Shorewall devel - Apr 2012 - Shorewall 4.5.2 RC 2

RC 2 is ready for testing.

Problems corrected:

1)  The 4.5.1 Shorewall Lite and Shorewall6 Lite installers install the
    wrong SysV init script on Debian and derivatives. That has been
    corrected.

2)  The getparams program now reads the installed shorewallrc file
    rather than ~/.shorewallrc.

3)  The ''load'' and ''reload'' now copy the
''save'' file to the correct
    remote directory. Previously, the file was always copied to
    /etc/$PRODUCT/.

4)  ?IF, ?ELSE and ?ENDIF now work within embedded Shell and Perl
    scripts.

5)  The ''shorewall6 dump'' command now reads the Shorewall
version file
    from the correct directory when $SHAREDIR != /usr/share/.

6)  An extraneous character was removed from ifupdown.sh.

Thank you for testing.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
For Developers, A Lot Can Happen In A Second.
Boundary is the first to Know...and Tell You.
Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
http://p.sf.net/sfu/Boundary-d2dvs2

Tom

The attached minimal config. produces the following error messages:

/bin/sh: Syntax error: Unterminated quoted string
   ERROR: SHELL Script failed : /etc/shorewallC1/rules (line 15)

This worked with RC1 and previous releases.

Steven.


------------------------------------------------------------------------------
For Developers, A Lot Can Happen In A Second.
Boundary is the first to Know...and Tell You.
Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
http://p.sf.net/sfu/Boundary-d2dvs2

On 04/08/2012 05:58 AM, Steven Jan Springl wrote:
> The attached minimal config. produces the following error messages:
> 
> /bin/sh: Syntax error: Unterminated quoted string
>    ERROR: SHELL Script failed : /etc/shorewallC1/rules (line 15)
> 
> This worked with RC1 and previous releases.
The attached patch seems to resolve the issue.

Thanks, Steven

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
For Developers, A Lot Can Happen In A Second.
Boundary is the first to Know...and Tell You.
Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
http://p.sf.net/sfu/Boundary-d2dvs2

On 04/08/2012 05:58 AM, Steven Jan Springl wrote:
> The attached minimal config. produces the following error messages:
> 
> /bin/sh: Syntax error: Unterminated quoted string
>    ERROR: SHELL Script failed : /etc/shorewallC1/rules (line 15)
> 
> This worked with RC1 and previous releases.
Steven,

Here is a related patch the avoids deleting leading whitespace and blank
lines in embedded Perl and Shell. Such deletion could affect multi-line
quoting.

Thanks,

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
For Developers, A Lot Can Happen In A Second.
Boundary is the first to Know...and Tell You.
Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
http://p.sf.net/sfu/Boundary-d2dvs2

Tom

I have applied both patches.

The original issue has been fixed.

--------------------------------------------------------------

When the rules file contains:

BEGIN SHELL
echo "DROP	fw	lan	tcp	80"
echo "DROP	fw	lan	tcp	81,82"
END SHELL

The following error message is produced:

ERROR: Invalid/Unknown tcp port/service (80echo) : 
SHELL@/etc/shorewallC1/rules:16 (line 1)

Steven.

------------------------------------------------------------------------------
For Developers, A Lot Can Happen In A Second.
Boundary is the first to Know...and Tell You.
Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
http://p.sf.net/sfu/Boundary-d2dvs2

On 4/8/12 9:28 AM, "Steven Jan Springl"
<steven@springl.ukfsn.org> wrote:
>
>BEGIN SHELL
>echo "DROP	fw	lan	tcp	80"
>echo "DROP	fw	lan	tcp	81,82"
>END SHELL
>
>The following error message is produced:
>
>ERROR: Invalid/Unknown tcp port/service (80echo) :
>SHELL@/etc/shorewallC1/rules:16 (line 1)
The attached patch corrects it for me.

Thanks, Steven

-Tom
You do not need a parachute to skydive. You only need a parachute to
skydive twice.





