Shorewall devel - Nov 2012 - various bugs and suggestions (v4.5.9+)

All of these are for v4.5.9 and (possibly) above:

1. Upon execution of "shorewall compile [file]" the following leftover
exist in the RAW table:

Chain fooXNNNNNN (0 references)
 pkts bytes target     prot opt in     out     source               
destination        
    0     0 CT         all  --  *      *       0.0.0.0/0            
0.0.0.0/0            CT notrack
    0     0 CT         all  --  *      *       0.0.0.0/0            
0.0.0.0/0            CT notrack

If I execute "shorewall compile [file]" 20 times, I will have 20 
different chains called "fooXNNNNN" in my raw table.

2. "-r" and "-T" shorewall update options are not
documented.

3. Upon startup, I get the following group of messages:

shorewall[889]:    Priority of the eth0 tcp-ack filter is 266
shorewall[889]:    Priority of the <all other net devices defined and 
used in tcclasses> tcp-ack filter is 266

in tcclasses I have the following, which, to my understanding, is 
correct (e:10 refers to eth0, class number 10):
e:10 - 10*full/100 full 1 tcp-ack

I have similar arrangement for all other interfaces. So, why is the 
allocated priority 266 instead of what I specified (1)?

4. NFLOG ACTION statement not recognised by shorewall.

According to "man shorewall-rules", I can include NFLOG in the ACTION 
column (in a similar fashion as I specify "ACCEPT", "DROP",
"LOG" etc).
This ain''t so:

/etc/shorewall/rules
~~~~~~~~~~~~~~~~~~~~
NFLOG(1,0,1)

gives me "ERROR: Unknown ACTION (NFLOG(1,0,1))". I suffer a similar 
faith if I wish to include the same statement as part of action or a 
macro. Why?

5. LOG action seems to be ignored when used in a user-defined action:

/etc/shorewall/actions
~~~~~~~~~~~~~~~~~~~~~~
C_ACTION    # whatever

/etc/shorewall/action.C_ACTION
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
LOG

/etc/shorewall/policy
~~~~~~~~~~~~~~~~~~~~~
$FW net DROP:C_ACTION info

produces this:

*filter
[...]
:C_ACTION - [0:0]
[...]
-A fw2net -j C_ACTION
-A fw2net -j LOG --log-level 6 --log-prefix "Shorewall:fw2net:DROP:"
-A fw2net -j DROP

C_ACTION is empty, but it is supposed to contain a single LOG jump or 
give me an error if such log level is not specified. Same goes if I have 
this in my rules file:

C_ACTION $FW net

The above two bugs make it impossible to define a separate (custom) 
action or a macro, incorporating logging of a packet to multiple 
(different) destinations/targets - either via the standard LOG target or 
via NFLOG classes, let alone define a suitable policy incorporating that 
action (or a macro - see next 2 bugs below).

Two use cases:

a) If I wish to have a "custom" action utilising 3 different LOG 
destinations before dropping a packet (say, one local via the standard 
LOG target, one remote using NFLOG class 1 and another NFLOG target for 
class 2) this cannot be achieved, e.g. something like:

/etc/shorewall/action.C_ACTION
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
LOG:<log_level> # using the log-level specified as parameter to the action
NFLOG(1,0,1)
NFLOG(2,0,1)
DROP

and then utilising it in rules as:

C_ACTION:<log_level>

won''t work.

b) If I wish to define a "default" policy for, say, $FW->net
connections
to utilise a custom action logging a packet to 3 different destinations 
(as in the case I described above) before dropping a packet, like:

/etc/shorewall/action.C_ACTION
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
LOG:<log_level> # using the log-level specified as parameter to the action
NFLOG(1,0,1)
NFLOG(2,0,1)

and then

/etc/shorewall/policy
~~~~~~~~~~~~~~~~~~~~~
$FW net DROP:C_ACTION <log_level>

that won''t work also.

6. USE_ACTIONS shorewall.conf option is not documented/present - even 
though it is mentioned as part of 
[ACCEPT|DROP|REJECT|NFQUEUE|QUEUE]_DEFAULT option help, there is no 
separate help text describing its function/purpose. It is not included 
as part of the default shorewall.conf either (if it is indeed intended 
for use in shorewall.conf).

7. In "man shorewall-policy" the syntax is described as 
"{ACCEPT|DROP|REJECT|CONTINUE|QUEUE|NFQUEUE[(queuenumber)]|NONE}[:{default-action-or-macro|None}]"
where "default-action-or-macro" is the name of an action (if 
USE_ACTIONS=Yes - see previous bug above) or a macro (if 
USE_ACTIONS=No/Not specified?). That doesn''t work for macros.

/etc/shorewall/macro.C_MACRO
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
LOG
PARAM

/etc/shorewall/policy
~~~~~~~~~~~~~~~~~~~~~
$FW net DROP:C_MACRO info

gets me "ERROR: Unknown Default Action (C_MACRO)" message. Why?


Finally, two feature requests:

1. Add X:UN|X:U (or similar) option in "secmarks" to support the 
UNTRACKED state ("X" is the base chain - INPUT, OUTPUT, FORWARD).
Example:

secmarks
~~~~~~~~
system_u:object_r:whatever_t:s0 I:UN

to be the equivalent of:

iptables -t mangle -A INPUT -m conntrack --ctstate NEW,UNTRACKED -j 
SECMARK --selctx system_u:object_r:whatever_t:s0

2. Add the ability to include rules in the raw table.

Use case: When I am allocated a (dynamic) IP address from my (external) 
DHCP provider, I am usually a part of a (rather large) subnet containing 
many other users. A while back I started getting a lot of attacks based 
on carefully-crafted packets originating from that (large) subnet and 
destined to my machine.

Since by definition there is a pre-defined route added to encompass the 
entire subnet when my device is allocated an IP address, this allows a 
lot of machines on the subnet an easy access to my own - "by default",
so to speak. To counter that, I black-holed the route to all IP 
addresses from that subnet and left out only my own 
(dynamically-allocated) IP address and the gateway address.

That solved the problem, but brought another one - logging martians as, 
naturally, when a crafted packet arrives on my interface from one of the 
black-holed IP addresses, or worse, originates from my own interface and 
is destined to one of those IP addresses, it gets marked as a martian as 
there is no route to it and I get it logged.

I finally solved that problem by including a (manual) set of rules in my 
raw table which dumps (understand DROPs) these addresses even before a 
routing decision is made. Since the raw table has, to my knowledge, the 
highest priority, I could include rules there which supersede routing or 
connection tracking decisions. In other words, I could have a set of 
rules processed before any connection tracking or routing decision is 
made, which is very handy!

Currently I do this in "init" and "started", but it would be
nice if I
do not hack it like that and am able to add such rules more
"naturally".

I am aware that I could easily block the entire subnet, bar my own and 
the gateway IP addresses via "regular" rules in "rules", but
I wish to
include these *before* any routing or connection-tracking decisions are 
made. I am also aware that there is possible performance penalty from 
this as these rules are processed for *every* packet, but I am willing 
to take that hit.

