Shorewall devel - May 2011 - Shorewall 4.4.20 Beta 5

Beta 5 is now available for testing.

Problems Corrected:

1)  Previously, when a device number was explicitly specified in
    /etc/shorewall/tcdevices, all unused numbers less than the one
    specified were unavailable for allocation to following entries that
    did not specify a number. Now, the compiler selects the lowest
    unallocated number when no device number is explicitly allocated.

2)  Network developers have discovered an exploit that allows hosts to
    poke holes in a firewall under some circumstances. The known ways
    to protect against the exploit are:

    a)  rt_filter (Shorewall''s routefilter). Only applicable to IPv4
    	and can''t be used with some multi-ISP configurations.

    b)  Insert a DROP rule that prevents hairpinning (routeback). The
        rule must be inserted before any ESTABLISHED,RELATED firewall
        rules. This approach is not appropriate for bridges and other
        cases where the ''routeback'' option is specified or
implied.

    For non-routeback interfaces, Shorewall and Shorewall6 will insert
    a hairpin rule, provided that the routefilter option is not
    specified. The rule will dispose of hairpins according to the
    setting of two new options in shorewall.conf and shorewall6.conf:

    FILTER_LOG_LEVEL
	Specifies the logging level; default is ''info''. To omit
	logging, specify FILTER_LOG_LEVEL=none.


    FILTER_DISPOSITION
	Specifies the disposition. Default is DROP and the possible
	values are DROP, A_DROP, REJECT and A_REJECT.

    To deal with bridges and other routeback interfaces , there is now
    a ''filter'' option in /shorewall/interfaces and
    /etc/shorewall6/interfaces.

    The value of the ''filter'' option is a list of network
addresses
    enclosed in in parentheses. Where only a single address is listed,
    the parentheses may be omitted. When a packet from a filtered
    address is received on the interface, it is disposed of based on
    the new FILTER_ options described above.

    For a bridge or other routeback interface, you should list all of
    your other local networks (those networks not attached to the
    bridge) in the bridge''s filter list.

    Example:

	My DMZ is 2001:470:b:227::40/124

	My local interface (br1) is a bridge.

	In /etc/shorewall6/interfaces, I have:

	#ZONE INTERFACE BROADCAST OPTIONS
	loc   br1       -         filter=2001:470:b:227::40/124

3)  A defect introduced in Beta 3 that resulted in Internal Errors in
    the compiler has been corrected.

New Features:

1)  The new auditing actions and macros introduced in Beta 4 have been
    renamed by adding an underscore (''_'') after the leading A.
For
    example, ADrop is now A_Drop.

2)  Shorewall and Shorewall6 no longer depend on ''make''.

3)  A ''-T'' (trace) option has been added to the
''check'' and ''compile''
    commands. When a warning or error message is generated, a Perl
    stack trace is included to aid in isolating the source of the
    message.

Thank you for testing,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
vRanger cuts backup time in half-while increasing security.
With the market-leading solution for virtual backup and recovery, 
you get blazing-fast, flexible, and affordable data protection.
Download your free trial now. 
http://p.sf.net/sfu/quest-d2dcopy1

> 1)  Previously, when a device number was explicitly specified in
>     /etc/shorewall/tcdevices, all unused numbers less than the one
>     specified were unavailable for allocation to following entries that
>     did not specify a number. Now, the compiler selects the lowest
>     unallocated number when no device number is explicitly allocated.
>   
That works.
> 2)  Network developers have discovered an exploit that allows hosts to
>     poke holes in a firewall under some circumstances. The known ways
>     to protect against the exploit are:
>   
How do I know if I am "affected" by this? I have various
"routefilter"
options in my interfaces file (ranging from routefilter to 
routefilter=2). Regardless of whether I have "routefilter" or 
"routefilter=2" shorewall creates a "filter" chain with 0
references in
it. Don''t know why that is or if it is supposed to be this way?
>     FILTER_LOG_LEVEL
> 	Specifies the logging level; default is ''info''. To omit
> 	logging, specify FILTER_LOG_LEVEL=none.
>   
Have this set as the default (=info)
>     FILTER_DISPOSITION
> 	Specifies the disposition. Default is DROP and the possible
> 	values are DROP, A_DROP, REJECT and A_REJECT.
>   
Have this set as A_DROP.
> 1)  The new auditing actions and macros introduced in Beta 4 have been
>     renamed by adding an underscore (''_'') after the
leading A. For
>     example, ADrop is now A_Drop.
>   
That works with the new names.

I also found the following:

1. USE_ACTIONS is not present in the "default" shorewall.conf (the one
supplied with either the source or the rpm file) - it needs to be added.
2. There is a syntax error in man shorewall.conf (LEGACY_FASTSTART 
section) - "/etc/shorewall are compare with " should be
"/etc/shorewall
are compared with "
3. The following problem which I reported in Beta4 is still there - 
A_ACCEPT, A_DROP and/or A_REJECT assume comments from the first action 
(normally in Drop and Reject) which calls them, which is wrong. Example:

If I have A_AllowICMPs, Auth(A_REJECT) and A_DropUPnP in my Drop action 
the following chains are produced by shorewall:

Chain A_ACCEPT (4 references)
 pkts bytes target prot opt in out source destination         
 0 0 AUDIT all -- * * 0.0.0.0/0 0.0.0.0/0 /* Needed ICMP types */  AUDIT 
accept
 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* Needed ICMP types */

Chain A_DROP (9 references)
 pkts bytes target prot opt in out source destination         
 0 0 AUDIT all -- * * 0.0.0.0/0 0.0.0.0/0 /* UPnP */  AUDIT drop
  0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 /* UPnP */

Chain A_REJECT (2 references)
 pkts bytes target prot opt in out source destination         
 0 0 AUDIT all -- * * 0.0.0.0/0 0.0.0.0/0 /* Auth */  AUDIT reject
 0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0 [goto] /* Auth */

The comments of which are, of course, utter nonsense! These should not 
be there at all!

4. Not a bug, but a suggestion.

Every time I upgrade shorewall I am spending time executing diff and 
peeling my eyes out to see what new options have been introduced and 
what options, if any, have been deprecated. This exercise is very much 
prone to errors and I believe there is a simpler and better solution to 
this, which could be done "automagically" without much fuss.

- Create (and distribute) shorewall.conf.default, which contains all 
shorewall.conf options with their default values for the current 
shorewall version being distributed;

- Create (and distribute) shorewall.conf.template which also contains 
all available options for the shorewall version being distributed, but 
lists their "values" in the following manner:
USE_ACTIONS=$USE_ACTIONS
LEGACY_FASTSTART=$LEGACY_FASTSTART
...

- Create a shell script which:
1). simply reads shorewall.conf.default as a shell source, so that all 
"variables" listed there are "defined" and have their values
loaded up.
2). check to see if shorewall.conf exists (from a previous shorewall 
version perhaps) and if that is the case read this file also as a shell 
source, so that the variables previously "defined" in 
shorewall.conf.default get overwritten from the existing shorewall.conf
3). use shorewall.conf.template to output all shorewall.conf variables 
with their values and redirect this output to shorewall.conf

- Job done and I don''t have to spend any more time diff-ing old and new
shorewall configs ever!


------------------------------------------------------------------------------
vRanger cuts backup time in half-while increasing security.
With the market-leading solution for virtual backup and recovery, 
you get blazing-fast, flexible, and affordable data protection.
Download your free trial now. 
http://p.sf.net/sfu/quest-d2dcopy1

