu/ibm-webcastpromo

On Apr 11, 2011, at 2:38 PM, Steven Jan Springl wrote:
> Tom
> 
> Rule:
> 
> DROP  $FW  net  !0
> 
> Produces the following iptables rule:
> 
> -A fw2net ! -p 0 -j DROP
> 
> Which produces the following iptabes-restore error:
> 
> iptables-restore v1.4.2: rule would never match protocol
The attached patch seems to catch this.



> 
>
------------------------------------------------------------------------------------------
> 
> Shorewall allows a ''-''  to be specified within a protcol
list:
> 
> DROP  $FW  net  1,-,2
> 
> Is this intended?
While including ''-'' in a list is silly, it doesn''t
make a lot of sense to reject it since ''-'' by itself is valid
in that column.

I think I''ll leave it.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________




------------------------------------------------------------------------------
Forrester Wave Report - Recovery time is now measured in hours and minutes
not days. Key insights are discussed in the 2010 Forrester Wave Report as
part of an in-depth evaluation of disaster recovery service providers.
Forrester found the best-in-class provider in terms of services and vision.
Read this report now!  http://p.sf.net/sfu/ibm-webcastpromo

On Monday 11 April 2011 23:58:23 Tom Eastep wrote:
> On Apr 11, 2011, at 2:38 PM, Steven Jan Springl wrote:
> > Tom
> >
> > Rule:
> >
> > DROP  $FW  net  !0
> >
> > Produces the following iptables rule:
> >
> > -A fw2net ! -p 0 -j DROP
> >
> > Which produces the following iptabes-restore error:
> >
> > iptables-restore v1.4.2: rule would never match protocol
>
> The attached patch seems to catch this.
Tom

Confirmed. The patch fixes the problem.

Steven.

------------------------------------------------------------------------------
Forrester Wave Report - Recovery time is now measured in hours and minutes
not days. Key insights are discussed in the 2010 Forrester Wave Report as
part of an in-depth evaluation of disaster recovery service providers.
Forrester found the best-in-class provider in terms of services and vision.
Read this report now!  http://p.sf.net/sfu/ibm-webcastpromo

Tom

Rule:

DROP  $FW  net  256

Produces the following error message:

iptables-restore v1.4.2: unknown protocol `256'' specified

Note, the following iana web page states that protocol can be from 0 to 255  
(a one byte field).

http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xml

Steven.

------------------------------------------------------------------------------
Forrester Wave Report - Recovery time is now measured in hours and minutes
not days. Key insights are discussed in the 2010 Forrester Wave Report as
part of an in-depth evaluation of disaster recovery service providers.
Forrester found the best-in-class provider in terms of services and vision.
Read this report now!  http://p.sf.net/sfu/ibm-webcastpromo

On Apr 11, 2011, at 4:35 PM, Steven Jan Springl wrote:
> Tom
> 
> Rule:
> 
> DROP  $FW  net  256
> 
> Produces the following error message:
> 
> iptables-restore v1.4.2: unknown protocol `256'' specified
This should fix it.

-Tom



Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________




------------------------------------------------------------------------------
Forrester Wave Report - Recovery time is now measured in hours and minutes
not days. Key insights are discussed in the 2010 Forrester Wave Report as
part of an in-depth evaluation of disaster recovery service providers.
Forrester found the best-in-class provider in terms of services and vision.
Read this report now!  http://p.sf.net/sfu/ibm-webcastpromo

On Apr 11, 2011, at 5:05 PM, Tom Eastep wrote:
> 
> This should fix it.
> 
And thank you, Steven

-Tom

Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________




------------------------------------------------------------------------------
Forrester Wave Report - Recovery time is now measured in hours and minutes
not days. Key insights are discussed in the 2010 Forrester Wave Report as
part of an in-depth evaluation of disaster recovery service providers.
Forrester found the best-in-class provider in terms of services and vision.
Read this report now!  http://p.sf.net/sfu/ibm-webcastpromo

On Tuesday 12 April 2011 01:05:44 Tom Eastep wrote:
> On Apr 11, 2011, at 4:35 PM, Steven Jan Springl wrote:
> > Tom
> >
> > Rule:
> >
> > DROP  $FW  net  256
> >
> > Produces the following error message:
> >
> > iptables-restore v1.4.2: unknown protocol `256'' specified
>
> This should fix it.
>
> -Tom
Tom

Confirmed, the patch fixes the problem. Thanks.

Steven.

------------------------------------------------------------------------------
Forrester Wave Report - Recovery time is now measured in hours and minutes
not days. Key insights are discussed in the 2010 Forrester Wave Report as
part of an in-depth evaluation of disaster recovery service providers.
Forrester found the best-in-class provider in terms of services and vision.
Read this report now!  http://p.sf.net/sfu/ibm-webcastpromo

On Apr 12, 2011, at 3:12 AM, Steven Jan Springl wrote:
> 
> Confirmed, the patch fixes the problem. Thanks.
> 
Thank you, Steven

-Tom

Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________




------------------------------------------------------------------------------
Forrester Wave Report - Recovery time is now measured in hours and minutes
not days. Key insights are discussed in the 2010 Forrester Wave Report as
part of an in-depth evaluation of disaster recovery service providers.
Forrester found the best-in-class provider in terms of services and vision.
Read this report now!  http://p.sf.net/sfu/ibm-webcastpromo