------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single
web console. Get in-depth insight into apps, servers, databases, vmware,
SAP, cloud infrastructure, etc. Download 30-day Free Trial.
Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov

On 11/18/2012 09:16 AM, Mr Dash Four wrote:
> All of these are for v4.5.9 and (possibly) above:
>
> 1. Upon execution of "shorewall compile [file]" the following
leftover
> exist in the RAW table:
>
> Chain fooXNNNNNN (0 references)
>   pkts bytes target     prot opt in     out     source
> destination
>      0     0 CT         all  --  *      *       0.0.0.0/0
> 0.0.0.0/0            CT notrack
>      0     0 CT         all  --  *      *       0.0.0.0/0
> 0.0.0.0/0            CT notrack
>
> If I execute "shorewall compile [file]" 20 times, I will have 20
> different chains called "fooXNNNNN" in my raw table.
I''m unable to reproduce that problem.

root@gateway:~# shorewall -qqq compile foobaroo
Compiling...
root@gateway:~# shorewall show raw
Shorewall 4.5.9.2 RAW Table at gateway - Sun Nov 18 10:05:26 PST 2012

Counters reset Sun Nov 18 09:54:28 PST 2012

Chain PREROUTING (policy ACCEPT 197 packets, 78273 bytes)
 pkts bytes target     prot opt in     out     source destination
 3846  356K loc_ctrk   all  --  eth2   *       172.20.1.0/24 0.0.0.0/0
    0     0 RETURN     all  --  eth1   *       10.1.10.0/24 0.0.0.0/0
    0     0 RETURN     all  --  eth1   *       0.0.0.0/0 0.0.0.0/0
      match-set subnet src
    0     0 RETURN     all  --  eth0   *       0.0.0.0/0 0.0.0.0/0
      match-set subnet src
   77  7700 NOTRACK    all  --  eth1   *       192.88.99.1 0.0.0.0/0
    0     0 NOTRACK    all  --  eth0   *       192.88.99.1 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 42 packets, 4344 bytes)
 pkts bytes target     prot opt in     out     source destination
    0     0 NOTRACK    udp  --  *      *       0.0.0.0/0 255.255.255.255
    2   476 NOTRACK    udp  --  *      *       0.0.0.0/0 172.20.1.255
    0     0 NOTRACK    udp  --  *      *       0.0.0.0/0 70.90.191.127
  131 13100 NOTRACK    all  --  *      *       0.0.0.0/0 192.88.99.1

Chain loc_ctrk (1 references)
 pkts bytes target     prot opt in     out     source destination
   95  8528 NOTRACK    udp  --  *      *       0.0.0.0/0 172.20.1.255
    2   493 NOTRACK    udp  --  *      *       0.0.0.0/0 255.255.255.255
root@gateway:~#
>
> 2. "-r" and "-T" shorewall update options are not
documented.
The last sentence in the ''update'' section of the manpage is:

   For a description of the other options, see the check command above.
>
> 3. Upon startup, I get the following group of messages:
>
> shorewall[889]:    Priority of the eth0 tcp-ack filter is 266
> shorewall[889]:    Priority of the <all other net devices defined and
> used in tcclasses> tcp-ack filter is 266
>
> in tcclasses I have the following, which, to my understanding, is
> correct (e:10 refers to eth0, class number 10):
> e:10 - 10*full/100 full 1 tcp-ack
>
> I have similar arrangement for all other interfaces. So, why is the
> allocated priority 266 instead of what I specified (1)?
If you want the tcp-ack filter to have priority 1, specify it as
 tcp-ack(1)
>
> 4. NFLOG ACTION statement not recognised by shorewall.
>
> According to "man shorewall-rules", I can include NFLOG in the
ACTION
> column (in a similar fashion as I specify "ACCEPT",
"DROP", "LOG" etc).
> This ain''t so:
>
> /etc/shorewall/rules
> ~~~~~~~~~~~~~~~~~~~~
> NFLOG(1,0,1)
>
> gives me "ERROR: Unknown ACTION (NFLOG(1,0,1))". I suffer a
similar
> faith if I wish to include the same statement as part of action or a
> macro. Why?
That''s an error in the manpage -- to use NFLOG, specify
"LOG:NFLOG(1,0,1)".
>
> 5. LOG action seems to be ignored when used in a user-defined action:
>
> /etc/shorewall/actions
> ~~~~~~~~~~~~~~~~~~~~~~
> C_ACTION    # whatever
>
> /etc/shorewall/action.C_ACTION
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> LOG
Use "LOG:<level>!" (note the ''!''). e.g.,
''LOG:NFLOG(2,0,1)!''
>
> /etc/shorewall/policy
> ~~~~~~~~~~~~~~~~~~~~~
> $FW net DROP:C_ACTION info
>
> produces this:
>
> *filter
> [...]
> :C_ACTION - [0:0]
> [...]
> -A fw2net -j C_ACTION
> -A fw2net -j LOG --log-level 6 --log-prefix
"Shorewall:fw2net:DROP:"
> -A fw2net -j DROP
>
> C_ACTION is empty, but it is supposed to contain a single LOG jump or
> give me an error if such log level is not specified. Same goes if I have
> this in my rules file:
>
> C_ACTION $FW net
>
> The above two bugs make it impossible to define a separate (custom)
> action or a macro, incorporating logging of a packet to multiple
> (different) destinations/targets - either via the standard LOG target or
> via NFLOG classes, let alone define a suitable policy incorporating that
> action (or a macro - see next 2 bugs below).
>
> Two use cases:
>
> a) If I wish to have a "custom" action utilising 3 different LOG
> destinations before dropping a packet (say, one local via the standard
> LOG target, one remote using NFLOG class 1 and another NFLOG target for
> class 2) this cannot be achieved, e.g. something like:
>
> /etc/shorewall/action.C_ACTION
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> LOG:<log_level> # using the log-level specified as parameter to the
action
> NFLOG(1,0,1)
> NFLOG(2,0,1)
> DROP
>
> and then utilising it in rules as:
>
> C_ACTION:<log_level>
>
> won''t work.
>
> b) If I wish to define a "default" policy for, say, $FW->net
connections
> to utilise a custom action logging a packet to 3 different destinations
> (as in the case I described above) before dropping a packet, like:
>
> /etc/shorewall/action.C_ACTION
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> LOG:<log_level> # using the log-level specified as parameter to the
action
> NFLOG(1,0,1)
> NFLOG(2,0,1)
>
> and then
>
> /etc/shorewall/policy
> ~~~~~~~~~~~~~~~~~~~~~
> $FW net DROP:C_ACTION <log_level>
>
> that won''t work also.
>
> 6. USE_ACTIONS shorewall.conf option is not documented/present - even
> though it is mentioned as part of
> [ACCEPT|DROP|REJECT|NFQUEUE|QUEUE]_DEFAULT option help, there is no
> separate help text describing its function/purpose. It is not included
> as part of the default shorewall.conf either (if it is indeed intended
> for use in shorewall.conf).
That option was removed some time ago and is now hard-wired to
''Yes''.
I''ll update the manpages as time permits.
>
> 7. In "man shorewall-policy" the syntax is described as
>
"{ACCEPT|DROP|REJECT|CONTINUE|QUEUE|NFQUEUE[(queuenumber)]|NONE}[:{default-action-or-macro|None}]"
> where "default-action-or-macro" is the name of an action (if
> USE_ACTIONS=Yes - see previous bug above) or a macro (if
> USE_ACTIONS=No/Not specified?). That doesn''t work for macros.
>
> /etc/shorewall/macro.C_MACRO
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> LOG
> PARAM
>
> /etc/shorewall/policy
> ~~~~~~~~~~~~~~~~~~~~~
> $FW net DROP:C_MACRO info
>
> gets me "ERROR: Unknown Default Action (C_MACRO)" message. Why?
Again, USE_ACTIONS=No is no longer supported. I''ll correct the manpage.
>
>
> Finally, two feature requests:
>
> 1. Add X:UN|X:U (or similar) option in "secmarks" to support the
> UNTRACKED state ("X" is the base chain - INPUT, OUTPUT, FORWARD).
Example:
>
> secmarks
> ~~~~~~~~
> system_u:object_r:whatever_t:s0 I:UN
>
> to be the equivalent of:
>
> iptables -t mangle -A INPUT -m conntrack --ctstate NEW,UNTRACKED -j
> SECMARK --selctx system_u:object_r:whatever_t:s0
Patch attached. The new suffixes are:

	:U (UNTRACKED)
	:NU (NEW,UNTRACKED)
	:NIU (NEW,INVALID,UNTRACKED)
>
> 2. Add the ability to include rules in the raw table.
>
> Use case: When I am allocated a (dynamic) IP address from my (external)
> DHCP provider, I am usually a part of a (rather large) subnet containing
> many other users. A while back I started getting a lot of attacks based
> on carefully-crafted packets originating from that (large) subnet and
> destined to my machine.
>
> Since by definition there is a pre-defined route added to encompass the
> entire subnet when my device is allocated an IP address, this allows a
> lot of machines on the subnet an easy access to my own - "by
default",
> so to speak. To counter that, I black-holed the route to all IP
> addresses from that subnet and left out only my own
> (dynamically-allocated) IP address and the gateway address.
>
> That solved the problem, but brought another one - logging martians as,
> naturally, when a crafted packet arrives on my interface from one of the
> black-holed IP addresses, or worse, originates from my own interface and
> is destined to one of those IP addresses, it gets marked as a martian as
> there is no route to it and I get it logged.
>
> I finally solved that problem by including a (manual) set of rules in my
> raw table which dumps (understand DROPs) these addresses even before a
> routing decision is made. Since the raw table has, to my knowledge, the
> highest priority, I could include rules there which supersede routing or
> connection tracking decisions. In other words, I could have a set of
> rules processed before any connection tracking or routing decision is
> made, which is very handy!
>
> Currently I do this in "init" and "started", but it
would be nice if I
> do not hack it like that and am able to add such rules more
"naturally".
>
> I am aware that I could easily block the entire subnet, bar my own and
> the gateway IP addresses via "regular" rules in
"rules", but I wish to
> include these *before* any routing or connection-tracking decisions are
> made. I am also aware that there is possible performance penalty from
> this as these rules are processed for *every* packet, but I am willing
> to take that hit.
Patch attached. Adds a DROP action to the format-2 conntrack file.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________




------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single
web console. Get in-depth insight into apps, servers, databases, vmware,
SAP, cloud infrastructure, etc. Download 30-day Free Trial.
Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov

On 11/18/12 11:33 AM, Tom Eastep wrote:
>> 4. NFLOG ACTION statement not recognised by shorewall.
>>
>> According to "man shorewall-rules", I can include NFLOG in
the ACTION
>> column (in a similar fashion as I specify "ACCEPT",
"DROP", "LOG" etc).
>> This ain''t so:
>>
>> /etc/shorewall/rules
>> ~~~~~~~~~~~~~~~~~~~~
>> NFLOG(1,0,1)
>>
>> gives me "ERROR: Unknown ACTION (NFLOG(1,0,1))". I suffer a
similar
>> faith if I wish to include the same statement as part of action or a
>> macro. Why?
> 
> That''s an error in the manpage -- to use NFLOG, specify
"LOG:NFLOG(1,0,1)".
I decided to change the code rather than the manpage -- patch attached.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single
web console. Get in-depth insight into apps, servers, databases, vmware,
SAP, cloud infrastructure, etc. Download 30-day Free Trial.
Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov

On 11/18/12 11:33 AM, Tom Eastep wrote:
>>
>> 3. Upon startup, I get the following group of messages:
>>
>> shorewall[889]:    Priority of the eth0 tcp-ack filter is 266
>> shorewall[889]:    Priority of the <all other net devices defined
and
>> used in tcclasses> tcp-ack filter is 266
>>
>> in tcclasses I have the following, which, to my understanding, is
>> correct (e:10 refers to eth0, class number 10):
>> e:10 - 10*full/100 full 1 tcp-ack
>>
>> I have similar arrangement for all other interfaces. So, why is the
>> allocated priority 266 instead of what I specified (1)?
> 
> If you want the tcp-ack filter to have priority 1, specify it as
>  tcp-ack(1)
>
Correction -- make that tcp-ack:1

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________





------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single
web console. Get in-depth insight into apps, servers, databases, vmware,
SAP, cloud infrastructure, etc. Download 30-day Free Trial.
Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov

> I''m unable to reproduce that problem.
>   
Test case? If so, what would you like me to include (what is the likely 
cause of this)?
>> 2. "-r" and "-T" shorewall update options are not
documented.
>>     
>
> The last sentence in the ''update'' section of the manpage
is:
>
>    For a description of the other options, see the check command above.
>   
Noted.
> If you want the tcp-ack filter to have priority 1, specify it as
>  tcp-ack(1)
>   
I thought that is what the "priority" column is for, isn''t
that the
case? From the shorewall-tcclasses man page:

PRIORITY - priority
[...]
For both HTB and HFSC, the priority is used to calculate the priority of 
following Shorewall-generated classification filters that refer to the 
class:
    * Packet MARK
    * tcp-ack and the tos options (see below)

Setting "tcp-ack:1" does indeed suppress that message, though I am 
intrigued as to why the priority specified in the "priority" column is
disregarded?
> That''s an error in the manpage -- to use NFLOG, specify
"LOG:NFLOG(1,0,1)".
>   
Taking into account your latest response on this - I''ll use 
"NFLOG(1,0,1)" and see if that does the job.
> Use "LOG:<level>!" (note the ''!''). e.g.,
''LOG:NFLOG(2,0,1)!''
>   
Noted, though I have some reservations about using actions - see below.
> Again, USE_ACTIONS=No is no longer supported. I''ll correct the
manpage.
>   
OK, the way I understand it, I could only use actions in my policy file, 
right? If so, I am going to have another set of problems:

Currently, by its own definition, shorewall macros can "assign" log 
levels "automatically" to all operators in that macro. For example, if
I
have the following:

macro.C_MACRO
~~~~~~~~~~~~~
LOG
NFLOG(1,0,1)
NFLOG(2,0,1)
DROP

and then call it with "C_MACRO:info" in, say, my "rules"
file, this will
pass this log level (info) "automatically" to LOG (the first operator
of
C_MACRO) as well as the DROP statement (and create an additional - 
standard LOG jump) before the packet is dropped.

If I use action, how can I achieve this? This is particularly evident in 
the policy file: When I use "$FW net DROP:C_ACTION info" I would
expect
the "info" log level to be, somehow, passed to C_ACTION. That
doesn''t
happen though - all I get is a jump to the C_ACTION chain and then I 
have an additional LOG in fw2net chain itself - completely detached from 
C_ACTION.

There is additional benefit of using macros as far as I can see: when I 
use macro, the "code" of that macro is inserted "inline".
That has the
added benefit of creating the appropriate "labels" and comments for
the
chain in which this macro originated. In other words, when I use

rules
~~~~
C_MACRO:info $FW net

This will create 5 inline statements, like so:

-A fw2net -j LOG --log-level 6 --log-prefix "Shorewall:fw2net:LOG:" -m
comment --comment "C_MACRO"
-A fw2net -j NFLOG --nflog-group 1 --nflog-range 0 --nflog-threshold 1 
--nflog-prefix "Shorewall:fw2net:LOG:" -m comment --comment
"C_MACRO"
-A fw2net -j NFLOG --nflog-group 2 --nflog-range 0 --nflog-threshold 1 
--nflog-prefix "Shorewall:fw2net:LOG:" -m comment --comment
"C_MACRO"
-A fw2net -j LOG --log-level 6 --log-prefix "Shorewall:fw2net:DROP:"
-m
comment --comment "C_MACRO"
-A fw2net -j DROP -m comment --comment "C_MACRO"

Note the "nflog-prefix", "log-prefix" and
"comment" - they are all
"tailored" specifically for the chain in which I use that macro - very
handy since if I am going to use one macro across the board, the chain 
from which this call originated could be easily identified 
("Shorewall:fw2net:LOG:" and "Shorewall:fw2net:DROP:"). If I
use action
instead, that won''t be possible since I am going to get this instead:

-A C_ACTION -j NFLOG --nflog-group 1 --nflog-range 0 --nflog-threshold 1 
--nflog-prefix "Shorewall:C_ACTION:LOG:"
-A C_ACTION -j NFLOG --nflog-group 2 --nflog-range 0 --nflog-threshold 1 
--nflog-prefix "Shorewall:C_ACTION:LOG:"

Notice the nflog-prefix (Shorewall:C_ACTION:LOG:) - there is no way I 
could identify which chain the packet originated from and there is no 
comment there either.