On 5/27/11 7:51 PM, Tom Eastep wrote:
> On 5/27/11 6:11 PM, Mr Dash Four wrote:
> 
>> That works.
>>
>>> 2)  Network developers have discovered an exploit that allows hosts
to
>>>     poke holes in a firewall under some circumstances. The known
ways
>>>     to protect against the exploit are:
>>>   
>> How do I know if I am "affected" by this? I have various
"routefilter"
>> options in my interfaces file (ranging from routefilter to 
>> routefilter=2).
If you have neither IPv6 nor routeback interfaces, then you are not
affected.
>> Regardless of whether I have "routefilter" or 
>> "routefilter=2" shorewall creates a "filter" chain
with 0 references in
>> it. Don''t know why that is or if it is supposed to be this
way?
It would be deleted if you had specified a sufficient value for OPTIMIZE
in shorewall.conf. But in RC1, I will add code to delete it if it isn''t
referenced, regardless of optimization level.
>> I also found the following:
>>
>> 1. USE_ACTIONS is not present in the "default" shorewall.conf
(the one
>> supplied with either the source or the rpm file) - it needs to be
added.
 That''s good since the option was obsoleted with the release of
 Shorewall-perl
> 
>> 2. There is a syntax error in man shorewall.conf (LEGACY_FASTSTART 
>> section) - "/etc/shorewall are compare with " should be
"/etc/shorewall
>> are compared with "
Your two quoted strings are identical, AFAICS. But if you are
complaining about the use of the plural ''are'', there are
multiple
modification times associated with a directory (the directory and each
of its subordinate directories and files).
>> 3. The following problem which I reported in Beta4 is still there - 
>> A_ACCEPT, A_DROP and/or A_REJECT assume comments from the first action 
>> (normally in Drop and Reject) which calls them, which is wrong.
Example:
>>
>> If I have A_AllowICMPs, Auth(A_REJECT) and A_DropUPnP in my Drop action
>> the following chains are produced by shorewall:
>>
>> Chain A_ACCEPT (4 references)
>>  pkts bytes target prot opt in out source destination         
>>  0 0 AUDIT all -- * * 0.0.0.0/0 0.0.0.0/0 /* Needed ICMP types */ 
AUDIT
>> accept
>>  0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* Needed ICMP types */
>>
>> Chain A_DROP (9 references)
>>  pkts bytes target prot opt in out source destination         
>>  0 0 AUDIT all -- * * 0.0.0.0/0 0.0.0.0/0 /* UPnP */  AUDIT drop
>>   0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 /* UPnP */
>>
>> Chain A_REJECT (2 references)
>>  pkts bytes target prot opt in out source destination         
>>  0 0 AUDIT all -- * * 0.0.0.0/0 0.0.0.0/0 /* Auth */  AUDIT reject
>>  0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0 [goto] /* Auth */
>>
>> The comments of which are, of course, utter nonsense! These should not 
>> be there at all!
> 
Give that you were eager to test and I have a full-time job unrelated to
networking, I released the beta without the attached patch.
> 
>>
>> 4. Not a bug, but a suggestion.
>>
>> Every time I upgrade shorewall I am spending time executing diff and 
>> peeling my eyes out to see what new options have been introduced and 
>> what options, if any, have been deprecated. This exercise is very much 
>> prone to errors and I believe there is a simpler and better solution to
>> this, which could be done "automagically" without much fuss.
>>
>> - Create (and distribute) shorewall.conf.default, which contains all 
>> shorewall.conf options with their default values for the current 
>> shorewall version being distributed;
>>
>> - Create (and distribute) shorewall.conf.template which also contains 
>> all available options for the shorewall version being distributed, but 
>> lists their "values" in the following manner:
>> USE_ACTIONS=$USE_ACTIONS
>> LEGACY_FASTSTART=$LEGACY_FASTSTART
>> ...
>>
>> - Create a shell script which:
>> 1). simply reads shorewall.conf.default as a shell source, so that all 
>> "variables" listed there are "defined" and have
their values loaded up.
>> 2). check to see if shorewall.conf exists (from a previous shorewall 
>> version perhaps) and if that is the case read this file also as a shell
>> source, so that the variables previously "defined" in 
>> shorewall.conf.default get overwritten from the existing shorewall.conf
>> 3). use shorewall.conf.template to output all shorewall.conf variables 
>> with their values and redirect this output to shorewall.conf
>>
>> - Job done and I don''t have to spend any more time diff-ing
old and new
>> shorewall configs ever!
Contributions cheerfully accepted.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
vRanger cuts backup time in half-while increasing security.
With the market-leading solution for virtual backup and recovery, 
you get blazing-fast, flexible, and affordable data protection.
Download your free trial now. 
http://p.sf.net/sfu/quest-d2dcopy1

On 05/27/2011 08:11 PM, Tom Eastep wrote:
> On 5/27/11 7:51 PM, Tom Eastep wrote:
>> On 5/27/11 6:11 PM, Mr Dash Four wrote:
>>> 4. Not a bug, but a suggestion.
>>>
>>> Every time I upgrade shorewall I am spending time executing diff
and
>>> peeling my eyes out to see what new options have been introduced
and
>>> what options, if any, have been deprecated. This exercise is very
much
>>> prone to errors and I believe there is a simpler and better
solution to
>>> this, which could be done "automagically" without much
fuss.
I think this topic warrents further discussion.

The philosophy of shorewall.conf has always been that if you don''t
change it during an upgrade, then the behavior of your firewall won''t
change (fully backward compatible). So the default (value assigned when
the option does not appear in the file or is supplied with an empty
value) is chosen to achieve backward compatibility.

I used to assign a different value in shorewall.conf when I wanted new
users to experience behavior different from the default. I gave that up,
however, because people seem bound and determined to do what you are
apparently doing and add every new option to your existing
shorewall.conf with the value defined in mine. This lead to many laments
of "I upgraded and you broke my firewall".

So now, new options in shorewall.conf always get their
compiler-defaulted values and I only assign a different value in the
sample configurations.
>>> - Create (and distribute) shorewall.conf.default, which contains
all
>>> shorewall.conf options with their default values for the current 
>>> shorewall version being distributed;
The shorewall.conf in the tarball is presumably this file.
>>>
>>> - Create (and distribute) shorewall.conf.template which also
contains
>>> all available options for the shorewall version being distributed,
but
>>> lists their "values" in the following manner:
>>> USE_ACTIONS=$USE_ACTIONS
>>> LEGACY_FASTSTART=$LEGACY_FASTSTART
>>> ...
>>>
>>> - Create a shell script which:
>>> 1). simply reads shorewall.conf.default as a shell source, so that
all
>>> "variables" listed there are "defined" and have
their values loaded up.
>>> 2). check to see if shorewall.conf exists (from a previous
shorewall
>>> version perhaps) and if that is the case read this file also as a
shell
>>> source, so that the variables previously "defined" in 
>>> shorewall.conf.default get overwritten from the existing
shorewall.conf
>>> 3). use shorewall.conf.template to output all shorewall.conf
variables
>>> with their values and redirect this output to shorewall.conf
>>>
>>> - Job done and I don''t have to spend any more time
diff-ing old and new
>>> shorewall configs ever!
Again, I question why this is necessary.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
vRanger cuts backup time in half-while increasing security.
With the market-leading solution for virtual backup and recovery, 
you get blazing-fast, flexible, and affordable data protection.
Download your free trial now. 
http://p.sf.net/sfu/quest-d2dcopy1

> The philosophy of shorewall.conf has always been that if you don''t
> change it during an upgrade, then the behavior of your firewall
won''t
> change (fully backward compatible). So the default (value assigned when
> the option does not appear in the file or is supplied with an empty
> value) is chosen to achieve backward compatibility.
>   
I agree with that. There is a difference, however, between "default 
value assigned in shorewall.conf" and "using default value" and
that
difference is that unless I see it in shorewall.conf for me this option 
does not exist and if it does not exist I wouldn''t know about it (a bit
like your FAKE_AUDIT option really - unless I read that post from you on 
this list, I wouldn''t have known about this option, which I
don''t think
is right - that''s a bit Microsoft like!).
> So now, new options in shorewall.conf always get their
> compiler-defaulted values and I only assign a different value in the
> sample configurations.
>   
What do you mean - that the sample shorewall.conf provided with the 
shorewall package does not contain the "default" values?
>>>> - Create (and distribute) shorewall.conf.default, which
contains all
>>>> shorewall.conf options with their default values for the
current
>>>> shorewall version being distributed;
>>>>         
>
> The shorewall.conf in the tarball is presumably this file.
>   
Yep! I have, however, changed that as of today.
>>>> - Create (and distribute) shorewall.conf.template which also
contains
>>>> all available options for the shorewall version being
distributed, but
>>>> lists their "values" in the following manner:
>>>> USE_ACTIONS=$USE_ACTIONS
>>>> LEGACY_FASTSTART=$LEGACY_FASTSTART
>>>> ...
>>>>
>>>> - Create a shell script which:
>>>> 1). simply reads shorewall.conf.default as a shell source, so
that all
>>>> "variables" listed there are "defined" and
have their values loaded up.
>>>> 2). check to see if shorewall.conf exists (from a previous
shorewall
>>>> version perhaps) and if that is the case read this file also as
a shell
>>>> source, so that the variables previously "defined" in
>>>> shorewall.conf.default get overwritten from the existing
shorewall.conf
>>>> 3). use shorewall.conf.template to output all shorewall.conf
variables
>>>> with their values and redirect this output to shorewall.conf
>>>>
>>>> - Job done and I don''t have to spend any more time
diff-ing old and new
>>>> shorewall configs ever!
>>>>         
>
> Again, I question why this is necessary.
>   
My view is that all available options should be listed in shorewall.conf 
and visible to users, like myself, so that I know what I have - both in 
terms of capabilities, as well as functionality (old and new). The old 
settings should be respected, the new ones should also be present, so 
that when I go through the config file and see an option I don''t know 
about I look at its value, check the manual and alter it, if necessary.

If I can''t see that option I cannot do that and I am not that smart to 
remember *all* options listed in the shorewall.conf man page as well as 
those in my shorewall.conf file so that I could compare and see what is 
missing - that ain''t happening.

So, what I did a couple of hours ago is discarded the notion of 
"shorewall.conf" completely and replaced it with
"shorewall.default",
introduced "shorewall.template", devised a small %postun script, which
merges "shorewall.default" with my existing shorewall.conf (if it
exists
from the previous installation), thus honouring my old settings, while 
"piping" this through "shorewall.template" creating final
version of
shorewall.conf, while preserving the old as shorewall.conf.org - just in 
case.

I also devised a separate shell script, which is installed as part of 
that package and it serves a similar purpose to my %postun routine in 
that it provides additional functionality for those occasions where 
shorewall.conf is not in its "standard" location (i.e. /etc/shorewall)
so that it could be run separately by the user merging both old and new 
configs respecting the old values. It works a treat, so I am more than 
happy to continue using it.