------------------------------------------------------------------------------
For Developers, A Lot Can Happen In A Second.
Boundary is the first to Know...and Tell You.
Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
http://p.sf.net/sfu/Boundary-d2dvs2

On Sunday 08 Apr 2012 19:20:15 Tom Eastep wrote:
> On 4/8/12 9:28 AM, "Steven Jan Springl"
<steven@springl.ukfsn.org> wrote:
> >BEGIN SHELL
> >echo "DROP	fw	lan	tcp	80"
> >echo "DROP	fw	lan	tcp	81,82"
> >END SHELL
> >
> >The following error message is produced:
> >
> >ERROR: Invalid/Unknown tcp port/service (80echo) :
> >SHELL@/etc/shorewallC1/rules:16 (line 1)
> 
> The attached patch corrects it for me.
> 
> Thanks, Steven
> 
> -Tom
> You do not need a parachute to skydive. You only need a parachute to
> skydive twice.
Tom

Confirmed, the patch fixes the issue.

Thanks.

Steven.

------------------------------------------------------------------------------
For Developers, A Lot Can Happen In A Second.
Boundary is the first to Know...and Tell You.
Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
http://p.sf.net/sfu/Boundary-d2dvs2

On 4/8/12 2:50 PM, "Steven Jan Springl"
<steven@springl.ukfsn.org> wrote:
>
>Confirmed, the patch fixes the issue.
Thanks, Steven

-Tom
You do not need a parachute to skydive. You only need a parachute to
skydive twice.





------------------------------------------------------------------------------
For Developers, A Lot Can Happen In A Second.
Boundary is the first to Know...and Tell You.
Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
http://p.sf.net/sfu/Boundary-d2dvs2

Tom

Rule:

SHELL  echo  "#DROP  fw  wan  tcp  80"

produces the following error messages:

/bin/sh: Syntax error: Unterminated quoted string
ERROR: SHELL Script failed : /etc/shorewallT8/rules (line 15)

Steven.

------------------------------------------------------------------------------
For Developers, A Lot Can Happen In A Second.
Boundary is the first to Know...and Tell You.
Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
http://p.sf.net/sfu/Boundary-d2dvs2

On 04/09/2012 06:56 AM, Steven Jan Springl wrote:
> Rule:
> 
> SHELL  echo  "#DROP  fw  wan  tcp  80"
> 
> produces the following error messages:
> 
> /bin/sh: Syntax error: Unterminated quoted string
> ERROR: SHELL Script failed : /etc/shorewallT8/rules (line 15)
Steven,

Doesn''t this happen on prior versions as well?

Thanks,
-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
For Developers, A Lot Can Happen In A Second.
Boundary is the first to Know...and Tell You.
Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
http://p.sf.net/sfu/Boundary-d2dvs2

On Monday 09 Apr 2012 18:13:48 Tom Eastep wrote:
> On 04/09/2012 06:56 AM, Steven Jan Springl wrote:
> > Rule:
> > 
> > SHELL  echo  "#DROP  fw  wan  tcp  80"
> > 
> > produces the following error messages:
> > 
> > /bin/sh: Syntax error: Unterminated quoted string
> > ERROR: SHELL Script failed : /etc/shorewallT8/rules (line 15)
> 
> Steven,
> 
> Doesn''t this happen on prior versions as well?
> 
> Thanks,
> -Tom
Tom

I have just tried RC1 and the problem occurs on that release also.

Steven.

------------------------------------------------------------------------------
For Developers, A Lot Can Happen In A Second.
Boundary is the first to Know...and Tell You.
Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
http://p.sf.net/sfu/Boundary-d2dvs2

On 04/09/2012 10:13 AM, Tom Eastep wrote:
> On 04/09/2012 06:56 AM, Steven Jan Springl wrote:
> 
>> Rule:
>>
>> SHELL  echo  "#DROP  fw  wan  tcp  80"
>>
>> produces the following error messages:
>>
>> /bin/sh: Syntax error: Unterminated quoted string
>> ERROR: SHELL Script failed : /etc/shorewallT8/rules (line 15)
> 
> Doesn''t this happen on prior versions as well?
The attached patch should correct this issue.

Thanks, Steven

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
For Developers, A Lot Can Happen In A Second.
Boundary is the first to Know...and Tell You.
Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
http://p.sf.net/sfu/Boundary-d2dvs2

On Monday 09 Apr 2012 19:09:28 Tom Eastep wrote:
> On 04/09/2012 10:13 AM, Tom Eastep wrote:
> > On 04/09/2012 06:56 AM, Steven Jan Springl wrote:
> >> Rule:
> >> 
> >> SHELL  echo  "#DROP  fw  wan  tcp  80"
> >> 
> >> produces the following error messages:
> >> 
> >> /bin/sh: Syntax error: Unterminated quoted string
> >> ERROR: SHELL Script failed : /etc/shorewallT8/rules (line 15)
> > 
> > Doesn''t this happen on prior versions as well?
> 
> The attached patch should correct this issue.
> 
> Thanks, Steven
> 
> -Tom
Tom

Unfortunately the patch has not worked. The messages are still produced.