This might not sound like a big deal, but when I wish to use a single 
macro in various policy statements for different directions ($FW->net, 
net->$FW etc), when I get a packet logged, I won''t know which chain
this
packet originated from, or, at the very least, I have to scratch my head 
to find out. If I were able to deploy macros in the "policy" instead, 
this problem goes away as the macro will be included "inline" with the
appropriate labels and comments to boot.

> Patch attached. The new suffixes are:
>
> 	:U (UNTRACKED)
> 	:NU (NEW,UNTRACKED)
> 	:NIU (NEW,INVALID,UNTRACKED)
>   
Noted, I''ll test this later.
> Patch attached. Adds a DROP action to the format-2 conntrack file.
>   
Noted, wasn''t aware of the "conntrack" file, but
I''ll test this as well
- I take it the support for ipsets is there, right?


------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single
web console. Get in-depth insight into apps, servers, databases, vmware,
SAP, cloud infrastructure, etc. Download 30-day Free Trial.
Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov

On 11/19/12 7:47 AM, Mr Dash Four wrote:
>
>> I''m unable to reproduce that problem.
>>
> Test case? If so, what would you like me to include (what is the likely
> cause of this)?
>
The problem is associated with LOAD_HELPERS_ONLY=No; patch attached.
>> If you want the tcp-ack filter to have priority 1, specify it as
>>  tcp-ack(1)
>>
> I thought that is what the "priority" column is for,
isn''t that the
> case? From the shorewall-tcclasses man page:
>
> PRIORITY - priority
> [...]
> For both HTB and HFSC, the priority is used to calculate the priority of
> following Shorewall-generated classification filters that refer to the
> class:
>     * Packet MARK
>     * tcp-ack and the tos options (see below)
>
> Setting "tcp-ack:1" does indeed suppress that message, though I
am
> intrigued as to why the priority specified in the "priority"
column is
> disregarded?
This has been a point of confusion before. The priority displayed in
these messages is the *filter* priority. For compatibility with earlier
releases, they default to what you are seeing; this is clearly
documented in the manpages. Placing the tcp-ack filter at priority 1
means that ACK packets from low-priority bulk traffic will still be
treated as high-priority. If that''s what you want, then you need to
explicitly specify it.
> OK, the way I understand it, I could only use actions in my policy file,
> right?
Correct.

 > If so, I am going to have another set of problems:
>
> Currently, by its own definition, shorewall macros can "assign"
log
> levels "automatically" to all operators in that macro. For
example, if I
> have the following:
>
> macro.C_MACRO
> ~~~~~~~~~~~~~
> LOG
> NFLOG(1,0,1)
> NFLOG(2,0,1)
> DROP
>
> and then call it with "C_MACRO:info" in, say, my
"rules" file, this will
> pass this log level (info) "automatically" to LOG (the first
operator of
> C_MACRO) as well as the DROP statement (and create an additional -
> standard LOG jump) before the packet is dropped.
>
> If I use action, how can I achieve this? This is particularly evident in
> the policy file: When I use "$FW net DROP:C_ACTION info" I would
expect
> the "info" log level to be, somehow, passed to C_ACTION. That
doesn''t
> happen though - all I get is a jump to the C_ACTION chain and then I
> have an additional LOG in fw2net chain itself - completely detached from
> C_ACTION.
>
> There is additional benefit of using macros as far as I can see: when I
> use macro, the "code" of that macro is inserted
"inline". That has the
> added benefit of creating the appropriate "labels" and comments
for the
> chain in which this macro originated. In other words, when I use
>
> rules
> ~~~~
> C_MACRO:info $FW net
>
> This will create 5 inline statements, like so:
>
> -A fw2net -j LOG --log-level 6 --log-prefix
"Shorewall:fw2net:LOG:" -m
> comment --comment "C_MACRO"
> -A fw2net -j NFLOG --nflog-group 1 --nflog-range 0 --nflog-threshold 1
> --nflog-prefix "Shorewall:fw2net:LOG:" -m comment --comment
"C_MACRO"
> -A fw2net -j NFLOG --nflog-group 2 --nflog-range 0 --nflog-threshold 1
> --nflog-prefix "Shorewall:fw2net:LOG:" -m comment --comment
"C_MACRO"
> -A fw2net -j LOG --log-level 6 --log-prefix
"Shorewall:fw2net:DROP:" -m
> comment --comment "C_MACRO"
> -A fw2net -j DROP -m comment --comment "C_MACRO"
>
> Note the "nflog-prefix", "log-prefix" and
"comment" - they are all
> "tailored" specifically for the chain in which I use that macro -
very
> handy since if I am going to use one macro across the board, the chain
> from which this call originated could be easily identified
> ("Shorewall:fw2net:LOG:" and "Shorewall:fw2net:DROP:").
If I use action
> instead, that won''t be possible since I am going to get this
instead:
>
> -A C_ACTION -j NFLOG --nflog-group 1 --nflog-range 0 --nflog-threshold 1
> --nflog-prefix "Shorewall:C_ACTION:LOG:"
> -A C_ACTION -j NFLOG --nflog-group 2 --nflog-range 0 --nflog-threshold 1
> --nflog-prefix "Shorewall:C_ACTION:LOG:"
>
> Notice the nflog-prefix (Shorewall:C_ACTION:LOG:) - there is no way I
> could identify which chain the packet originated from and there is no
> comment there either.
>
> This might not sound like a big deal, but when I wish to use a single
> macro in various policy statements for different directions ($FW->net,
> net->$FW etc), when I get a packet logged, I won''t know which
chain this
> packet originated from, or, at the very least, I have to scratch my head
> to find out. If I were able to deploy macros in the "policy"
instead,
> this problem goes away as the macro will be included "inline"
with the
> appropriate labels and comments to boot.
I''ll take a look at this. But in the mean time, you can achieve the
same
goal by simply placing your logging rules at the end of the rules file 
with SOURCE and DEST set to ''all''.
>
>
>> Patch attached. The new suffixes are:
>>
>> 	:U (UNTRACKED)
>> 	:NU (NEW,UNTRACKED)
>> 	:NIU (NEW,INVALID,UNTRACKED)
>>
> Noted, I''ll test this later.
>
>> Patch attached. Adds a DROP action to the format-2 conntrack file.
>>
> Noted, wasn''t aware of the "conntrack" file, but
I''ll test this as well
> - I take it the support for ipsets is there, right?
Yes.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________


-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________


------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single
web console. Get in-depth insight into apps, servers, databases, vmware,
SAP, cloud infrastructure, etc. Download 30-day Free Trial.
Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov

On 11/19/2012 11:41 AM, Tom Eastep wrote:
> On 11/19/12 7:47 AM, Mr Dash Four wrote:
>> This might not sound like a big deal, but when I wish to use a single
>> macro in various policy statements for different directions
($FW->net,
>> net->$FW etc), when I get a packet logged, I won''t know
which chain this
>> packet originated from, or, at the very least, I have to scratch my
head
>> to find out. If I were able to deploy macros in the "policy"
instead,
>> this problem goes away as the macro will be included "inline"
with the
>> appropriate labels and comments to boot.
>
> I''ll take a look at this. But in the mean time, you can achieve
the same
> goal by simply placing your logging rules at the end of the rules file
> with SOURCE and DEST set to ''all''.
Attached is a lightly-tested patch that allows a macro to be used as a 
default action. Please try it and provide feedback.