------------------------------------------------------------------------------
vRanger cuts backup time in half-while increasing security.
With the market-leading solution for virtual backup and recovery, 
you get blazing-fast, flexible, and affordable data protection.
Download your free trial now. 
http://p.sf.net/sfu/quest-d2dcopy1

On 5/28/11 8:16 AM, Mr Dash Four wrote:
> 
>> The philosophy of shorewall.conf has always been that if you
don''t
>> change it during an upgrade, then the behavior of your firewall
won''t
>> change (fully backward compatible). So the default (value assigned when
>> the option does not appear in the file or is supplied with an empty
>> value) is chosen to achieve backward compatibility.
>>   
> I agree with that. There is a difference, however, between "default 
> value assigned in shorewall.conf" and "using default value"
and that
> difference is that unless I see it in shorewall.conf for me this option 
> does not exist and if it does not exist I wouldn''t know about it
(a bit
> like your FAKE_AUDIT option really - unless I read that post from you on 
> this list, I wouldn''t have known about this option, which I
don''t think
> is right - that''s a bit Microsoft like!).
> 
>> So now, new options in shorewall.conf always get their
>> compiler-defaulted values and I only assign a different value in the
>> sample configurations.
>>   
> What do you mean - that the sample shorewall.conf provided with the 
> shorewall package does not contain the "default" values?
Those in the Samples directory do not contain the "default" values.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
vRanger cuts backup time in half-while increasing security.
With the market-leading solution for virtual backup and recovery, 
you get blazing-fast, flexible, and affordable data protection.
Download your free trial now. 
http://p.sf.net/sfu/quest-d2dcopy1

> Those in the Samples directory do not contain the "default"
values.
>   
Whatever.

------------------------------------------------------------------------------
vRanger cuts backup time in half-while increasing security.
With the market-leading solution for virtual backup and recovery, 
you get blazing-fast, flexible, and affordable data protection.
Download your free trial now. 
http://p.sf.net/sfu/quest-d2dcopy1

On 5/28/11 8:16 AM, Mr Dash Four wrote:
>>   
> My view is that all available options should be listed in shorewall.conf 
> and visible to users, like myself, so that I know what I have - both in 
> terms of capabilities, as well as functionality (old and new). The old 
> settings should be respected, the new ones should also be present, so 
> that when I go through the config file and see an option I don''t
know
> about I look at its value, check the manual and alter it, if necessary.
> 
> If I can''t see that option I cannot do that and I am not that
smart to
> remember *all* options listed in the shorewall.conf man page as well as 
> those in my shorewall.conf file so that I could compare and see what is 
> missing - that ain''t happening.
> 
> So, what I did a couple of hours ago is discarded the notion of 
> "shorewall.conf" completely and replaced it with
"shorewall.default",
> introduced "shorewall.template", devised a small %postun script,
which
> merges "shorewall.default" with my existing shorewall.conf (if it
exists
> from the previous installation), thus honouring my old settings, while 
> "piping" this through "shorewall.template" creating
final version of
> shorewall.conf, while preserving the old as shorewall.conf.org - just in 
> case.
> 
> I also devised a separate shell script, which is installed as part of 
> that package and it serves a similar purpose to my %postun routine in 
> that it provides additional functionality for those occasions where 
> shorewall.conf is not in its "standard" location (i.e.
/etc/shorewall)
> so that it could be run separately by the user merging both old and new 
> configs respecting the old values. It works a treat, so I am more than 
> happy to continue using it.
Okay -- I''ve been doing a little scripting today too. The result of
that
scripting is that:

a) shorewall.conf and shorewall6.conf must have the same options or my
   build fails.

b) shorewall.conf is annotated with the manpage text (see attached).
   There is also a shorewall.conf.default in the tarball for those who
   prefer to not have the manpage merged with the config file.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
vRanger cuts backup time in half-while increasing security.
With the market-leading solution for virtual backup and recovery, 
you get blazing-fast, flexible, and affordable data protection.
Download your free trial now. 
http://p.sf.net/sfu/quest-d2dcopy1

On 5/28/11 4:00 PM, Tom Eastep wrote:
> Okay -- I''ve been doing a little scripting today too. The result
of that
> scripting is that:
> 
> a) shorewall.conf and shorewall6.conf must have the same options or my
>    build fails.
	That should have been shorewall.conf and ''man
shorewall.conf''.
	I''ve completed the work now and the Samples are annotated in
	the same way as the main shorewall.conf file.

	All of the .conf files have exactly the same entries as their
	associated manpage and are annotated with the manpage in the
	style of the early preview that I posted earlier.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
vRanger cuts backup time in half-while increasing security.
With the market-leading solution for virtual backup and recovery, 
you get blazing-fast, flexible, and affordable data protection.
Download your free trial now. 
http://p.sf.net/sfu/quest-d2dcopy1

On 5/28/11 9:51 PM, Tom Eastep wrote:
> On 5/28/11 4:00 PM, Tom Eastep wrote:
> 
>> Okay -- I''ve been doing a little scripting today too. The
result of that
>> scripting is that:
>>
>> a) shorewall.conf and shorewall6.conf must have the same options or my
>>    build fails.
> 
> 	That should have been shorewall.conf and ''man
shorewall.conf''.
> 	I''ve completed the work now and the Samples are annotated in
> 	the same way as the main shorewall.conf file.
> 
> 	All of the .conf files have exactly the same entries as their
> 	associated manpage and are annotated with the manpage in the
> 	style of the early preview that I posted earlier.
Here''s the final file.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
vRanger cuts backup time in half-while increasing security.
With the market-leading solution for virtual backup and recovery, 
you get blazing-fast, flexible, and affordable data protection.
Download your free trial now. 
http://p.sf.net/sfu/quest-d2dcopy1

Tom

Using kernel 2.6.39, iptables 1.4.10 and xtables-addons 1.35

The following rules file entry:

ACCEPT  $FW  lan  tcp  22  -  -  -  !root:root

produces the following iptables rule:

-A fw2lan -p 6 --dport 22 -m owner ! --uid-owner root ! --gid-owner root -j 
ACCEPT

Which works.
After upgrading iptables to 1.4.11 the following iptables-restore error is 
produced:

iptables-restore v1.4.11: owner: option "--uid-owner" cannot be
inverted.


The following tcrules file entry:

IPMARK(dst,-1,-64)  $FW  eth1  tcp  888

produces the following iptables rule:

-A OUTPUT -p 6 --dport 888 -o eth1 -j IPMARK --addr 
dst --and-mask -1 --or-mask -64 --shift 0

Which works.
After upgrading to iptables 1.4.11 the following iptables-restore error is 
produced:

iptables-restore v1.4.11: IPMARK: Bad value for "and-mask" option:
"-1"

Steven.

------------------------------------------------------------------------------
vRanger cuts backup time in half-while increasing security.
With the market-leading solution for virtual backup and recovery, 
you get blazing-fast, flexible, and affordable data protection.
Download your free trial now. 
http://p.sf.net/sfu/quest-d2dcopy1

Tom

Using kernel 2.6.39, iptables 1.4.11 and xtables-addons 1.35

If the config. does not have a capabilities file, the following policy works:

all  all  DROP:audit  warn

If a capabilities file is created, the following error message is produced:

ERROR: :audit requires AUDIT Target in your kernel and 
iptables : /etc/shorewallBBB/policy (line 13)

A copy of the capabilities file is attached.

I have manually entered the following iptables rule to confirm that the audit 
feature is working:

iptables -A INPUT -j AUDIT --type drop

Steven.


------------------------------------------------------------------------------
vRanger cuts backup time in half-while increasing security.
With the market-leading solution for virtual backup and recovery, 
you get blazing-fast, flexible, and affordable data protection.
Download your free trial now. 
http://p.sf.net/sfu/quest-d2dcopy1

On 5/29/11 7:01 AM, Steven Jan Springl wrote:
> Using kernel 2.6.39, iptables 1.4.10 and xtables-addons 1.35
> 
> The following rules file entry:
> 
> ACCEPT  $FW  lan  tcp  22  -  -  -  !root:root
> 
> produces the following iptables rule:
> 
> -A fw2lan -p 6 --dport 22 -m owner ! --uid-owner root ! --gid-owner root -j
> ACCEPT
> 
> Which works.
> After upgrading iptables to 1.4.11 the following iptables-restore error is 
> produced:
> 
> iptables-restore v1.4.11: owner: option "--uid-owner" cannot be
inverted.
Jan Engelhardt (Netfilter developer) has confirmed that this is an
iptables 1.4.11 bug.
> 
> 
> The following tcrules file entry:
> 
> IPMARK(dst,-1,-64)  $FW  eth1  tcp  888
> 
> produces the following iptables rule:
> 
> -A OUTPUT -p 6 --dport 888 -o eth1 -j IPMARK --addr 
> dst --and-mask -1 --or-mask -64 --shift 0
> 
> Which works.
> After upgrading to iptables 1.4.11 the following iptables-restore error is 
> produced:
> 
> iptables-restore v1.4.11: IPMARK: Bad value for "and-mask"
option: "-1"
The attached patch should catch this one.