Steven.

------------------------------------------------------------------------------
For Developers, A Lot Can Happen In A Second.
Boundary is the first to Know...and Tell You.
Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
http://p.sf.net/sfu/Boundary-d2dvs2

On 04/09/2012 12:35 PM, Steven Jan Springl wrote:
> On Monday 09 Apr 2012 19:09:28 Tom Eastep wrote:
>> On 04/09/2012 10:13 AM, Tom Eastep wrote:
>>> On 04/09/2012 06:56 AM, Steven Jan Springl wrote:
>>>> Rule:
>>>>
>>>> SHELL  echo  "#DROP  fw  wan  tcp  80"
>>>>
>>>> produces the following error messages:
>>>>
>>>> /bin/sh: Syntax error: Unterminated quoted string
>>>> ERROR: SHELL Script failed : /etc/shorewallT8/rules (line 15)
>>>
>>> Doesn''t this happen on prior versions as well?
>>
>> The attached patch should correct this issue.
> 
> Unfortunately the patch has not worked. The messages are still produced.
Steven,

This ''bug'' has been in the compiler for a long time. The
attached patch
(on top of the earlier one) corrects it.

Thanks,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
For Developers, A Lot Can Happen In A Second.
Boundary is the first to Know...and Tell You.
Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
http://p.sf.net/sfu/Boundary-d2dvs2

On 04/09/2012 12:55 PM, Tom Eastep wrote:
> On 04/09/2012 12:35 PM, Steven Jan Springl wrote:
>> On Monday 09 Apr 2012 19:09:28 Tom Eastep wrote:
>>> On 04/09/2012 10:13 AM, Tom Eastep wrote:
>>>> On 04/09/2012 06:56 AM, Steven Jan Springl wrote:
>>>>> Rule:
>>>>>
>>>>> SHELL  echo  "#DROP  fw  wan  tcp  80"
>>>>>
>>>>> produces the following error messages:
>>>>>
>>>>> /bin/sh: Syntax error: Unterminated quoted string
>>>>> ERROR: SHELL Script failed : /etc/shorewallT8/rules (line
15)
>>>>
>>>> Doesn''t this happen on prior versions as well?
>>>
>>> The attached patch should correct this issue.
>>
>> Unfortunately the patch has not worked. The messages are still
produced.
> 
> Steven,
> 
> This ''bug'' has been in the compiler for a long time. The
attached patch
> (on top of the earlier one) corrects it.
The fix may have a defect -- I''m seeing differences in the generated
ruleset while running regression tests.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
For Developers, A Lot Can Happen In A Second.
Boundary is the first to Know...and Tell You.
Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
http://p.sf.net/sfu/Boundary-d2dvs2

On Monday 09 Apr 2012 21:56:57 Tom Eastep wrote:
> On 04/09/2012 12:55 PM, Tom Eastep wrote:
> > On 04/09/2012 12:35 PM, Steven Jan Springl wrote:
> >> On Monday 09 Apr 2012 19:09:28 Tom Eastep wrote:
> >>> On 04/09/2012 10:13 AM, Tom Eastep wrote:
> >>>> On 04/09/2012 06:56 AM, Steven Jan Springl wrote:
> >>>>> Rule:
> >>>>> 
> >>>>> SHELL  echo  "#DROP  fw  wan  tcp  80"
> >>>>> 
> >>>>> produces the following error messages:
> >>>>> 
> >>>>> /bin/sh: Syntax error: Unterminated quoted string
> >>>>> ERROR: SHELL Script failed : /etc/shorewallT8/rules
(line 15)
> >>>> 
> >>>> Doesn''t this happen on prior versions as well?
> >>> 
> >>> The attached patch should correct this issue.
> >> 
> >> Unfortunately the patch has not worked. The messages are still
produced.
> > 
> > Steven,
> > 
> > This ''bug'' has been in the compiler for a long time.
The attached patch
> > (on top of the earlier one) corrects it.
> 
> The fix may have a defect -- I''m seeing differences in the
generated
> ruleset while running regression tests.
> 
> -Tom
Tom