Thanks,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________


------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single
web console. Get in-depth insight into apps, servers, databases, vmware,
SAP, cloud infrastructure, etc. Download 30-day Free Trial.
Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov

On 11/19/12 4:25 PM, Tom Eastep wrote:
> On 11/19/2012 11:41 AM, Tom Eastep wrote:
>> On 11/19/12 7:47 AM, Mr Dash Four wrote:
> 
>>> This might not sound like a big deal, but when I wish to use a
single
>>> macro in various policy statements for different directions
($FW->net,
>>> net->$FW etc), when I get a packet logged, I won''t know
which chain this
>>> packet originated from, or, at the very least, I have to scratch my
head
>>> to find out. If I were able to deploy macros in the
"policy" instead,
>>> this problem goes away as the macro will be included
"inline" with the
>>> appropriate labels and comments to boot.
>>
>> I''ll take a look at this. But in the mean time, you can
achieve the same
>> goal by simply placing your logging rules at the end of the rules file
>> with SOURCE and DEST set to ''all''.
> 
> Attached is a lightly-tested patch that allows a macro to be used as a
> default action. Please try it and provide feedback.
This one is needed also.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single
web console. Get in-depth insight into apps, servers, databases, vmware,
SAP, cloud infrastructure, etc. Download 30-day Free Trial.
Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov

>> I''ll take a look at this. But in the mean time, you can
achieve the same
>> goal by simply placing your logging rules at the end of the rules file
>> with SOURCE and DEST set to ''all''.
>
> Attached is a lightly-tested patch that allows a macro to be used as a 
> default action. Please try it and provide feedback.
Noted. I take it apart from using that macro in my policy file I don''t 
have to do anything in addition to that, like specifying USE_ACTIONS and 
so on, right? I''ll have the chance to test all of your patches tonight 
and will let you know what''s happening.


------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single
web console. Get in-depth insight into apps, servers, databases, vmware,
SAP, cloud infrastructure, etc. Download 30-day Free Trial.
Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov

On 11/20/2012 07:53 AM, Mr Dash Four wrote:
>
>>> I''ll take a look at this. But in the mean time, you can
achieve the same
>>> goal by simply placing your logging rules at the end of the rules
file
>>> with SOURCE and DEST set to ''all''.
>>
>> Attached is a lightly-tested patch that allows a macro to be used as a
>> default action. Please try it and provide feedback.
> Noted. I take it apart from using that macro in my policy file I
don''t
> have to do anything in addition to that, like specifying USE_ACTIONS and
> so on, right? I''ll have the chance to test all of your patches
tonight
> and will let you know what''s happening.
You simply specify the macro name in the POLICY file.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single
web console. Get in-depth insight into apps, servers, databases, vmware,
SAP, cloud infrastructure, etc. Download 30-day Free Trial.
Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov

On 11/20/2012 08:15 AM, Tom Eastep wrote:
> On 11/20/2012 07:53 AM, Mr Dash Four wrote:
>>
>>>> I''ll take a look at this. But in the mean time, you
can achieve the same
>>>> goal by simply placing your logging rules at the end of the
rules file
>>>> with SOURCE and DEST set to ''all''.
>>>
>>> Attached is a lightly-tested patch that allows a macro to be used
as a
>>> default action. Please try it and provide feedback.
>> Noted. I take it apart from using that macro in my policy file I
don''t
>> have to do anything in addition to that, like specifying USE_ACTIONS
and
>> so on, right? I''ll have the chance to test all of your patches
tonight
>> and will let you know what''s happening.
>
> You simply specify the macro name in the POLICY file.
>
And thanks in advance for helping to test this,

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single
web console. Get in-depth insight into apps, servers, databases, vmware,
SAP, cloud infrastructure, etc. Download 30-day Free Trial.
Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov

>> That''s an error in the manpage -- to use NFLOG, specify
"LOG:NFLOG(1,0,1)".
> 
> I decided to change the code rather than the manpage -- patch attached.
It doesn''t seem to work: I am getting "ERROR: Invalid NFLOG
action(NFLOG(1,0,1):none)"

The statement in my C_ACTION is just "NFLOG(1,0,1)" (as oppose to
"LOG:NFLOG(1,0,1)"). Am I missing something?

------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single
web console. Get in-depth insight into apps, servers, databases, vmware,
SAP, cloud infrastructure, etc. Download 30-day Free Trial.
Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov

>> Test case? If so, what would you like me to include (what is the likely
>> cause of this)?
>>
> 
> The problem is associated with LOAD_HELPERS_ONLY=No; patch attached.
Does the trick - no more leftovers in my raw table.


------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single
web console. Get in-depth insight into apps, servers, databases, vmware,
SAP, cloud infrastructure, etc. Download 30-day Free Trial.
Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov

> Patch attached. The new suffixes are:
> 
> 	:U (UNTRACKED)
> 	:NU (NEW,UNTRACKED)
> 	:NIU (NEW,INVALID,UNTRACKED)
The patch does its job to perfection.

> Patch attached. Adds a DROP action to the format-2 conntrack file.
That, in general, does not work:

I am not sure what I am supposed to put in the SOURCE/DESTINATION columns as a
"zone" when in reality I don''t care which "zone"
this is in (and I don''t think "all" is appropriate). For
example, if I want to emulate "-t raw -I PREROUTING 1 -m set --match-set
baddies-set src -j DROP" as well as "-t raw -I OUTPUT 1 -m set
--match-set baddies-set dst -j DROP" I tried the following:

1.
DROP +baddies-set
DROP - +baddies-set

Doesn''t work - it is asking me for a zone to put in...

2.
DROP $FW:+baddies-set
DROP - $FW:+baddies-set

Moans about unknown zone ("-")...

3.
DROP $FW:+baddies-set
DROP all $FW:+baddies-set

I am getting "ERROR: Unknown Interface (fw)" error...

Further on this - a few suggestions to extend this file''s
functionality:

1. I am not sure whether I could use custom action in this file, but it would be
very handy if I could. Why? Because if I wish to use such action for creating
packet logs to multiple (understand 3) destinations for example, then instead of
having 3 separate LOG/NFLOG statements *and* their associate conditionals, I
could just have one conditional + custom action, which should, in theory, be
translated to a single jump to the corresponding custom-action chain where the
multiple packet logs take place.

2. If possible, could you include a SWITCH column (similar to what you already
have in "rules") so that this particular rule is switched on/off
if/when desired.