Thanks, Steven
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
vRanger cuts backup time in half-while increasing security.
With the market-leading solution for virtual backup and recovery, 
you get blazing-fast, flexible, and affordable data protection.
Download your free trial now. 
http://p.sf.net/sfu/quest-d2dcopy1

On 5/29/11 7:54 AM, Tom Eastep wrote:
> On 5/29/11 7:01 AM, Steven Jan Springl wrote:
> 
>> Using kernel 2.6.39, iptables 1.4.10 and xtables-addons 1.35
>>
>> The following rules file entry:
>>
>> ACCEPT  $FW  lan  tcp  22  -  -  -  !root:root
>>
>> produces the following iptables rule:
>>
>> -A fw2lan -p 6 --dport 22 -m owner ! --uid-owner root ! --gid-owner
root -j
>> ACCEPT
>>
>> Which works.
>> After upgrading iptables to 1.4.11 the following iptables-restore error
is
>> produced:
>>
>> iptables-restore v1.4.11: owner: option "--uid-owner" cannot
be inverted.
> 
> Jan Engelhardt (Netfilter developer) has confirmed that this is an
> iptables 1.4.11 bug.
> 
>>
>>
>> The following tcrules file entry:
>>
>> IPMARK(dst,-1,-64)  $FW  eth1  tcp  888
>>
>> produces the following iptables rule:
>>
>> -A OUTPUT -p 6 --dport 888 -o eth1 -j IPMARK --addr 
>> dst --and-mask -1 --or-mask -64 --shift 0
>>
>> Which works.
>> After upgrading to iptables 1.4.11 the following iptables-restore error
is
>> produced:
>>
>> iptables-restore v1.4.11: IPMARK: Bad value for "and-mask"
option: "-1"
> 
> The attached patch should catch this one.
I actually prefer this patch. It allows you to specify negative numbers
for the masks (which may be helpful) and converts them into 32-bit hex
numbers.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
vRanger cuts backup time in half-while increasing security.
With the market-leading solution for virtual backup and recovery, 
you get blazing-fast, flexible, and affordable data protection.
Download your free trial now. 
http://p.sf.net/sfu/quest-d2dcopy1

On 5/29/11 8:03 AM, Tom Eastep wrote:
> I actually prefer this patch. It allows you to specify negative numbers
> for the masks (which may be helpful) and converts them into 32-bit hex
> numbers.
Three''s the charm, I guess.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
vRanger cuts backup time in half-while increasing security.
With the market-leading solution for virtual backup and recovery, 
you get blazing-fast, flexible, and affordable data protection.
Download your free trial now. 
http://p.sf.net/sfu/quest-d2dcopy1

On Sunday 29 May 2011 16:26:11 Tom Eastep wrote:
> On 5/29/11 8:03 AM, Tom Eastep wrote:
> > I actually prefer this patch. It allows you to specify negative
numbers
> > for the masks (which may be helpful) and converts them into 32-bit hex
> > numbers.
>
> Three''s the charm, I guess.
>
> -Tom
Tom

Sorry for the delay in getting back to you. It''s been a bit chaotic
here
today.

I can confirm the patch works. I can also confirm the UID patch works. Thanks.

Steven.



------------------------------------------------------------------------------
vRanger cuts backup time in half-while increasing security.
With the market-leading solution for virtual backup and recovery, 
you get blazing-fast, flexible, and affordable data protection.
Download your free trial now. 
http://p.sf.net/sfu/quest-d2dcopy1

On Sunday 29 May 2011 21:46:09 Steven Jan Springl wrote:
> On Sunday 29 May 2011 16:26:11 Tom Eastep wrote:
> > On 5/29/11 8:03 AM, Tom Eastep wrote:
> > > I actually prefer this patch. It allows you to specify negative
numbers
> > > for the masks (which may be helpful) and converts them into
32-bit hex
> > > numbers.
> >
> > Three''s the charm, I guess.
> >
> > -Tom
>
> Tom
>
> Sorry for the delay in getting back to you. It''s been a bit
chaotic here
> today.
>
> I can confirm the patch works. I can also confirm the UID patch works.
> Thanks.
>
> Steven.
>
Tom

When tcrules file contains:

IPMARK(dst,0X880,0xcc00,124)  $FW  eth1

the following messages are produced:

Argument "0X880" isn''t numeric in bitwise and (&) 
at /usr/share/shorewall/Shorewall/Tc.pm line 334, <$currentfile> line 15.

Argument "0xcc00" isn''t numeric in bitwise and (&) 
at /usr/share/shorewall/Shorewall/Tc.pm line 340, <$currentfile> line 15.

Steven.

------------------------------------------------------------------------------
vRanger cuts backup time in half-while increasing security.
With the market-leading solution for virtual backup and recovery, 
you get blazing-fast, flexible, and affordable data protection.
Download your free trial now. 
http://p.sf.net/sfu/quest-d2dcopy1

> Here''s the final file.
>   
OK, I am attaching quite a few files to this post, so hopefully the 
mailing list daemon won''t moan too much. If it does, then I am going to
have to attach these again in a private email.

I have created the following files, which I have used to install and 
configure my shorewall yesterday:

1. shorewall.default - contains shorewall.conf''s "default"
options as
per the file you enclosed in your previous post. These are used to 
construct the final shorewall.conf (see below);
2. shorewall.template - template to be used to "transform" the values 
and produce the final shorewall.conf;
3. shorewall-terse.template - another template, which does not contain 
any comments at all (may be suitable to "experts" who think they know 
what they are doing);
4. update-shorewall-config - a shell script, which does the donkey work 
of transforming shorewall.conf options (whether from an old 
shorewall.conf, "shorewal.default", or both, giving preference to the 
values present in the old shorewall.conf - in other words, if option is 
specified in both the existing "shorewall.conf" and
"shorewall.default"
then the value of that option specified in the old "shorewall.conf" 
takes precedence) and produces a final "shorewall.conf", based on one
of
the two templates specified above ("shorewall.template" or 
"shorewall-terse.template").

 From the shell script''s heading:

PURPOSE:

Combines all values from /etc/shorewall/shorewall.default with 
<old_shorewall_conf> (if specified) and then uses 
/etc/shorewall/shorewall[-terse].template to dump the output to 
<old_shorewall_conf>, renaming <old_shorewall_conf> to 
<old_shorewall_conf>.org, if applicable.

Preference is given to the values specified in <old_shorewall_conf>. 
"Deprecated" options (i.e. options used in <old_shorewall_conf>,
but not
present in /etc/shorewall/shorewall.default) are ignored. If no 
<old_shorewall_conf> is specified /etc/shorewall/shorewall.conf is 
assumed. If /etc/shorewall/shorewall.conf does not exist, then a new 
/etc/shorewall/shorewall.conf is created based on values in 
/etc/shorewall/shorewall.default.

SYNTAX:

$0 [-teastep] [<old_shorewall_conf>]

REQUIRES:

/etc/shorewall/shorewall.default - containing all "default" values 
applicable to the distributed version of Shorewall;
/etc/shorewall/shorewall[-terse].template - containing the template to 
be used during transformation;

IN:

"-teastep" - use the "terse" shorewall template 
(/etc/shorewall/shorewall-terse.template). Optional, defaults to using 
/etc/shorewall/shorewall.template

<old_shorewall_conf> - old shorewall.conf to use. If 
<old_shorewall_conf> is not specified: 1) /etc/shorewall/shorewall.conf 
is checked and if it exists, this is then used; 2) if 
/etc/shorewall/shorewall.conf does not exists, then it is created based 
on the values in /etc/shorewall/shorewall.default, using the preselected 
template - /etc/shorewall/shorewal[-terse].template

OUT:

One of:
- modified /etc/shorewall/shorewall.conf if 
"/etc/shorewall/shorewall.conf" exists or no
<old_shorewall_conf> was
specified
- modified <old_shorewall_conf>

For this to really work the following needs to be done:

1. The existing shorewall.conf from the distribution 
(configfiles/shorewall.conf) needs to be wiped out and the attached 
shorewall.default needs to be used instead. All references of 
"shorewall.conf" in install.sh need to be replaced with  
"shorewall.default": sed -i
"s/shorewall\.conf/shorewall\.default/"
install.sh

2. The two templates need to be copied where they belong - in the 
configfiles/ directory so that they could be used. These need to be 
installed in /etc/shorewall at least so that they could be used by the 
update-shorewall-config script.

3. The update shorewall.conf script needs to be copied to a path where 
it can be executed (preferably /usr/sbin - this is what I''ve done 
anyway) and its attributes properly set (0755 and owner as root:root for 
example).

All of the above is done in my shorewall.spec file "automagically"
when
I use it to build my shorewall rpm. There is a little script in the 
%post section:

%post
if [ $1 = 1 ]; then
  /sbin/chkconfig --add shorewall
  if [ -f /etc/shorewall/shorewall.conf ]; then
    /usr/sbin/update-shorewall-config /etc/shorewall/shorewall.conf &> 
/dev/null
  else
    /usr/sbin/update-shorewall-config &> /dev/null
  fi
fi

What that does, among other things, is, it checks if there is old 
shorewall.conf present and if that is so, it runs the 
update-shorewall-config script to convert the options based on the 
"normal" template ("shorewall.template").

