Tom

If tcrules contains the following entry:

1:130:P 10.1.1.0/24 eth0

shorewall debug start produces the following messages:

iptables: Invalid argument. Run `dmesg' for more information.

ERROR: Command "/usr/local/sbin/iptables -A PREROUTING -s 10.1.1.0/24 -d 192.168.0.0/24 -j CLASSIFY --set-class 1:130" Failed

dmesg produces the following message:

[ 2927.689744] x_tables: ip_tables: CLASSIFY target: used from hooks PREROUTING, but only usable from FORWARD/OUTPUT/POSTROUTING

Steven.

------------------------------------------------------------------------------
Ridiculously easy VDI. With Citrix VDI-in-a-Box, you don't need a complex infrastructure or vast IT resources to deliver seamless, secure access to virtual desktops. With this all-in-one solution, easily deploy virtual desktops for less than the cost of PCs and save 60% on VDI infrastructure costs. Try it free! http://p.sf.net/sfu/Citrix-VDIinabox
On Wed, 2011-12-28 at 20:13 +0000, Steven Jan Springl wrote:
> If tcrules contains the following entry:
>
> 1:130:P 10.1.1.0/24 eth0
>
> shorewall debug start produces the following messages:
>
> iptables: Invalid argument. Run `dmesg' for more information.
>
> ERROR: Command "/usr/local/sbin/iptables -A PREROUTING -s 10.1.1.0/24 -d
> 192.168.0.0/24 -j CLASSIFY --set-class 1:130" Failed
>
> dmesg produces the following message:
>
> [ 2927.689744] x_tables: ip_tables: CLASSIFY target: used from hooks
> PREROUTING, but only usable from FORWARD/OUTPUT/POSTROUTING

Okay -- I'll eliminate the 'P' choice from the code and documentation.

Thanks, Steven

-Tom

PS -- please let me know when you have finished RC2 testing.

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On Wednesday 28 Dec 2011 22:00:26 Tom Eastep wrote:
> On Wed, 2011-12-28 at 20:13 +0000, Steven Jan Springl wrote:
> > If tcrules contains the following entry:
> >
> > 1:130:P 10.1.1.0/24 eth0
> >
> > shorewall debug start produces the following messages:
> >
> > iptables: Invalid argument. Run `dmesg' for more information.
> >
> > ERROR: Command "/usr/local/sbin/iptables -A PREROUTING -s 10.1.1.0/24 -d
> > 192.168.0.0/24 -j CLASSIFY --set-class 1:130" Failed
> >
> > dmesg produces the following message:
> >
> > [ 2927.689744] x_tables: ip_tables: CLASSIFY target: used from hooks
> > PREROUTING, but only usable from FORWARD/OUTPUT/POSTROUTING
>
> Okay -- I'll eliminate the 'P' choice from the code and documentation.
>
> Thanks, Steven
>
> -Tom
>
> PS -- please let me know when you have finished RC2 testing.

Tom

I have done some further testing of ':P' and ':F' and have found that:

':F' produces an iptables error if DEST is fw.

':P' produces an iptables error if DEST is fw.

':P' produces an iptables error if SOURCE is not fw.

Steven.
On Dec 28, 2011, at 2:46 PM, Steven Jan Springl wrote:
> On Wednesday 28 Dec 2011 22:00:26 Tom Eastep wrote:
>> On Wed, 2011-12-28 at 20:13 +0000, Steven Jan Springl wrote:
>>> If tcrules contains the following entry:
>>>
>>> 1:130:P 10.1.1.0/24 eth0
>>>
>>> shorewall debug start produces the following messages:
>>>
>>> iptables: Invalid argument. Run `dmesg' for more information.
>>>
>>> ERROR: Command "/usr/local/sbin/iptables -A PREROUTING -s 10.1.1.0/24 -d
>>> 192.168.0.0/24 -j CLASSIFY --set-class 1:130" Failed
>>>
>>> dmesg produces the following message:
>>>
>>> [ 2927.689744] x_tables: ip_tables: CLASSIFY target: used from hooks
>>> PREROUTING, but only usable from FORWARD/OUTPUT/POSTROUTING
>>
>> Okay -- I'll eliminate the 'P' choice from the code and documentation.
>>
>> Thanks, Steven
>>
>> -Tom
>>
>> PS -- please let me know when you have finished RC2 testing.
>
> Tom
>
> I have done some further testing of ':P' and ':F' and have found that:
>
> ':F' produces an iptables error if DEST is fw.
>
> ':P' produces an iptables error if DEST is fw.
>
> ':P' produces an iptables error if SOURCE is not fw.

Steven,

I'll look at this in the morning.

-Tom

Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On Wed, 2011-12-28 at 22:46 +0000, Steven Jan Springl wrote:
> I have done some further testing of ':P' and ':F' and have found that:
>
> ':F' produces an iptables error if DEST is fw.
>
> ':P' produces an iptables error if DEST is fw.
>
> ':P' produces an iptables error if SOURCE is not fw.

Steven,

This patch eliminates ':P' and complains if :F is used when the SOURCE or DEST is $FW.

Thanks,
-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On Thursday 29 Dec 2011 16:05:18 Tom Eastep wrote:
> On Wed, 2011-12-28 at 22:46 +0000, Steven Jan Springl wrote:
> > I have done some further testing of ':P' and ':F' and have found that:
> >
> > ':F' produces an iptables error if DEST is fw.
> >
> > ':P' produces an iptables error if DEST is fw.
> >
> > ':P' produces an iptables error if SOURCE is not fw.
>
> Steven,
>
> This patch eliminates ':P' and complains if :F is used when the SOURCE
> or DEST is $FW.
>
> Thanks,
> -Tom

Tom

The patch fixes the above issues.

However, if DEST contains fw and an IP address e.g.

1:130:F 10.1.1.0/24 fw:1.1.1.1

the iptables error still occurs.

My testing indicated that specifying a source of fw is valid for :F. Should Shorewall not allow this?

Steven.
On Thu, 2011-12-29 at 20:12 +0000, Steven Jan Springl wrote:
> The patch fixes the above issues.
>
> However, if DEST contains fw and an IP address e.g.
>
> 1:130:F 10.1.1.0/24 fw:1.1.1.1
>
> the iptables error still occurs.
>
> My testing indicated that specifying a source of fw is valid for :F.
> Should Shorewall not allow this?

Steven,

No. Traffic that originates on the firewall does not traverse the FORWARD chain. The reason that it was previously working for you is that the compiler was silently substituting OUTPUT for FORWARD. Now it is generating an error.

Thanks,
-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On Thu, 2011-12-29 at 13:18 -0800, Tom Eastep wrote:
> On Thu, 2011-12-29 at 20:12 +0000, Steven Jan Springl wrote:
> > The patch fixes the above issues.
> >
> > However, if DEST contains fw and an IP address e.g.
> >
> > 1:130:F 10.1.1.0/24 fw:1.1.1.1
> >
> > the iptables error still occurs.
> >
> > My testing indicated that specifying a source of fw is valid for :F.
> > Should Shorewall not allow this?
>
> Steven,
>
> No. Traffic that originates on the firewall does not traverse the
> FORWARD chain. The reason that it was previously working for you is that
> the compiler was silently substituting OUTPUT for FORWARD. Now it is
> generating an error.

I believe that this patch catches all cases that should not be supported.

Thanks, Steven

-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
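The constraint the thread converges on (CLASSIFY is only valid in the FORWARD, OUTPUT and POSTROUTING hooks, and traffic to or from the firewall itself never traverses FORWARD) as a small tcrules pre-check. This is an added illustration, not Shorewall's compiler code; it assumes only the :P and :F designators discussed above and the 'fw', '$FW' and 'fw:addr' spellings of the firewall endpoint.

```python
import re

# Hooks in which the iptables CLASSIFY target may be used, taken from the
# kernel message quoted in the thread.
CLASSIFY_HOOKS = {"FORWARD", "OUTPUT", "POSTROUTING"}

# Chain designators discussed in the thread (assumption: only these two);
# the suffix follows the class id in the MARK column, e.g. "1:130:F".
DESIGNATORS = {"P": "PREROUTING", "F": "FORWARD"}

CLASS_RE = re.compile(r"^(\d+):(\d+)(?::([A-Z]+))?$")


def is_firewall(endpoint):
    """True when a SOURCE or DEST column names the firewall itself:
    'fw', '$FW', or the 'fw:addr' form from the thread."""
    return endpoint.split(":", 1)[0] in ("fw", "$FW")


def check_tcrule(entry):
    """Check one tcrules line 'MARK SOURCE DEST ...'.

    Returns (True, chain) when the CLASSIFY rule can load, or
    (False, reason) when the kernel would reject it or it could never
    match the traffic it names."""
    fields = entry.split()
    if len(fields) < 3:
        return False, "need at least MARK, SOURCE and DEST columns"
    mark, source, dest = fields[0], fields[1], fields[2]
    m = CLASS_RE.match(mark)
    if not m:
        return False, "MARK %r is not a CLASSIFY major:minor[:designator]" % mark
    designator = m.group(3)
    if designator is None:
        # No designator: the compiler picks the chain (not covered here).
        return True, "compiler-selected"
    if designator not in DESIGNATORS:
        return False, "unknown chain designator %r" % designator
    chain = DESIGNATORS[designator]
    if chain not in CLASSIFY_HOOKS:
        # The :P case: the kernel refuses CLASSIFY in PREROUTING.
        return False, "CLASSIFY target is not usable from %s" % chain
    if chain == "FORWARD" and (is_firewall(source) or is_firewall(dest)):
        # The :F case with $FW on either side: such traffic never
        # traverses FORWARD, so refuse the rule instead of silently
        # substituting OUTPUT as the earlier compiler did.
        return False, "traffic to/from the firewall does not traverse FORWARD"
    return True, chain
```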
On Friday 30 Dec 2011 15:23:59 Tom Eastep wrote:
> On Thu, 2011-12-29 at 13:18 -0800, Tom Eastep wrote:
> > On Thu, 2011-12-29 at 20:12 +0000, Steven Jan Springl wrote:
> > > The patch fixes the above issues.
> > >
> > > However, if DEST contains fw and an IP address e.g.
> > >
> > > 1:130:F 10.1.1.0/24 fw:1.1.1.1
> > >
> > > the iptables error still occurs.
> > >
> > > My testing indicated that specifying a source of fw is valid for :F.
> > > Should Shorewall not allow this?
> >
> > Steven,
> >
> > No. Traffic that originates on the firewall does not traverse the
> > FORWARD chain. The reason that it was previously working for you is that
> > the compiler was silently substituting OUTPUT for FORWARD. Now it is
> > generating an error.
>
> I believe that this patch catches all cases that should not be
> supported.
>
> Thanks, Steven
>
> -Tom

Tom

Confirmed, the patch fixes the issue.

I have completed my testing.

Thanks.

Steven.
On Fri, 2011-12-30 at 15:55 +0000, Steven Jan Springl wrote:
> Confirmed, the patch fixes the issue.
>
> I have completed my testing.

Thank you, Steven

-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________