RC 1 is now available for testing.

Problems corrected:

1) Under rare conditions, long port lists (>15 ports) could result in the
   following failure when optimization level 4 was enabled.

   Use of uninitialized value in numeric gt (>) at /usr/share/shorewall/Shorewall/Chains.pm line 1264.
   ERROR: Internal error in Shorewall::Chains::decrement_reference_count at /usr/share/shorewall/Shorewall/Chains.pm line 1264

2) Numerous problems reported by Steven Springl.

New Features:

1) Optimize level 8 causes chains that are identical to another chain to be
   deleted, and their references are replaced by references to the other
   chain. This can lead to confusion when looking at the generated ruleset.
   For example, traffic going from the 'loc' zone to the 'dmz' zone may now
   be passing through a chain named 'wan2dmz'!

   To eliminate this confusion, the compiler now generates a synthetic name
   for the combined chains, consisting of "~comb" followed by an integer
   (e.g., "~comb1", "~comb2", etc.).

Thank you for testing,
-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Tom

A user on IRC reported an issue with kernel 3.0 where the sublevel is not
specified.

I have generated a kernel with a release name "uname -r" 3.0-shorewall

Both shorewall and shorewall6 produce the following error message:

ERROR: Unrecognized Kernel Version Format (3.0-shorewall
)

Steven.

On Jul 27, 2011, at 3:52 PM, Steven Jan Springl wrote:
> A user on IRC reported an issue with kernel 3.0 where the sublevel is not
> specified.
>
> I have generated a kernel with a release name "uname -r" 3.0-shorewall
>
> Both shorewall and shorewall6 produce the following error message:
>
> ERROR: Unrecognized Kernel Version Format (3.0-shorewall
> )

Steven,

See how the attached patch works.

Thanks,
-Tom

On Thursday 28 July 2011 00:49:44 Tom Eastep wrote:
> On Jul 27, 2011, at 3:52 PM, Steven Jan Springl wrote:
> > A user on IRC reported an issue with kernel 3.0 where the sublevel is not
> > specified.
> >
> > I have generated a kernel with a release name "uname -r" 3.0-shorewall
> >
> > Both shorewall and shorewall6 produce the following error message:
> >
> > ERROR: Unrecognized Kernel Version Format (3.0-shorewall
> > )
>
> Steven,
>
> See how the attached patch works.
>
> Thanks,
> -Tom

Tom

I have tested the patch using shorewall & shorewall6 with kernels (uname -r):

2.6.39.10
3.0.0
3.0-shorewall

The patch works in all cases.

Steven.

On Thu, 2011-07-28 at 16:07 +0100, Steven Jan Springl wrote:
> I have tested the patch using shorewall & shorewall6 with kernels (uname -r):
>
> 2.6.39.10
> 3.0.0
> 3.0-shorewall
>
> The patch works in all cases.

Thanks, Steven

-Tom

On Thursday 28 July 2011 17:00:05 Tom Eastep wrote:
> On Thu, 2011-07-28 at 16:07 +0100, Steven Jan Springl wrote:
> > I have tested the patch using shorewall & shorewall6 with kernels (uname
> > -r):
> >
> > 2.6.39.10
> > 3.0.0
> > 3.0-shorewall
> >
> > The patch works in all cases.
>
> Thanks, Steven
>
> -Tom

Tom

I missed this when doing the above testing.

"shorewall6 start" produces the following message:

Starting Shorewall6....
printf: 2276: 3.0: not completely converted

I have attached a copy of /var/lib/shorewall6/.start

The message is not produced by shorewall.

Steven.

On Thu, 2011-07-28 at 17:51 +0100, Steven Jan Springl wrote:
> I missed this when doing the above testing.
>
> "shorewall6 start" produces the following message:
>
> Starting Shorewall6....
> printf: 2276: 3.0: not completely converted
>
> I have attached a copy of /var/lib/shorewall6/.start
>
> The message is not produced by shorewall.

Steven,

This should fix it.

Thanks,
-Tom

On Thursday 28 July 2011 18:53:24 Tom Eastep wrote:
> On Thu, 2011-07-28 at 17:51 +0100, Steven Jan Springl wrote:
> > I missed this when doing the above testing.
> >
> > "shorewall6 start" produces the following message:
> >
> > Starting Shorewall6....
> > printf: 2276: 3.0: not completely converted
> >
> > I have attached a copy of /var/lib/shorewall6/.start
> >
> > The message is not produced by shorewall.
>
> Steven,
>
> This should fix it.
>
> Thanks,
> -Tom

Tom

Confirmed, the patch has fixed it.

Thanks.

Steven.

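Added example, not part of the original thread and not Shorewall's own code: a POSIX shell function that turns the release strings tested above (2.6.39.10, 3.0.0, 3.0-shorewall) into one integer, defaulting a missing sublevel to 0 so that a value like "3.0" is never handed to an integer printf conversion. The function name and the major*10000 + minor*100 + sublevel encoding are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Shorewall code. Converts a kernel release string
# (the output of `uname -r`) into one integer for numeric comparison.
# Assumption: the integer is major*10000 + minor*100 + sublevel.

# The function body is a subshell, so changing IFS and the positional
# parameters cannot leak into the caller.
kernel_version_number() (
    release=$1

    # Keep only the leading run of digits and dots:
    # "3.0-shorewall" becomes "3.0", "2.6.39.10" is unchanged.
    numeric=${release%%[!0-9.]*}

    # Split on dots. $numeric holds only digits and dots, so the
    # unquoted expansion cannot glob.
    IFS=.
    set -- $numeric

    major=${1:-}
    minor=${2:-}
    sublevel=${3:-0}    # "3.0" has no sublevel: treat it as 3.0.0

    # Accept only major.minor[.sublevel] made of plain digits; anything
    # else is reported to the caller through a non-zero exit status.
    for part in "$major" "$minor" "$sublevel"; do
        case $part in
            '' | *[!0-9]*) exit 1 ;;
        esac
    done

    printf '%d\n' "$(( $major * 10000 + $minor * 100 + $sublevel ))"
)

# Release strings taken from the thread above.
for r in 2.6.39.10 3.0.0 3.0-shorewall; do
    printf '%s -> %s\n' "$r" "$(kernel_version_number "$r")"
done
```

A caller should test the exit status and refuse to continue on failure rather than comparing against an empty string.
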
Thanks, Steven

-Tom

Sent from my iPad

Tom

If shorewall.conf does not contain an entry for TCP_FLAGS_DISPOSITION the
following message is produced:

Use of uninitialized value $val in pattern match (m//)
at /usr/share/shorewall/Shorewall/Config.pm line 3711.

This also applies to shorewall6.conf.

Steven.

On Thu, 2011-07-28 at 22:27 +0100, Steven Jan Springl wrote:
> Tom
>
> If shorewall.conf does not contain an entry for TCP_FLAGS_DISPOSITION the
> following message is produced:
>
> Use of uninitialized value $val in pattern match (m//)
> at /usr/share/shorewall/Shorewall/Config.pm line 3711.
>
> This also applies to shorewall6.conf.
>

Steven,

This seems to fix it.

Thanks,
-Tom

On Thursday 28 July 2011 23:56:14 Tom Eastep wrote:
> On Thu, 2011-07-28 at 22:27 +0100, Steven Jan Springl wrote:
> > Tom
> >
> > If shorewall.conf does not contain an entry for TCP_FLAGS_DISPOSITION the
> > following message is produced:
> >
> > Use of uninitialized value $val in pattern match (m//)
> > at /usr/share/shorewall/Shorewall/Config.pm line 3711.
> >
> > This also applies to shorewall6.conf.
>
> Steven,
>
> This seems to fix it.
>
> Thanks,
> -Tom

Tom

Confirmed, the patch fixes the issue.

Thanks.

Steven.

On Fri, 2011-07-29 at 19:16 +0100, Steven Jan Springl wrote:
> Confirmed, the patch fixes the issue.

Thanks, Steven

-Tom