If "shorewall.conf" does *not* exists (new installation perhaps) it 
creates one based on "shorewall.default" and
"shorewall.template". In
that way there won''t be any more daft messages like
"shorewall.conf has
been saved as shorewall.conf.rpmnew" from the RPM engine as the file is 
created/modified (the old file, if exists, is still saved as 
shorewall.conf.org!).

By adopting this, there isn''t any danger of carrying
"deprecated"
options (I had about 9 when I first used this) or missing on new ones 
released with each shorewall version.





------------------------------------------------------------------------------
vRanger cuts backup time in half-while increasing security.
With the market-leading solution for virtual backup and recovery, 
you get blazing-fast, flexible, and affordable data protection.
Download your free trial now. 
http://p.sf.net/sfu/quest-d2dcopy1

On 5/29/11 2:37 PM, Steven Jan Springl wrote:
>> I can confirm the patch works. I can also confirm the UID patch works.
>> Thanks.
>
Thanks.
> 
> When tcrules file contains:
> 
> IPMARK(dst,0X880,0xcc00,124)  $FW  eth1
> 
> the following messages are produced:
> 
> Argument "0X880" isn''t numeric in bitwise and (&) 
> at /usr/share/shorewall/Shorewall/Tc.pm line 334, <$currentfile> line
15.
> 
> Argument "0xcc00" isn''t numeric in bitwise and (&) 
> at /usr/share/shorewall/Shorewall/Tc.pm line 340, <$currentfile> line
15.
For such a simple fix, I seem to be having an unusually hard time with
it :-(

This should eliminate the problem you''re seeing

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
vRanger cuts backup time in half-while increasing security.
With the market-leading solution for virtual backup and recovery, 
you get blazing-fast, flexible, and affordable data protection.
Download your free trial now. 
http://p.sf.net/sfu/quest-d2dcopy1

On Sunday 29 May 2011 22:51:47 Tom Eastep wrote:
> On 5/29/11 2:37 PM, Steven Jan Springl wrote:
> >> I can confirm the patch works. I can also confirm the UID patch
works.
> >> Thanks.
>
> Thanks.
>
> > When tcrules file contains:
> >
> > IPMARK(dst,0X880,0xcc00,124)  $FW  eth1
> >
> > the following messages are produced:
> >
> > Argument "0X880" isn''t numeric in bitwise and
(&)
> > at /usr/share/shorewall/Shorewall/Tc.pm line 334, <$currentfile>
line 15.
> >
> > Argument "0xcc00" isn''t numeric in bitwise and
(&)
> > at /usr/share/shorewall/Shorewall/Tc.pm line 340, <$currentfile>
line 15.
>
> For such a simple fix, I seem to be having an unusually hard time with
> it :-(
>
> This should eliminate the problem you''re seeing
>
> -Tom
Tom

Confirmed, that has fixed the problem. Thanks.

Steven.

------------------------------------------------------------------------------
vRanger cuts backup time in half-while increasing security.
With the market-leading solution for virtual backup and recovery, 
you get blazing-fast, flexible, and affordable data protection.
Download your free trial now. 
http://p.sf.net/sfu/quest-d2dcopy1

> 
> Confirmed, that has fixed the problem. Thanks.
> 
Thanks, Steven

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
vRanger cuts backup time in half-while increasing security.
With the market-leading solution for virtual backup and recovery, 
you get blazing-fast, flexible, and affordable data protection.
Download your free trial now. 
http://p.sf.net/sfu/quest-d2dcopy1

On 5/29/11 2:42 PM, Mr Dash Four wrote:
> 
>> Here''s the final file.
>>   
> OK, I am attaching quite a few files to this post, so hopefully the
> mailing list daemon won''t moan too much. If it does, then I am
going to
> have to attach these again in a private email.
> 
> I have created the following files, which I have used to install and
> configure my shorewall yesterday:
Thanks!

I think that it is a little late in the 4.4.20 cycle to try to integrate
this into that release. So I''ll hold it until I release 4.4.20 and make
it the first thing that I add for 4.4.21 Beta 1.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
vRanger cuts backup time in half-while increasing security.
With the market-leading solution for virtual backup and recovery, 
you get blazing-fast, flexible, and affordable data protection.
Download your free trial now. 
http://p.sf.net/sfu/quest-d2dcopy1

> I think that it is a little late in the 4.4.20 cycle to try to integrate
> this into that release. So I''ll hold it until I release 4.4.20 and
make
> it the first thing that I add for 4.4.21 Beta 1.
>   
That makes no difference to me as I already use these and "reap the 
benefits", so to speak (I had quite a few "deprecated" options, 
apparently left from when I first started using shorewall and I have 
been carrying them since!).

If/when you decide to use any of this new functionality you have to 
remember to change shorewall.default and the two templates if you are 
going to deprecate options or introduce new ones.

------------------------------------------------------------------------------
vRanger cuts backup time in half-while increasing security.
With the market-leading solution for virtual backup and recovery, 
you get blazing-fast, flexible, and affordable data protection.
Download your free trial now. 
http://p.sf.net/sfu/quest-d2dcopy1

Tom

I have an action extension script that tests the variable $family to determine 
if IPv4 or IPv6 is being used. 

The script worked with shorewall(6) 4.4.19. I believe it stopped working 
shorewall(6) 4.4.20 Beta4.

I now get the following messages:

Compiling /etc/shorewall1/action.Extns for chain %Extns...

Use of uninitialized value $Shorewall::Rules::family in numeric eq (==) at 
(eval 9) line 28, <$currentfile> line 18.

Is there anything I need to do to be able reference $family within the script.

I have attached a copy of the script.

Thanks.

Steven.


------------------------------------------------------------------------------
vRanger cuts backup time in half-while increasing security.
With the market-leading solution for virtual backup and recovery, 
you get blazing-fast, flexible, and affordable data protection.
Download your free trial now. 
http://p.sf.net/sfu/quest-d2dcopy1

On 5/29/11 4:16 PM, Steven Jan Springl wrote:
> Tom
> 
> I have an action extension script that tests the variable $family to
determine
> if IPv4 or IPv6 is being used. 
> 
> The script worked with shorewall(6) 4.4.19. I believe it stopped working 
> shorewall(6) 4.4.20 Beta4.
> 
> I now get the following messages:
> 
> Compiling /etc/shorewall1/action.Extns for chain %Extns...
> 
> Use of uninitialized value $Shorewall::Rules::family in numeric eq (==) at 
> (eval 9) line 28, <$currentfile> line 18.
> 
> Is there anything I need to do to be able reference $family within the
script.
Rather than
	''our $family;''
	...
	if ( $family == ...)

Try

	my $family = $Shorewall::Chains::$family;
	...
	if ( $family == ...)

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
vRanger cuts backup time in half-while increasing security.
With the market-leading solution for virtual backup and recovery, 
you get blazing-fast, flexible, and affordable data protection.
Download your free trial now. 
http://p.sf.net/sfu/quest-d2dcopy1

On 5/29/11 4:13 PM, Mr Dash Four wrote:
> 
>> I think that it is a little late in the 4.4.20 cycle to try to
integrate
>> this into that release. So I''ll hold it until I release 4.4.20
and make
>> it the first thing that I add for 4.4.21 Beta 1.
>>   
> That makes no difference to me as I already use these and "reap the 
> benefits", so to speak (I had quite a few "deprecated"
options,
> apparently left from when I first started using shorewall and I have 
> been carrying them since!).
> 
> If/when you decide to use any of this new functionality you have to 
> remember to change shorewall.default and the two templates if you are 
> going to deprecate options or introduce new ones.
The annotated template will be machine-generated from the
''terse'' one
and the related manpage (the .conf file is currently generated that
way). So I only have to keep the plain one updated.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
vRanger cuts backup time in half-while increasing security.
With the market-leading solution for virtual backup and recovery, 
you get blazing-fast, flexible, and affordable data protection.
Download your free trial now. 
http://p.sf.net/sfu/quest-d2dcopy1

On 5/29/11 4:16 PM, Steven Jan Springl wrote:
> Tom
> 
> I have an action extension script that tests the variable $family to
determine
> if IPv4 or IPv6 is being used. 
> 
> The script worked with shorewall(6) 4.4.19. I believe it stopped working 
> shorewall(6) 4.4.20 Beta4.
> 
> I now get the following messages:
> 
> Compiling /etc/shorewall1/action.Extns for chain %Extns...
> 
> Use of uninitialized value $Shorewall::Rules::family in numeric eq (==) at 
> (eval 9) line 28, <$currentfile> line 18.
> 
> Is there anything I need to do to be able reference $family within the
script.
> 
> I have attached a copy of the script.
And here is a patch that will restore your ability to simple declare
''our $family''.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
vRanger cuts backup time in half-while increasing security.
With the market-leading solution for virtual backup and recovery, 
you get blazing-fast, flexible, and affordable data protection.
Download your free trial now. 
http://p.sf.net/sfu/quest-d2dcopy1

On Monday 30 May 2011 01:14:38 Tom Eastep wrote:
> On 5/29/11 4:16 PM, Steven Jan Springl wrote:
> > Tom
> >
> > I have an action extension script that tests the variable $family to
> > determine if IPv4 or IPv6 is being used.
> >
> > The script worked with shorewall(6) 4.4.19. I believe it stopped
working
> > shorewall(6) 4.4.20 Beta4.
> >
> > I now get the following messages:
> >
> > Compiling /etc/shorewall1/action.Extns for chain %Extns...
> >
> > Use of uninitialized value $Shorewall::Rules::family in numeric eq
(==)
> > at (eval 9) line 28, <$currentfile> line 18.
> >
> > Is there anything I need to do to be able reference $family within the
> > script.
> >
> > I have attached a copy of the script.
>
> And here is a patch that will restore your ability to simple declare
> ''our $family''.
>
> -Tom
Tom

Using your original suggestion with a minor change works:

my $family = $Shorewall::Chains::family;

Your patch also works.