I can confirm the patch resolves the issue. However it does cause a futher 
problem. Rule:

{ACTION=DROP  SOURCE=fw  DEST=lan  PROTO=udp}  #

produces the following error message:

ERROR: Unknown ACTION ({ACTION=DROP) : /etc/shorewallT8/rules (line 17)

Steven

------------------------------------------------------------------------------
For Developers, A Lot Can Happen In A Second.
Boundary is the first to Know...and Tell You.
Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
http://p.sf.net/sfu/Boundary-d2dvs2

On 04/09/2012 01:56 PM, Tom Eastep wrote:
> 
> The fix may have a defect -- I''m seeing differences in the
generated
> ruleset while running regression tests.
> 
Steven,

The problem turned out to be ''first-entry'' processing. That
was
happening before the first non-omitted non-commentary entry in a file
was found. Corrected by the attached patch.

Thanks,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
For Developers, A Lot Can Happen In A Second.
Boundary is the first to Know...and Tell You.
Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
http://p.sf.net/sfu/Boundary-d2dvs2

On 04/09/2012 02:33 PM, Steven Jan Springl wrote:
> 
> I can confirm the patch resolves the issue. However it does cause a futher 
> problem. Rule:
> 
> {ACTION=DROP  SOURCE=fw  DEST=lan  PROTO=udp}  #
> 
> produces the following error message:
> 
> ERROR: Unknown ACTION ({ACTION=DROP) : /etc/shorewallT8/rules (line 17)
Steven,

I''m not seeing that behavior -- is this re-producible after applying
the
last patch I sent (SINGLELINE2.patch)?

Thanks,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
For Developers, A Lot Can Happen In A Second.
Boundary is the first to Know...and Tell You.
Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
http://p.sf.net/sfu/Boundary-d2dvs2

On Monday 09 Apr 2012 22:40:30 Tom Eastep wrote:
> On 04/09/2012 01:56 PM, Tom Eastep wrote:
> > The fix may have a defect -- I''m seeing differences in the
generated
> > ruleset while running regression tests.
> 
> Steven,
> 
> The problem turned out to be ''first-entry'' processing.
That was
> happening before the first non-omitted non-commentary entry in a file
> was found. Corrected by the attached patch.
> 
> Thanks,
> -Tom
Tom

Confirmed, the patch fixes the issue and my last reported issue also.

Thanks

Steven.

------------------------------------------------------------------------------
For Developers, A Lot Can Happen In A Second.
Boundary is the first to Know...and Tell You.
Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
http://p.sf.net/sfu/Boundary-d2dvs2

On 04/09/2012 02:48 PM, Steven Jan Springl wrote:
> 
> Confirmed, the patch fixes the issue and my last reported issue also.
> 
Thanks, Steven

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
For Developers, A Lot Can Happen In A Second.
Boundary is the first to Know...and Tell You.
Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
http://p.sf.net/sfu/Boundary-d2dvs2

Tom

In the attached config. accounting entry:

RPFILTER:COUNT  -  -  eth0

generates the following iptables rule:

-A INPUT -o eth0 -j RPFILTER

which produces the following error message:

iptables-restore v1.4.13: Can''t use -o with INPUT

Additionally accounting entry:

RPFILTER:COUNT  -  eth0  -

generates the following iptables rule:

-A OUTPUT -i eth0 -j RPFILTER

which produces the following error message:

ptables-restore v1.4.13: Can''t use -i with OUTPUT

Note, neither of these errors occur if OPTIMIZE=0 is specified.

Steven.


------------------------------------------------------------------------------
For Developers, A Lot Can Happen In A Second.
Boundary is the first to Know...and Tell You.
Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
http://p.sf.net/sfu/Boundary-d2dvs2

On 4/9/12 3:14 PM, "Steven Jan Springl"
<steven@springl.ukfsn.org> wrote:
>Tom
>
>In the attached config. accounting entry:
>
>RPFILTER:COUNT  -  -  eth0
>
>generates the following iptables rule:
>
>-A INPUT -o eth0 -j RPFILTER
>
>which produces the following error message:
>
>iptables-restore v1.4.13: Can''t use -o with INPUT
>
>Additionally accounting entry:
>
>RPFILTER:COUNT  -  eth0  -
>
>generates the following iptables rule:
>
>-A OUTPUT -i eth0 -j RPFILTER
>
>which produces the following error message:
>
>ptables-restore v1.4.13: Can''t use -i with OUTPUT
>
>Note, neither of these errors occur if OPTIMIZE=0 is specified.
Steven,

If we make any change here, it will be in the documentation. The entire
reason for adding sections to the accounting file was to be able to detect
this particular issue.