Finally, a side issue I''ve been having, which up until now was a bit of
a mystery to me - until I had a proper look at my (default) conntrack file, that
is: every time shorewall starts, I get a group of rather annoying syslog
messages like so:

xt_CT: No such helper "sane"
xt_CT: No such helper "sane-0"
xt_CT: No such helper "tftp"
xt_CT: No such helper "tftp-0"
xt_CT: No such helper "pptp"
xt_CT: No such helper "sip"
xt_CT: No such helper "sip-0"
xt_CT: No such helper "snmp"
xt_CT: No such helper "netbios-ns"
xt_CT: No such helper "ftp"
xt_CT: No such helper "ftp-0"
xt_CT: No such helper "irc"
xt_CT: No such helper "irc-0"
xt_CT: No such helper "amanda"

I knew these may have resulted from the fact that I have intentionally disabled
(and forcibly removed!) all conntrack kernel helper modules. Until I had a look
at the conntrack file, I thought that they were caused by shorewall trying to
load the ct kernel helper modules, but after seeing all those conditionals in
"conntrack" I am not so sure. Is there any way I could get rid of
these messages? Am I doing something wrong?


------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single
web console. Get in-depth insight into apps, servers, databases, vmware,
SAP, cloud infrastructure, etc. Download 30-day Free Trial.
Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov

> You simply specify the macro name in the POLICY file.
Doesn''t seem to work.

macro.C_MACRO
~~~~~~~~~~~~~
LOG
LOG:NFLOG(1,0,1)
LOG:NFLOG(2,0,1)


policy
~~~~~~
$FW net DROP:C_MACRO info

I am getting "ERROR: LOG requires a log level"

policy
~~~~~~
$FW net DROP:C_MACRO:info info

This time I am getting "ERROR: Invalid default action (C_MACRO:info)"

policy
~~~~~~
$FW net DROP:C_MACRO(info) info

This time the message is "ERROR: Default Action Macros may not have
parameters"


Finally, one question and a suggestion: suppose I would like to conditionally
dump packets on both side of a connection initiated from outside. For the
incoming part I know I should put the appropriate NFLOG statement in the NEW
section. The tricky bit (at least for me anyway) is what to do on the outgoing
side, particularly when the connection is already established (I *do* wish to
dump every packet regardless of the connection tracking state, including the
UNTRACKED ones).

Should I then place the appropriate statement in the ALL section of the rules
file then? Would that execute prior to the connection tracking state matches
(NEW, RELATED, ESTABLISHED)? Do these type of statements (in the ALL section) go
after the blackists and the various tcp flag/smurfs and all other checks
shorewall has put in place?

The suggestion: from what I can gather, currently there isn''t a
stand-alone AUDIT statement in the way there are LOG and NFLOG ones. Would it be
possible to include one? The type specified in that AUDIT statement (accept,
drop and reject) is largely irrelevant as far as iptables go (they do have
significance in the audit facility though). The reason I ask this is because if
I had this, I could add the AUDIT log target to my custom macro/action when
auditing of packets (*without* explicitly dropping/rejecting/accepting them) is
needed, along with LOG/NFLOG targets.

------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single
web console. Get in-depth insight into apps, servers, databases, vmware,
SAP, cloud infrastructure, etc. Download 30-day Free Trial.
Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov

> And thanks in advance for helping to test this,
Pleasure. I''ll be able to do more testing again when you iron the rough
edges - just let me know.

------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single
web console. Get in-depth insight into apps, servers, databases, vmware,
SAP, cloud infrastructure, etc. Download 30-day Free Trial.
Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov

On 11/20/2012 08:18 PM, Mr Dash Four wrote:
>>> That''s an error in the manpage -- to use NFLOG, specify
>>> "LOG:NFLOG(1,0,1)".
>>
>> I decided to change the code rather than the manpage -- patch
>> attached.
> It doesn''t seem to work: I am getting "ERROR: Invalid NFLOG
> action(NFLOG(1,0,1):none)"
>
> The statement in my C_ACTION is just "NFLOG(1,0,1)" (as oppose to
> "LOG:NFLOG(1,0,1)"). Am I missing something?
>
>> You simply specify the macro name in the POLICY file.
> Doesn''t seem to work.
>
> macro.C_MACRO ~~~~~~~~~~~~~ LOG LOG:NFLOG(1,0,1) LOG:NFLOG(2,0,1)
>
>
> policy ~~~~~~ $FW net DROP:C_MACRO info
>
> I am getting "ERROR: LOG requires a log level"
>
> policy ~~~~~~ $FW net DROP:C_MACRO:info info
>
> This time I am getting "ERROR: Invalid default action
> (C_MACRO:info)"
>
>
> policy ~~~~~~ $FW net DROP:C_MACRO(info) info
>
> This time the message is "ERROR: Default Action Macros may not have
> parameters"
These will have to wait for Beta 2 -- at that point NFLOG() should work
as you expect and you can specify ''DROP:C_MACRO(info)'' if you
want to
make simple ''LOG'' rules log at the ''info''
level.
>
> Finally, one question and a suggestion: suppose I would like to
> conditionally dump packets on both side of a connection initiated
> from outside. For the incoming part I know I should put the
> appropriate NFLOG statement in the NEW section. The tricky bit (at
> least for me anyway) is what to do on the outgoing side,
> particularly when the connection is already established (I *do* wish
> to dump every packet regardless of the connection tracking state,
> including the UNTRACKED ones).
>
> Should I then place the appropriate statement in the ALL section of
> the rules file then? Would that execute prior to the connection
> tracking state matches (NEW, RELATED, ESTABLISHED)?
Yes
> Do these type of statements (in the ALL section) go after the
> blackists and the various tcp flag/smurfs and all other checks
> shorewall has put in place?
Rules in the ALL section come after the blacklist and the
interface-option checks.

When I want this type of logging, though, I use the ''iptrace''
shorewall
command. This not only logs each packet but traces it through the 
Netfilter chains.
>
> The suggestion: from what I can gather, currently there isn''t a
> stand-alone AUDIT statement in the way there are LOG and NFLOG ones.
> Would it be possible to include one? The type specified in that
> AUDIT statement (accept, drop and reject) is largely irrelevant as
> far as iptables go (they do have significance in the audit facility
> though). The reason I ask this is because if I had this, I could add
> the AUDIT log target to my custom macro/action when auditing of
> packets (*without* explicitly dropping/rejecting/accepting them) is
> needed, along with LOG/NFLOG targets.
Copy the two attached files into ${SHAREDIR}/shorewall. The new target
is ''Audit'' and accepts one optional parameter (the audit
type). The
default audit type is ''drop''. The action does no logging. Note
that
iptables requires the ''type'' to be specified.

[root@sami ~]# iptables -A foo -j AUDIT
iptables v1.4.14: AUDIT: option "--type" must be specified

Try `iptables -h'' or ''iptables --help'' for more
information.
[root@sami ~]#

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single
web console. Get in-depth insight into apps, servers, databases, vmware,
SAP, cloud infrastructure, etc. Download 30-day Free Trial.
Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov

On 11/20/2012 08:18 PM, Mr Dash Four wrote:
>> Patch attached. The new suffixes are:
>>
>> 	:U (UNTRACKED)
>> 	:NU (NEW,UNTRACKED)
>> 	:NIU (NEW,INVALID,UNTRACKED)
> The patch does its job to perfection.
>
Good
>
>> Patch attached. Adds a DROP action to the format-2 conntrack file.
> That, in general, does not work:
>
> I am not sure what I am supposed to put in the SOURCE/DESTINATION
columns as a "zone" when in reality I don''t care which
"zone" this is in
(and I don''t think "all" is appropriate). For example, if I
want to
emulate "-t raw -I PREROUTING 1 -m set --match-set baddies-set src -j
DROP" as well as "-t raw -I OUTPUT 1 -m set --match-set baddies-set
dst
-j DROP" I tried the following:
>
> 1.
> DROP +baddies-set
> DROP - +baddies-set
>
> Doesn''t work - it is asking me for a zone to put in...
>
> 2.
> DROP $FW:+baddies-set
> DROP - $FW:+baddies-set
>
> Moans about unknown zone ("-")...
A careful reading of the manpage reveals that a zone is required in the 
SOURCE column (and ''all'' is appropriate for your use) while a
zone is
disallowed in the DESTINATION column (remember that the packet hasn''t 
been routed yet so the destination zone is as yet unknown).