I don''t mind which I use. So if you prefer to leave the patch off,
thats okay
with me.

Thanks.

Steven.




------------------------------------------------------------------------------
vRanger cuts backup time in half-while increasing security.
With the market-leading solution for virtual backup and recovery, 
you get blazing-fast, flexible, and affordable data protection.
Download your free trial now. 
http://p.sf.net/sfu/quest-d2dcopy1

Tom

In Shorewall6 if maclist is specified on an interface, the following messages 
are produced:

Use of uninitialized value $to in hash element 
at /usr/share/shorewall/Shorewall/Chains.pm line 1310.

Use of uninitialized value $to in pattern match (m//) 
at /usr/share/shorewall/Shorewall/Chains.pm line 1310.

ERROR: Internal error in Shorewall::Chains::find_chain 
at /usr/share/shorewall/Shorewall/Chains.pm line 1273

I have attached a minimal config. with an example.

Steven.


------------------------------------------------------------------------------
vRanger cuts backup time in half-while increasing security.
With the market-leading solution for virtual backup and recovery, 
you get blazing-fast, flexible, and affordable data protection.
Download your free trial now. 
http://p.sf.net/sfu/quest-d2dcopy1

On 5/29/11 5:46 PM, Steven Jan Springl wrote:
> In Shorewall6 if maclist is specified on an interface, the following
messages
> are produced:
> 
> Use of uninitialized value $to in hash element 
> at /usr/share/shorewall/Shorewall/Chains.pm line 1310.
> 
> Use of uninitialized value $to in pattern match (m//) 
> at /usr/share/shorewall/Shorewall/Chains.pm line 1310.
> 
> ERROR: Internal error in Shorewall::Chains::find_chain 
> at /usr/share/shorewall/Shorewall/Chains.pm line 1273
> 
> I have attached a minimal config. with an example.
Steven,

This is a defect introduced since 4.4.19 and is not limited to IPv6. It
occurs when MACLIST_DISPOSITION is not specified.

Patch attached.

Thanks,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
vRanger cuts backup time in half-while increasing security.
With the market-leading solution for virtual backup and recovery, 
you get blazing-fast, flexible, and affordable data protection.
Download your free trial now. 
http://p.sf.net/sfu/quest-d2dcopy1

On Monday 30 May 2011 15:49:49 Tom Eastep wrote:
> On 5/29/11 5:46 PM, Steven Jan Springl wrote:
> > In Shorewall6 if maclist is specified on an interface, the following
> > messages are produced:
> >
> > Use of uninitialized value $to in hash element
> > at /usr/share/shorewall/Shorewall/Chains.pm line 1310.
> >
> > Use of uninitialized value $to in pattern match (m//)
> > at /usr/share/shorewall/Shorewall/Chains.pm line 1310.
> >
> > ERROR: Internal error in Shorewall::Chains::find_chain
> > at /usr/share/shorewall/Shorewall/Chains.pm line 1273
> >
> > I have attached a minimal config. with an example.
>
> Steven,
>
> This is a defect introduced since 4.4.19 and is not limited to IPv6. It
> occurs when MACLIST_DISPOSITION is not specified.
>
> Patch attached.
>
> Thanks,
> -Tom
Tom

I confirm the patch has fixed the issue.

The following message is now being produced from the config.:

Use of uninitialized value $disposition in pattern match (m//) 
at /usr/share/shorewall/Shorewall/Misc.pm line 802.

Steven.

------------------------------------------------------------------------------
vRanger cuts backup time in half-while increasing security.
With the market-leading solution for virtual backup and recovery, 
you get blazing-fast, flexible, and affordable data protection.
Download your free trial now. 
http://p.sf.net/sfu/quest-d2dcopy1

On 5/30/11 8:17 AM, Steven Jan Springl wrote:
> 
> I confirm the patch has fixed the issue.
> 
> The following message is now being produced from the config.:
> 
> Use of uninitialized value $disposition in pattern match (m//) 
> at /usr/share/shorewall/Shorewall/Misc.pm line 802.
I managed to overlook that in the output when I tested. The attached
removes this second defect.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
vRanger cuts backup time in half-while increasing security.
With the market-leading solution for virtual backup and recovery, 
you get blazing-fast, flexible, and affordable data protection.
Download your free trial now. 
http://p.sf.net/sfu/quest-d2dcopy1

On Monday 30 May 2011 16:49:05 Tom Eastep wrote:
> On 5/30/11 8:17 AM, Steven Jan Springl wrote:
> > I confirm the patch has fixed the issue.
> >
> > The following message is now being produced from the config.:
> >
> > Use of uninitialized value $disposition in pattern match (m//)
> > at /usr/share/shorewall/Shorewall/Misc.pm line 802.
>
> I managed to overlook that in the output when I tested. The attached
> removes this second defect.
>
> -Tom
Tom

Confirmed, that''s fixed it. Thanks.

Steven.

------------------------------------------------------------------------------
vRanger cuts backup time in half-while increasing security.
With the market-leading solution for virtual backup and recovery, 
you get blazing-fast, flexible, and affordable data protection.
Download your free trial now. 
http://p.sf.net/sfu/quest-d2dcopy1

On 5/30/11 8:55 AM, Steven Jan Springl wrote:
>
> Confirmed, that''s fixed it. Thanks.
> 
Thanks, Steven

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
vRanger cuts backup time in half-while increasing security.
With the market-leading solution for virtual backup and recovery, 
you get blazing-fast, flexible, and affordable data protection.
Download your free trial now. 
http://p.sf.net/sfu/quest-d2dcopy1

On Sunday 29 May 2011 15:32:53 Steven Jan Springl wrote:
> Tom
>
> Using kernel 2.6.39, iptables 1.4.11 and xtables-addons 1.35
>
> If the config. does not have a capabilities file, the following policy
> works:
>
> all  all  DROP:audit  warn
>
> If a capabilities file is created, the following error message is produced:
>
> ERROR: :audit requires AUDIT Target in your kernel and
> iptables : /etc/shorewallBBB/policy (line 13)
>
> A copy of the capabilities file is attached.
>
> I have manually entered the following iptables rule to confirm that the
> audit feature is working:
>
> iptables -A INPUT -j AUDIT --type drop
>
> Steven.
Tom

Have you had an opportunity to look at the above problem yet?

Steven 

------------------------------------------------------------------------------
vRanger cuts backup time in half-while increasing security.
With the market-leading solution for virtual backup and recovery, 
you get blazing-fast, flexible, and affordable data protection.
Download your free trial now. 
http://p.sf.net/sfu/quest-d2dcopy1

I''ll look at it after breakfast.

Tom

Sent from my iPad

On May 30, 2011, at 9:08 AM, Steven Jan Springl <steven@springl.ukfsn.org>
wrote:
> On Sunday 29 May 2011 15:32:53 Steven Jan Springl wrote:
>> Tom
>> 
>> Using kernel 2.6.39, iptables 1.4.11 and xtables-addons 1.35
>> 
>> If the config. does not have a capabilities file, the following policy
>> works:
>> 
>> all  all  DROP:audit  warn
>> 
>> If a capabilities file is created, the following error message is
produced:
>> 
>> ERROR: :audit requires AUDIT Target in your kernel and
>> iptables : /etc/shorewallBBB/policy (line 13)
>> 
>> A copy of the capabilities file is attached.
>> 
>> I have manually entered the following iptables rule to confirm that the
>> audit feature is working:
>> 
>> iptables -A INPUT -j AUDIT --type drop
>> 
>> Steven.
> 
> Tom
> 
> Have you had an opportunity to look at the above problem yet?
> 
> Steven 
> 
>
------------------------------------------------------------------------------
> vRanger cuts backup time in half-while increasing security.
> With the market-leading solution for virtual backup and recovery, 
> you get blazing-fast, flexible, and affordable data protection.
> Download your free trial now. 
> http://p.sf.net/sfu/quest-d2dcopy1
> _______________________________________________
> Shorewall-devel mailing list
> Shorewall-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-devel
------------------------------------------------------------------------------
vRanger cuts backup time in half-while increasing security.
With the market-leading solution for virtual backup and recovery, 
you get blazing-fast, flexible, and affordable data protection.
Download your free trial now. 
http://p.sf.net/sfu/quest-d2dcopy1