-Tom
You do not need a parachute to skydive. You only need a parachute to
skydive twice.





------------------------------------------------------------------------------
For Developers, A Lot Can Happen In A Second.
Boundary is the first to Know...and Tell You.
Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
http://p.sf.net/sfu/Boundary-d2dvs2

On Tuesday 10 Apr 2012 00:32:08 Tom Eastep wrote:
> On 4/9/12 3:14 PM, "Steven Jan Springl"
<steven@springl.ukfsn.org> wrote:
> >Tom
> >
> >In the attached config. accounting entry:
> >
> >RPFILTER:COUNT  -  -  eth0
> >
> >generates the following iptables rule:
> >
> >-A INPUT -o eth0 -j RPFILTER
> >
> >which produces the following error message:
> >
> >iptables-restore v1.4.13: Can''t use -o with INPUT
> >
> >Additionally accounting entry:
> >
> >RPFILTER:COUNT  -  eth0  -
> >
> >generates the following iptables rule:
> >
> >-A OUTPUT -i eth0 -j RPFILTER
> >
> >which produces the following error message:
> >
> >ptables-restore v1.4.13: Can''t use -i with OUTPUT
> >
> >Note, neither of these errors occur if OPTIMIZE=0 is specified.
> 
> Steven,
> 
> If we make any change here, it will be in the documentation. The entire
> reason for adding sections to the accounting file was to be able to detect
> this particular issue.
> 
Tom

I happy with that.

Thanks.

Steven.

------------------------------------------------------------------------------
For Developers, A Lot Can Happen In A Second.
Boundary is the first to Know...and Tell You.
Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
http://p.sf.net/sfu/Boundary-d2dvs2

On 4/9/12 4:32 PM, "Tom Eastep" <teastep@shorewall.net> wrote:
>On 4/9/12 3:14 PM, "Steven Jan Springl"
<steven@springl.ukfsn.org> wrote:
>
>>Tom
>>
>>In the attached config. accounting entry:
>>
>>RPFILTER:COUNT  -  -  eth0
>>
>>generates the following iptables rule:
>>
>>-A INPUT -o eth0 -j RPFILTER
>>
>>which produces the following error message:
>>
>>iptables-restore v1.4.13: Can''t use -o with INPUT
>>
>>Additionally accounting entry:
>>
>>RPFILTER:COUNT  -  eth0  -
>>
>>generates the following iptables rule:
>>
>>-A OUTPUT -i eth0 -j RPFILTER
>>
>>which produces the following error message:
>>
>>ptables-restore v1.4.13: Can''t use -i with OUTPUT
>>
>>Note, neither of these errors occur if OPTIMIZE=0 is specified.
>
>Steven,
>
>If we make any change here, it will be in the documentation. The entire
>reason for adding sections to the accounting file was to be able to detect
>this particular issue.
I realized that this may be something that was broken in this release.
Please verify with the attached patch.

Thanks, Steven 

-Tom
You do not need a parachute to skydive. You only need a parachute to
skydive twice.





------------------------------------------------------------------------------
Better than sec? Nothing is better than sec when it comes to
monitoring Big Data applications. Try Boundary one-second 
resolution app monitoring today. Free.
http://p.sf.net/sfu/Boundary-dev2dev