Note: When a destination interface is specified, the generated script 
has to use the routing table to produce a list of destination networks, 
then generates one rule for each network.
>
> 3.
> DROP $FW:+baddies-set
> DROP all $FW:+baddies-set
>
> I am getting "ERROR: Unknown Interface (fw)" error...
Again, no zone in the DESTINATION column.
>
> Further on this - a few suggestions to extend this file''s
functionality:
>
> 1. I am not sure whether I could use custom action in this file, but
it would be very handy if I could. Why? Because if I wish to use such
action for creating packet logs to multiple (understand 3) destinations
for example, then instead of having 3 separate LOG/NFLOG statements
*and* their associate conditionals, I could just have one conditional +
custom action, which should, in theory, be translated to a single jump
to the corresponding custom-action chain where the multiple packet logs
take place.

The implementation of actions is heavily integrated with processing of 
the rules file and is not available in other files. That''s one of the 
items on my wish list but it will require a large effort.
>
> 2. If possible, could you include a SWITCH column (similar to what
> you  already have in "rules") so that this particular rule is
switched on/off
if/when desired.
>
> Finally, a side issue I''ve been having, which up until now was a
bit
of a mystery to me - until I had a proper look at my (default) conntrack
file, that is: every time shorewall starts, I get a group of rather
annoying syslog messages like so:
> xt_CT: No such helper "sane"
> xt_CT: No such helper "sane-0"
> xt_CT: No such helper "tftp"
> xt_CT: No such helper "tftp-0"
> xt_CT: No such helper "pptp"
> xt_CT: No such helper "sip"
> xt_CT: No such helper "sip-0"
> xt_CT: No such helper "snmp"
> xt_CT: No such helper "netbios-ns"
> xt_CT: No such helper "ftp"
> xt_CT: No such helper "ftp-0"
> xt_CT: No such helper "irc"
> xt_CT: No such helper "irc-0"
> xt_CT: No such helper "amanda"
>
> I knew these may have resulted from the fact that I have
> intentionally
disabled (and forcibly removed!) all conntrack kernel helper modules.
Until I had a look at the conntrack file, I thought that they were
caused by shorewall trying to load the ct kernel helper modules, but
after seeing all those conditionals in "conntrack" I am not so sure.
Is
there any way I could get rid of these messages? Am I doing something wrong?

These messages are a result of Shorewall probing the system to determine 
what helpers are available.

There are two ways to suppress them:

- set LOAD_HELPERS_ONLY=Yes in shorewall.conf.
- generate a capabilities file (shorewall show -f capabilities >
   ${CONFDIR}/shorewall/capabilities), then edit the file to turn off
   HELPER_MATCH (set the variable to the empty value).

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single
web console. Get in-depth insight into apps, servers, databases, vmware,
SAP, cloud infrastructure, etc. Download 30-day Free Trial.
Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov

On 11/21/2012 11:09 AM, Tom Eastep wrote:
>> I am not sure what I am supposed to put in the SOURCE/DESTINATION
> columns as a "zone" when in reality I don''t care which
"zone" this is in
> (and I don''t think "all" is appropriate). For example,
if I want to
> emulate "-t raw -I PREROUTING 1 -m set --match-set baddies-set src -j
> DROP" as well as "-t raw -I OUTPUT 1 -m set --match-set
baddies-set dst
> -j DROP" I tried the following:
I just recalled that ''all'' can''t be qualified with an
ipset name (or
anything else for that matter).

Patch attached.

With this patch:

- ''all'' places the rule in PREROUTING and in OUTPUT
- ''all-'' places the rule in PREROUTING
- ''$FW'' places the rule in OUTPUT
- All of the above can be qualified with ipsets, addresses, etc.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________


------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single
web console. Get in-depth insight into apps, servers, databases, vmware,
SAP, cloud infrastructure, etc. Download 30-day Free Trial.
Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov

On 11/20/2012 08:18 PM, Mr Dash Four wrote:
>
> 2. If possible, could you include a SWITCH column (similar to what
> you already have in "rules") so that this particular rule is
switched
> on/off if/when desired.
>
Will be in Beta 2.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single
web console. Get in-depth insight into apps, servers, databases, vmware,
SAP, cloud infrastructure, etc. Download 30-day Free Trial.
Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov

> These will have to wait for Beta 2 -- at that point NFLOG() should work
> as you expect and you can specify ''DROP:C_MACRO(info)'' if
you want to
> make simple ''LOG'' rules log at the
''info'' level.
Noted.
> Rules in the ALL section come after the blacklist and the
> interface-option checks.
What I thought initially.
> When I want this type of logging, though, I use the
''iptrace'' shorewall
> command. This not only logs each packet but traces it through the
> Netfilter chains.
My situation is different - I must log these packets to 3 different destinations
for different reasons - I''d use the "normal" log facility
simply to avoid some nasty NFLOG bugs amd as a sort of emergency packup when
everything else is screwed, will use NFLOG (class 1) for my main logging tool as
this goes across to a different site where all other logs are stored too, will
use a 3rd NFLOG statement to capture packet payloads if/when needed and there
will be a 4th, optional, log destination using the AUDIT target to be in sync
if/when I get SELInux-related alerts so that I don''t spend my time
looking through various sources to find out what I am after.
> Copy the two attached files into ${SHAREDIR}/shorewall. The new target
> is ''Audit'' and accepts one optional parameter (the audit
type).
It works. You may change the "ERROR: Invalid AUDIT type (XXXXX)"
message to indicate what type of audit is acceptable (accept|reject|drop), but
that''s a minor thing. Also, personally, I''d prefer this to be
"AUDIT" instead of "Audit" for consistency with LOG/NFLOG,
but these are semantics really.

------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single
web console. Get in-depth insight into apps, servers, databases, vmware,
SAP, cloud infrastructure, etc. Download 30-day Free Trial.
Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov

> A careful reading of the manpage reveals that a zone is required in the 
> SOURCE column (and ''all'' is appropriate for your use)
while a zone is
> disallowed in the DESTINATION column (remember that the packet
hasn''t
> been routed yet so the destination zone is as yet unknown).
> 
> Note: When a destination interface is specified, the generated script 
> has to use the routing table to produce a list of destination networks, 
> then generates one rule for each network.
All noted - I must have been half-asleep when testing this last night.
> The implementation of actions is heavily integrated with processing of 
> the rules file and is not available in other files. That''s one of
the
> items on my wish list but it will require a large effort.
It would be nice to have it so that I could extend my logging to this tables
with little effort, but if not, I''ll revert to my old friend -
"started".
> These messages are a result of Shorewall probing the system to determine 
> what helpers are available.
> 
> There are two ways to suppress them:
> 
> - set LOAD_HELPERS_ONLY=Yes in shorewall.conf.
If I do that, according to the man pages, that won''t load my other
non-ct modules ("...restricts the set of modules loaded by shorewall to
those listed in /var/lib/shorewall/helpers") which isn''t what I
want as I have various other modules (not ct-related) which need to me loaded
and these are listed in the modules.* files.
> - generate a capabilities file (shorewall show -f capabilities >
>    ${CONFDIR}/shorewall/capabilities), then edit the file to turn off
>    HELPER_MATCH (set the variable to the empty value).
I don''t want to do that either because when I upgrade shorewall, the
chances of new capabilities existing in that version which won''t be
included in the existing "capabilities" file are pretty high and I am
not about to run the update or regenerate all my capabilities file with every
shorewall update.