On 5/30/11 9:20 AM, Tom Eastep wrote:
> On May 30, 2011, at 9:08 AM, Steven Jan Springl
<steven@springl.ukfsn.org> wrote:
>> On Sunday 29 May 2011 15:32:53 Steven Jan Springl wrote:
>>> Using kernel 2.6.39, iptables 1.4.11 and xtables-addons 1.35
>>>
>>> If the config. does not have a capabilities file, the following
policy
>>> works:
>>>
>>> all  all  DROP:audit  warn
>>>
>>> If a capabilities file is created, the following error message is
produced:
>>>
>>> ERROR: :audit requires AUDIT Target in your kernel and
>>> iptables : /etc/shorewallBBB/policy (line 13)
>>>
>>> A copy of the capabilities file is attached.
>>>
>>> I have manually entered the following iptables rule to confirm that
the
>>> audit feature is working:
>>>
>>> iptables -A INPUT -j AUDIT --type drop
>
>> Have you had an opportunity to look at the above problem yet?
The attached patch corrects the problem. You will need to recreate the
capabilities file after applying the patch.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
vRanger cuts backup time in half-while increasing security.
With the market-leading solution for virtual backup and recovery, 
you get blazing-fast, flexible, and affordable data protection.
Download your free trial now. 
http://p.sf.net/sfu/quest-d2dcopy1

On Monday 30 May 2011 17:47:34 Tom Eastep wrote:
> On 5/30/11 9:20 AM, Tom Eastep wrote:
> > On May 30, 2011, at 9:08 AM, Steven Jan Springl
<steven@springl.ukfsn.org>
wrote:
> >> On Sunday 29 May 2011 15:32:53 Steven Jan Springl wrote:
> >>> Using kernel 2.6.39, iptables 1.4.11 and xtables-addons 1.35
> >>>
> >>> If the config. does not have a capabilities file, the
following policy
> >>> works:
> >>>
> >>> all  all  DROP:audit  warn
> >>>
> >>> If a capabilities file is created, the following error message
is
> >>> produced:
> >>>
> >>> ERROR: :audit requires AUDIT Target in your kernel and
> >>> iptables : /etc/shorewallBBB/policy (line 13)
> >>>
> >>> A copy of the capabilities file is attached.
> >>>
> >>> I have manually entered the following iptables rule to confirm
that the
> >>> audit feature is working:
> >>>
> >>> iptables -A INPUT -j AUDIT --type drop
> >>
> >> Have you had an opportunity to look at the above problem yet?
>
> The attached patch corrects the problem. You will need to recreate the
> capabilities file after applying the patch.
>
> -Tom
Tom

Confirmed, the patch has fixed the problem. Thanks.

Steven.

------------------------------------------------------------------------------
vRanger cuts backup time in half-while increasing security.
With the market-leading solution for virtual backup and recovery, 
you get blazing-fast, flexible, and affordable data protection.
Download your free trial now. 
http://p.sf.net/sfu/quest-d2dcopy1

Tom

The attached minimal config. produces the following message:

Can''t use an undefined value as a HASH reference 
at /usr/share/shorewall/Shorewall/Zones.pm line 1736, <$currentfile> line
11.

Steven.


------------------------------------------------------------------------------
vRanger cuts backup time in half-while increasing security.
With the market-leading solution for virtual backup and recovery, 
you get blazing-fast, flexible, and affordable data protection.
Download your free trial now. 
http://p.sf.net/sfu/quest-d2dcopy1

On 5/30/11 11:20 AM, Steven Jan Springl wrote:
> The attached minimal config. produces the following message:
> 
> Can''t use an undefined value as a HASH reference 
> at /usr/share/shorewall/Shorewall/Zones.pm line 1736, <$currentfile>
line 11.
Steven,

This seems to correct that problem.

Thanks,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
vRanger cuts backup time in half-while increasing security.
With the market-leading solution for virtual backup and recovery, 
you get blazing-fast, flexible, and affordable data protection.
Download your free trial now. 
http://p.sf.net/sfu/quest-d2dcopy1

On Monday 30 May 2011 19:37:32 Tom Eastep wrote:
> On 5/30/11 11:20 AM, Steven Jan Springl wrote:
> > The attached minimal config. produces the following message:
> >
> > Can''t use an undefined value as a HASH reference
> > at /usr/share/shorewall/Shorewall/Zones.pm line 1736,
<$currentfile> line
> > 11.
>
> Steven,
>
> This seems to correct that problem.
>
> Thanks,
> -Tom
Tom

I can confirm that it fixes the issue. Thanks.

Steven.

------------------------------------------------------------------------------
vRanger cuts backup time in half-while increasing security.
With the market-leading solution for virtual backup and recovery, 
you get blazing-fast, flexible, and affordable data protection.
Download your free trial now. 
http://p.sf.net/sfu/quest-d2dcopy1

On 05/30/2011 12:22 PM, Steven Jan Springl wrote:
> I can confirm that it fixes the issue. Thanks.
Thanks, Steven

Please let me know when you are finished testing Beta 5; once you do,
I''ll upload RC 1.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
vRanger cuts backup time in half-while increasing security.
With the market-leading solution for virtual backup and recovery, 
you get blazing-fast, flexible, and affordable data protection.
Download your free trial now. 
http://p.sf.net/sfu/quest-d2dcopy1

Tom

The attached config: produces the following error messages:

Use of uninitialized value in numeric gt (>) 
at /usr/share/shorewall/Shorewall/Chains.pm line 815.

ERROR: Internal error in Shorewall::Chains::decrement_reference_count 
at /usr/share/shorewall/Shorewall/Chains.pm line 815

Steven.


------------------------------------------------------------------------------
vRanger cuts backup time in half-while increasing security.
With the market-leading solution for virtual backup and recovery, 
you get blazing-fast, flexible, and affordable data protection.
Download your free trial now. 
http://p.sf.net/sfu/quest-d2dcopy1

On 5/30/11 2:16 PM, Steven Jan Springl wrote:
> The attached config: produces the following error messages:
> 
> Use of uninitialized value in numeric gt (>) 
> at /usr/share/shorewall/Shorewall/Chains.pm line 815.
> 
> ERROR: Internal error in Shorewall::Chains::decrement_reference_count 
> at /usr/share/shorewall/Shorewall/Chains.pm line 815
Steven,

That one took a while; bugs that show up in the optimizer with a large
and complex configuration are harder to find.

Thanks,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
vRanger cuts backup time in half-while increasing security.
With the market-leading solution for virtual backup and recovery, 
you get blazing-fast, flexible, and affordable data protection.
Download your free trial now. 
http://p.sf.net/sfu/quest-d2dcopy1

On 5/30/11 3:10 PM, Tom Eastep wrote:
> That one took a while; bugs that show up in the optimizer with a large
> and complex configuration are harder to find.
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
vRanger cuts backup time in half-while increasing security.
With the market-leading solution for virtual backup and recovery, 
you get blazing-fast, flexible, and affordable data protection.
Download your free trial now. 
http://p.sf.net/sfu/quest-d2dcopy1

On Monday 30 May 2011 23:12:54 Tom Eastep wrote:
> On 5/30/11 3:10 PM, Tom Eastep wrote:
> > That one took a while; bugs that show up in the optimizer with a large
> > and complex configuration are harder to find.
>
> -Tom
Tom

Confirmed, that''s fixed it. I''m not surprised it took a while
to find. Every
time my "swiss army knife config." finds a bug like that I cringe. It
can
take a considerable amount of time removing bits from it until I''m left
with
something that I can send to you. On the other hand it finds a large number 
of the bugs I report to you. So I am reluctant to get rid of it. 

Using the same config. the following iptables-restore error is produced:

iptables-restore v1.4.11: Bad action type value "blacklog"
Error occurred at line: 3137

Line 3137 is:

-A ~excl0 -j AUDIT --type blacklog

Steven.

------------------------------------------------------------------------------
vRanger cuts backup time in half-while increasing security.
With the market-leading solution for virtual backup and recovery, 
you get blazing-fast, flexible, and affordable data protection.
Download your free trial now. 
http://p.sf.net/sfu/quest-d2dcopy1

On 5/30/11 3:54 PM, Steven Jan Springl wrote:
> Confirmed, that''s fixed it. I''m not surprised it took a
while to find. Every
> time my "swiss army knife config." finds a bug like that I
cringe. It can
> take a considerable amount of time removing bits from it until I''m
left with
> something that I can send to you. On the other hand it finds a large number
> of the bugs I report to you. So I am reluctant to get rid of it. 
I agree that is a valuable tool.
> 
> Using the same config. the following iptables-restore error is produced:
> 
> iptables-restore v1.4.11: Bad action type value "blacklog"
> Error occurred at line: 3137
> 
> Line 3137 is:
> 
> -A ~excl0 -j AUDIT --type blacklog
This seems to fix it.

