Beta 3 is now available for testing.

In this release:

1. The contents of the NET2 column of the Shorewall6 netmap file are now validated by the compiler. Previously, they were not validated, which could cause iptables-restore to fail.

2. Support has been added for 'condition match'. Condition match is available from xtables-addons and implements the ability to have "switches" (conditions) that can be turned on and off in /proc/net/nf_condition/<condition name>.

   To support condition match, a CONDITION column has been added to the rules file. The contents of that column is the name of a condition; Shorewall requires that condition names begin with a letter and be composed of letters, numbers or '_'.

Thank you for testing,
-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
shorewall.net        \________________________________________________

------------------------------------------------------------------------------
All of the data generated in your IT infrastructure is seriously valuable. Why? It contains a definitive record of application performance, security threats, fraudulent activity, and more. Splunk takes this data and makes sense of it. IT sense. And common sense. p.sf.net/sfu/splunk-d2dcopy2
Tom

'shorewall show capabilities' indicates that condition match is available.

If I create a capabilities, shorewall allows a condition name to be specified.

If the capabilities file does not exist, specifying a condition name produces the following message:

ERROR: A non-empty CONDITION column requires Condition Match in your kernel and iptables : /etc/shorewallT6/rules (line 16)

----------------------------------------------------------------------------------------------------------------------------

The rules manual page indicates that inversion may be used in the condition column.

Specifying !telnet in the condition column produces the following message:

ERROR: Invalid condition name (!telnet) : /etc/shorewallT6/rules (line 16)

Steven.
On Fri, 2011-09-23 at 22:44 +0100, Steven Jan Springl wrote:
> 'shorewall show capabilities' indicates that condition match is available.
>
> If I create a capabilities, shorewall allows a condition name to be specified.
>
> If the capabilities file does not exist, specifying a condition name produces
> the following message:
>
> ERROR: A non-empty CONDITION column requires Condition Match in your kernel
> and iptables : /etc/shorewallT6/rules (line 16)
>
> ----------------------------------------------------------------------------------------------------------------------------
>
> The rules manual page indicates that inversion may be used in the condition
> column.
>
> Specifying !telnet in the condition column produces the following message:
>
> ERROR: Invalid condition name (!telnet) : /etc/shorewallT6/rules (line 16)

Steven,

The attached patch and module should fix these. I'm including the entire Chains module because I've renamed the CONDITION column to SWITCH and a patch would not apply cleanly to your copy of the module.

Thanks,
-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
shorewall.net        \________________________________________________
On Fri, 2011-09-23 at 22:44 +0100, Steven Jan Springl wrote:
> Tom
>
> 'shorewall show capabilities' indicates that condition match is available.
>
> If I create a capabilities, shorewall allows a condition name to be specified.
>
> If the capabilities file does not exist, specifying a condition name produces
> the following message:
>
> ERROR: A non-empty CONDITION column requires Condition Match in your kernel
> and iptables : /etc/shorewallT6/rules (line 16)
>
> ----------------------------------------------------------------------------------------------------------------------------
>
> The rules manual page indicates that inversion may be used in the condition
> column.
>
> Specifying !telnet in the condition column produces the following message:
>
> ERROR: Invalid condition name (!telnet) : /etc/shorewallT6/rules (line 16)
>

Steven,

Here's a patch for the first problem. I'm sending you the Chains.pm module by private mail. I've renamed the CONDITION column to SWITCH and a patch to fix the second problem won't apply to your version.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
shorewall.net        \________________________________________________
On Friday 23 September 2011 23:30:00 Tom Eastep wrote:
> On Fri, 2011-09-23 at 22:44 +0100, Steven Jan Springl wrote:
> > Tom
> >
> > 'shorewall show capabilities' indicates that condition match is
> > available.
> >
> > If I create a capabilities, shorewall allows a condition name to be
> > specified.
> >
> > If the capabilities file does not exist, specifying a condition name
> > produces the following message:
> >
> > ERROR: A non-empty CONDITION column requires Condition Match in your
> > kernel and iptables : /etc/shorewallT6/rules (line 16)
> >
> > -------------------------------------------------------------------------
> > ---------------------------------------------------
> >
> > The rules manual page indicates that inversion may be used in the
> > condition column.
> >
> > Specifying !telnet in the condition column produces the following
> > message:
> >
> > ERROR: Invalid condition name (!telnet) : /etc/shorewallT6/rules (line
> > 16)
>
> Steven,
>
> Here's a patch for the first problem. I'm sending you the Chains.pm
> module by private mail. I've renamed the CONDITION column to SWITCH and
> a patch to fix the second problem won't apply to your version.
>
> -Tom

Tom

Confirmed, both problems are fixed.

Thanks.

Steven.
Tom

If a switch name is greater than 30 characters, the following error message is produced:

iptables-restore v1.4.12.1: File name too long

Steven.
On Sep 23, 2011, at 4:08 PM, Steven Jan Springl wrote:
> If a switch name is greater than 30 characters, the following error message is
> produced:
>
> iptables-restore v1.4.12.1: File name too long

Steven,

This patch should catch long switch names.

Thanks,
-Tom

Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
shorewall.net        \________________________________________________
On Fri, 2011-09-23 at 20:40 -0700, Tom Eastep wrote:
> On Sep 23, 2011, at 4:08 PM, Steven Jan Springl wrote:
>
> > If a switch name is greater than 30 characters, the following error message is
> > produced:
> >
> > iptables-restore v1.4.12.1: File name too long
>
> Steven,
>
> This patch should catch long switch names.
>

Steven,

Please note that the patch limits switch names to 29 characters; I've changed that to 30 in my tree.

Thanks,
-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
shorewall.net        \________________________________________________
On Saturday 24 September 2011 15:21:41 Tom Eastep wrote:
> On Fri, 2011-09-23 at 20:40 -0700, Tom Eastep wrote:
> > On Sep 23, 2011, at 4:08 PM, Steven Jan Springl wrote:
> > > If a switch name is greater than 30 characters, the following error
> > > message is produced:
> > >
> > > iptables-restore v1.4.12.1: File name too long
> >
> > Steven,
> >
> > This patch should catch long switch names.
>
> Steven,
>
> Please note that the patch limits switch names to 29 characters; I've
> changed that to 30 in my tree.
>
> Thanks,
> -Tom

Tom

Confirmed, the patch solves the problem.

Thanks.

Steven.
On Sat, 2011-09-24 at 15:41 +0100, Steven Jan Springl wrote:
>
> Confirmed, the patch solves the problem.
>

Thanks, Steven

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
shorewall.net        \________________________________________________
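As an added example (not Shorewall's own code, which is Perl), a small Python validator for the SWITCH/CONDITION column applying the rules settled across this thread: a name must start with a letter and contain only letters, digits or '_', a leading '!' inverts the match, names longer than 30 characters are rejected before iptables-restore can fail with "File name too long", and a non-empty column is refused when Condition Match is not available. The '-' placeholder for an empty column, the wording of the long-name error and the '-m condition [!] --condition NAME' argv form from xtables-addons are assumptions.

```python
import re

# Assumed limit: the thread settled on 30 characters for a switch name
# (longer names make iptables-restore fail with "File name too long").
MAX_SWITCH_LEN = 30
# Shorewall's stated rule: a letter, then letters, digits or '_'.
SWITCH_RE = re.compile(r'^[A-Za-z][A-Za-z0-9_]*$')


def validate_switch(column, have_condition_match=True):
    """Parse one SWITCH/CONDITION column value into (name, inverted).

    Returns None for an empty column ('' or the '-' placeholder, an assumed
    convention); raises ValueError with a Shorewall-style message otherwise.
    """
    value = column.strip()
    if value in ('', '-'):
        return None
    if not have_condition_match:
        raise ValueError('A non-empty CONDITION column requires Condition '
                         'Match in your kernel and iptables')
    inverted = value.startswith('!')          # '!name' inverts the match
    name = value[1:] if inverted else value
    if not SWITCH_RE.match(name):
        raise ValueError('Invalid condition name (%s)' % value)
    if len(name) > MAX_SWITCH_LEN:
        raise ValueError('Condition name longer than %d characters (%s)'
                         % (MAX_SWITCH_LEN, value))
    return name, inverted


def condition_match(column, have_condition_match=True):
    """iptables argv fragment for the column ('-m condition [!] --condition
    NAME', the xtables-addons form), or [] for an empty column."""
    parsed = validate_switch(column, have_condition_match)
    if parsed is None:
        return []
    name, inverted = parsed
    return ['-m', 'condition'] + (['!'] if inverted else []) + ['--condition', name]


def check_rules(columns, have_condition_match=True):
    """Check a list of column values and return 'ERROR: ... (line N)' strings,
    mirroring the compiler's message format."""
    errors = []
    for lineno, column in enumerate(columns, start=1):
        try:
            condition_match(column, have_condition_match)
        except ValueError as exc:
            errors.append('ERROR: %s : rules (line %d)' % (exc, lineno))
    return errors
```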