On 4/9/12 5:03 PM, "Tom Eastep" <teastep@shorewall.net> wrote:
>On 4/9/12 4:32 PM, "Tom Eastep" <teastep@shorewall.net>
wrote:
>
>>On 4/9/12 3:14 PM, "Steven Jan Springl"
<steven@springl.ukfsn.org> wrote:
>>
>>>Tom
>>>
>>>In the attached config. accounting entry:
>>>
>>>RPFILTER:COUNT  -  -  eth0
>>>
>>>generates the following iptables rule:
>>>
>>>-A INPUT -o eth0 -j RPFILTER
>>>
>>>which produces the following error message:
>>>
>>>iptables-restore v1.4.13: Can''t use -o with INPUT
>>>
>>>Additionally accounting entry:
>>>
>>>RPFILTER:COUNT  -  eth0  -
>>>
>>>generates the following iptables rule:
>>>
>>>-A OUTPUT -i eth0 -j RPFILTER
>>>
>>>which produces the following error message:
>>>
>>>ptables-restore v1.4.13: Can''t use -i with OUTPUT
>>>
>>>Note, neither of these errors occur if OPTIMIZE=0 is specified.
>>
>>Steven,
>>
>>If we make any change here, it will be in the documentation. The entire
>>reason for adding sections to the accounting file was to be able to
>>detect
>>this particular issue.
>
>I realized that this may be something that was broken in this release.
>Please verify with the attached patch.
Steven,

Please try this patch instead. I don''t think this was broken in this
release but it seems to avoid all accounting rule optimization when
OPTIMIZE_ACCOUNTING=No.

-Tom
You do not need a parachute to skydive. You only need a parachute to
skydive twice.





------------------------------------------------------------------------------
Better than sec? Nothing is better than sec when it comes to
monitoring Big Data applications. Try Boundary one-second 
resolution app monitoring today. Free.
http://p.sf.net/sfu/Boundary-dev2dev

On 4/9/12 6:06 PM, "Tom Eastep" <teastep@shorewall.net> wrote:
>On 4/9/12 5:03 PM, "Tom Eastep" <teastep@shorewall.net>
wrote:
>
>>On 4/9/12 4:32 PM, "Tom Eastep" <teastep@shorewall.net>
wrote:
>>
>>>On 4/9/12 3:14 PM, "Steven Jan Springl"
<steven@springl.ukfsn.org>
>>>wrote:
>>>
>>>>Tom
>>>>
>>>>In the attached config. accounting entry:
>>>>
>>>>RPFILTER:COUNT  -  -  eth0
>>>>
>>>>generates the following iptables rule:
>>>>
>>>>-A INPUT -o eth0 -j RPFILTER
>>>>
>>>>which produces the following error message:
>>>>
>>>>iptables-restore v1.4.13: Can''t use -o with INPUT
>>>>
>>>>Additionally accounting entry:
>>>>
>>>>RPFILTER:COUNT  -  eth0  -
>>>>
>>>>generates the following iptables rule:
>>>>
>>>>-A OUTPUT -i eth0 -j RPFILTER
>>>>
>>>>which produces the following error message:
>>>>
>>>>ptables-restore v1.4.13: Can''t use -i with OUTPUT
>>>>
>>>>Note, neither of these errors occur if OPTIMIZE=0 is specified.
>>>
>>>Steven,
>>>
>>>If we make any change here, it will be in the documentation. The
entire
>>>reason for adding sections to the accounting file was to be able to
>>>detect
>>>this particular issue.
>>
>>I realized that this may be something that was broken in this release.
>>Please verify with the attached patch.
>
>Steven,
>
>Please try this patch instead.
Patch attached this time.

-Tom
You do not need a parachute to skydive. You only need a parachute to
skydive twice.





------------------------------------------------------------------------------
Better than sec? Nothing is better than sec when it comes to
monitoring Big Data applications. Try Boundary one-second 
resolution app monitoring today. Free.
http://p.sf.net/sfu/Boundary-dev2dev

> >
> >Steven,
> >
> >Please try this patch instead.
> 
> Patch attached this time.
> 
> -Tom
> You do not need a parachute to skydive. You only need a parachute to
> skydive twice.
Tom

Confirmed, OPTIMIZE_ACCOUNTING now works.

I have finished my testing of RC2.

Steven.

------------------------------------------------------------------------------
Better than sec? Nothing is better than sec when it comes to
monitoring Big Data applications. Try Boundary one-second 
resolution app monitoring today. Free.
http://p.sf.net/sfu/Boundary-dev2dev

On 04/10/2012 04:26 AM, Steven Jan Springl wrote:
>
> 
> Confirmed, OPTIMIZE_ACCOUNTING now works.
> 
> I have finished my testing of RC2.
Thank you, Steven

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Better than sec? Nothing is better than sec when it comes to
monitoring Big Data applications. Try Boundary one-second 
resolution app monitoring today. Free.
http://p.sf.net/sfu/Boundary-dev2dev