Thanks,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
vRanger cuts backup time in half-while increasing security.
With the market-leading solution for virtual backup and recovery, 
you get blazing-fast, flexible, and affordable data protection.
Download your free trial now. 
http://p.sf.net/sfu/quest-d2dcopy1

On Tuesday 31 May 2011 00:20:05 Tom Eastep wrote:
> On 5/30/11 3:54 PM, Steven Jan Springl wrote:
> > Confirmed, that''s fixed it. I''m not surprised it
took a while to find.
> > Every time my "swiss army knife config." finds a bug like
that I cringe.
> > It can take a considerable amount of time removing bits from it until
I''m
> > left with something that I can send to you. On the other hand it finds
a
> > large number of the bugs I report to you. So I am reluctant to get rid
of
> > it.
>
> I agree that is a valuable tool.
>
> > Using the same config. the following iptables-restore error is
produced:
> >
> > iptables-restore v1.4.11: Bad action type value "blacklog"
> > Error occurred at line: 3137
> >
> > Line 3137 is:
> >
> > -A ~excl0 -j AUDIT --type blacklog
>
> This seems to fix it.
>
> Thanks,
> -Tom
Tom

Confirmed, that''s fixed it. Thanks.

I have now finished testing Beta 5.

Steven.

------------------------------------------------------------------------------
vRanger cuts backup time in half-while increasing security.
With the market-leading solution for virtual backup and recovery, 
you get blazing-fast, flexible, and affordable data protection.
Download your free trial now. 
http://p.sf.net/sfu/quest-d2dcopy1

On 5/30/11 4:37 PM, Steven Jan Springl wrote:
> Confirmed, that''s fixed it. Thanks.
> 
> I have now finished testing Beta 5.
Thanks for all of your help, Steven

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
vRanger cuts backup time in half-while increasing security.
With the market-leading solution for virtual backup and recovery, 
you get blazing-fast, flexible, and affordable data protection.
Download your free trial now. 
http://p.sf.net/sfu/quest-d2dcopy1

On 5/29/11 2:42 PM, Mr Dash Four wrote:
> 
>> Here''s the final file.
>>   
> OK, I am attaching quite a few files to this post, so hopefully the
> mailing list daemon won''t moan too much. If it does, then I am
going to
> have to attach these again in a private email.
> 
> I have created the following files, which I have used to install and
> configure my shorewall yesterday:
> 
> 1. shorewall.default - contains shorewall.conf''s
"default" options as
> per the file you enclosed in your previous post. These are used to
> construct the final shorewall.conf (see below);
> 2. shorewall.template - template to be used to "transform" the
values
> and produce the final shorewall.conf;
> 3. shorewall-terse.template - another template, which does not contain
> any comments at all (may be suitable to "experts" who think they
know
> what they are doing);
> 4. update-shorewall-config - a shell script, which does the donkey work
> of transforming shorewall.conf options (whether from an old
> shorewall.conf, "shorewal.default", or both, giving preference to
the
> values present in the old shorewall.conf - in other words, if option is
> specified in both the existing "shorewall.conf" and
"shorewall.default"
> then the value of that option specified in the old
"shorewall.conf"
> takes precedence) and produces a final "shorewall.conf", based on
one of
> the two templates specified above ("shorewall.template" or
> "shorewall-terse.template").

Unfortunately, life isn''t quite this simple.

- As I have already mentioned on the user''s list, the
  ''update-shorewall-config'' script doesn''t take the
params file into
  account. In my own configuration, I have this in
  /etc/shorewall/params:

	LOG=ULOG

  Then, in /etc/shorewall/shorewall.conf, I have:

	MACLIST_LOG_LEVEL="$LOG"
	TCP_FLAGS_LOG_LEVEL="$LOG"
	SMURF_LOG_LEVEL="$LOG"

  This is fairly simple to correct: load the relevant libraries
  (remember, /etc/shorewall/params can use a number of
  shorewall-supplied functions) and source the params file before
  sourcing the .conf file.

- On a fresh installation, it is preferable to omit the deprecated
  options. During an upgrade, however, we want to keep those options -
  especially if they have a non-default value.

  Today, I modified both the 4.4.20 and 4.4.21 branches to omit the
  deprecated options from the .conf files (Shorewall, Shorewall6 and
  their samples).

- I''m particularly uncomfortable with the idea of modifying
users''
  configurations during an upgrade. I prefer to make it an optional
  post-installation step initiated by the user.

- Doesn''t handle Shorewall6 (although it would be easy to adapt).

- The sarcastic name of the option (-teastep) won''t do.

So, I''m thinking that:

- The ''upgrade-shorewall-config'' script will not be invoked
  automatically during install/upgrade. It may or may not be invoked in
  my product build (I will have to think some more about that).

- It will be documented as an optional post-installation step.
  Adventurous package maintainers may choose to use it. I will
  maintain and include the necessary support files.

- It will also be included in Shorewall6.

- Deprecated options with non-default values will be retained with a
  warning message. These options will be tacked onto the end of the
  file with a suitable comment.

- The -teastep option will become -a (annotated). The default will be
  non-annotated .conf files (which is consistent with the install.sh
  scripts). The template files will be renamed accordingly.

- It is likely that none of this will be in 4.4.21 Beta 1

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
EditLive Enterprise is the world''s most technically advanced content
authoring tool. Experience the power of Track Changes, Inline Image
Editing and ensure content is compliant with Accessibility Checking.
http://p.sf.net/sfu/ephox-dev2dev

On Sun, Jun 12, 2011 at 06:02:19PM -0700, Tom Eastep
wrote:
> 
> - On a fresh installation, it is preferable to omit the deprecated
>   options. During an upgrade, however, we want to keep those options -
>   especially if they have a non-default value.
> 
>   Today, I modified both the 4.4.20 and 4.4.21 branches to omit the
>   deprecated options from the .conf files (Shorewall, Shorewall6 and
>   their samples).
> 
> - I''m particularly uncomfortable with the idea of modifying
users''
>   configurations during an upgrade. I prefer to make it an optional
>   post-installation step initiated by the user.
> 
Tom,

This fits with my idea of a sensible way of handling this.  From the
Debian packaging side, if shorewall.conf contains local modifications,
any changes in the shorewall.conf shipped with the package must be
dealt with by the admin on upgrade.  In the event that there is no
interactive terminal attached, the default is to keep the old
configuration unmodified and save the packages new default configuration
file alongside.

Incidentally, for users of unstable, these sorts of things tend to come
along in bite-sized pieces.  However, when doing a dist-upgrade from one
stable release to another there are lots of changes.  For that reason I
try to avoid gratiutious changes to configuration files.

What I plan to do, though, is to ship the config file without the
deprecated options.  The Debian package upgrade process will make it
relatively painless for the admin to deal with the change.  If the admin
chooses to do nothing then things should continue to work with the older
configuration file.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com


------------------------------------------------------------------------------
EditLive Enterprise is the world''s most technically advanced content
authoring tool. Experience the power of Track Changes, Inline Image
Editing and ensure content is compliant with Accessibility Checking.
http://p.sf.net/sfu/ephox-dev2dev

On 6/12/11 6:15 PM, Roberto C. Sánchez wrote:
> On Sun, Jun 12, 2011 at 06:02:19PM -0700, Tom Eastep wrote:
>>
>> - On a fresh installation, it is preferable to omit the deprecated
>>   options. During an upgrade, however, we want to keep those options -
>>   especially if they have a non-default value.
>>
>>   Today, I modified both the 4.4.20 and 4.4.21 branches to omit the
>>   deprecated options from the .conf files (Shorewall, Shorewall6 and
>>   their samples).
>>
>> - I''m particularly uncomfortable with the idea of modifying
users''
>>   configurations during an upgrade. I prefer to make it an optional
>>   post-installation step initiated by the user.
>
> This fits with my idea of a sensible way of handling this.  From the
> Debian packaging side, if shorewall.conf contains local modifications,
> any changes in the shorewall.conf shipped with the package must be
> dealt with by the admin on upgrade.  In the event that there is no
> interactive terminal attached, the default is to keep the old
> configuration unmodified and save the packages new default configuration
> file alongside.
Agreed.

And the environment where there is no interactive terminal attached
makes me nervous about modifying the user''s configuration.
> 
> Incidentally, for users of unstable, these sorts of things tend to come
> along in bite-sized pieces.
Also agreed. I suspect that if Mr Dash Four ran Debian, he would not
have developed these scripts since the Debian upgrade process would have
made the differences between his config and the new one explicit (if he
chose to examine those differences).
> However, when doing a dist-upgrade from one stable release to another
> there are lots of changes.  For that reason I try to avoid
> gratiutious changes to configuration files.
The dist-upgrade scenario is the one that makes me most nervous about
modifying the user''s configuration. Because the user''s
configuration can
be several years out of date with respect to the version being installed.
> 
> What I plan to do, though, is to ship the config file without the
> deprecated options.  The Debian package upgrade process will make it
> relatively painless for the admin to deal with the change.  If the admin
> chooses to do nothing then things should continue to work with the older
> configuration file.
Exactly.

Thanks, Roberto

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
EditLive Enterprise is the world''s most technically advanced content
authoring tool. Experience the power of Track Changes, Inline Image
Editing and ensure content is compliant with Accessibility Checking.
http://p.sf.net/sfu/ephox-dev2dev

In case it helps, From my perspective as fedora and epel package of
shorewall, I totally concur with Roberto.

sent from my phone.


------------------------------------------------------------------------------
EditLive Enterprise is the world''s most technically advanced content
authoring tool. Experience the power of Track Changes, Inline Image
Editing and ensure content is compliant with Accessibility Checking.
http://p.sf.net/sfu/ephox-dev2dev