Besides, if that turns out to be the case, then I am going to have another
shorewall message telling me that my capabilities file is out of date -
lose-lose scenario!


------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single
web console. Get in-depth insight into apps, servers, databases, vmware,
SAP, cloud infrastructure, etc. Download 30-day Free Trial.
Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov

> I just recalled that ''all'' can''t be qualified
with an ipset name (or
> anything else for that matter).
> 
> Patch attached.
> 
> With this patch:
> 
> - ''all'' places the rule in PREROUTING and in OUTPUT
> - ''all-'' places the rule in PREROUTING
> - ''$FW'' places the rule in OUTPUT
> - All of the above can be qualified with ipsets, addresses, etc.
The patch works, but there is one *massive* gotcha: 

if ipset is used (I assume that would be valid for any other IP address/subnet,
ports, protocol values specified there as well) then the rules generated do not
flip the src/dst designators around. For example:

conntrack
~~~~~~~~~
DROP all:+baddies-set

will generate 2 set of iptables statements all showing "baddies-set
src" and not, as what seems the more logical thing, create
"baddies-set src" for PREROUTING and "baddies-set dst" for
OUTPUT, which may not be the initial intention. I seem to remember you had a
similar arrangement with the dhcp option in "interfaces" as well as
"routestopped".

If I were you, I would either change the syntax and make it clearer (perhaps
specifying each chain with "O" for OUTPUT, "P" for
PREROUTING - similar to what you now have in "secmarks") or keep the
existing syntax but place a big, massive warning on the man page, because
mistakes such as this would be very easy to make - I know, because that is the
first thing I did when tested your patch.

------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single
web console. Get in-depth insight into apps, servers, databases, vmware,
SAP, cloud infrastructure, etc. Download 30-day Free Trial.
Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov

>> 2. If possible, could you include a SWITCH column (similar to what
>> you already have in "rules") so that this particular rule is
switched
>> on/off if/when desired.
>>
> 
> Will be in Beta 2.
OK, will have a look then.


------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single
web console. Get in-depth insight into apps, servers, databases, vmware,
SAP, cloud infrastructure, etc. Download 30-day Free Trial.
Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov

On 11/21/12 6:19 PM, "Mr Dash Four"
<mr.dash.four@googlemail.com> wrote:
>
>> I just recalled that ''all'' can''t be
qualified with an ipset name (or
>> anything else for that matter).
>> 
>> Patch attached.
>> 
>> With this patch:
>> 
>> - ''all'' places the rule in PREROUTING and in OUTPUT
>> - ''all-'' places the rule in PREROUTING
>> - ''$FW'' places the rule in OUTPUT
>> - All of the above can be qualified with ipsets, addresses, etc.
>The patch works, but there is one *massive* gotcha:
>
>if ipset is used (I assume that would be valid for any other IP
>address/subnet, ports, protocol values specified there as well) then the
>rules generated do not flip the src/dst designators around. For example:
>
>conntrack
>~~~~~~~~~
>DROP all:+baddies-set
>
>will generate 2 set of iptables statements all showing "baddies-set
src"
>and not, as what seems the more logical thing, create "baddies-set
src"
>for PREROUTING and "baddies-set dst" for OUTPUT, which may not be
the
>initial intention. I seem to remember you had a similar arrangement with
>the dhcp option in "interfaces" as well as
"routestopped".

You need two entries if you want to drop traffic to/from +baddies-set:

	DROP	all-:+baddies-set	-
	DROP	all			+baddies+set

So I don''t see anything broken here except that I need to add an
example
to the manages.

-Tom
You do not need a parachute to skydive. You only need a parachute to
skydive twice.





------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single
web console. Get in-depth insight into apps, servers, databases, vmware,
SAP, cloud infrastructure, etc. Download 30-day Free Trial.
Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov

On 11/21/2012 06:19 PM, Mr Dash Four wrote:
> It works. You may change the "ERROR: Invalid AUDIT type (XXXXX)"
> message to indicate what type of audit is acceptable
> (accept|reject|drop), but that''s a minor thing.
Done.
> Also, personally, I''d prefer this to be "AUDIT" instead
of "Audit"
> for consistency with LOG/NFLOG, but these are semantics really.
You caught me being lazy :) I implemented the feature as an external 
action rather than as a compiler built-in; that required that the name 
be distinct from the Netfilter built-in targets.

The attached patch implements a built-in named AUDIT.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________


------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single
web console. Get in-depth insight into apps, servers, databases, vmware,
SAP, cloud infrastructure, etc. Download 30-day Free Trial.
Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov

>> The patch works, but there is one *massive* gotcha:
>>
>> if ipset is used (I assume that would be valid for any other IP
>> address/subnet, ports, protocol values specified there as well) then
the
>> rules generated do not flip the src/dst designators around. For
example:
>>
>> conntrack
>> ~~~~~~~~~
>> DROP all:+baddies-set
>>
>> will generate 2 set of iptables statements all showing
"baddies-set src"
>> and not, as what seems the more logical thing, create "baddies-set
src"
>> for PREROUTING and "baddies-set dst" for OUTPUT, which may
not be the
>> initial intention. I seem to remember you had a similar arrangement
with
>> the dhcp option in "interfaces" as well as
"routestopped".
> 
> 
> You need two entries if you want to drop traffic to/from +baddies-set:
> 
> 	DROP	all-:+baddies-set	-
> 	DROP	all			+baddies+set
> 
> So I don''t see anything broken here except that I need to add an
example
> to the manages.
I didn''t say that it was, because it isn''t. 

What I did point out to you is that the use of "all" in particular is
not as straight-forward as it seems, simply because if source/destination
designators are used (either in ipsets, IP addresses or ports) that would be
applied in *both* directions in the connection *without* flipping them around.
In other words, if I use "all:+baddies-set" (assuming this is
one-dimensional set) that would mean match on a source designation
(''src'' match) in *both* directions of a particular connection
which in 99% of the cases out there wouldn''t be desired.

The use of "all-" is not intuitive, unless you can show me how does
that relate to the PREROUTING chain? Same goes for "$FW" too. That is
why I suggested to you that you either allow the OUTPUT and PREROUTING chains to
be explicitly selected - via "O" or "P", or any other,
appropriate/suitable/more intuitive options ("all-", "$FW"
doesn''t count), in order to avoid this confusion.

Case in point of what I''ve just written - your example above. 

If I find it confusing, and it looks as though the use of "all" and
"all-" is confusing you too (or, at least it isn''t as
straight-forward to you, to the point that you can make an easy mistake and cock
everything up as you did above), than how do you think other,
less-knowledgeable, shall we say, shorewall users will find this?

------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single
web console. Get in-depth insight into apps, servers, databases, vmware,
SAP, cloud infrastructure, etc. Download 30-day Free Trial.
Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov

> The attached patch implements a built-in named AUDIT.
It does its job.

------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single
web console. Get in-depth insight into apps, servers, databases, vmware,
SAP, cloud infrastructure, etc. Download 30-day Free Trial.
Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov

On 11/22/12 4:06 PM, "Mr Dash Four"
<mr.dash.four@googlemail.com> wrote:
>>> The patch works, but there is one *massive* gotcha:
>>>
>>> if ipset is used (I assume that would be valid for any other IP
>>> address/subnet, ports, protocol values specified there as well)
then
>>>the
>>> rules generated do not flip the src/dst designators around. For
>>>example:
>>>
>>> conntrack
>>> ~~~~~~~~~
>>> DROP all:+baddies-set
>>>
>>> will generate 2 set of iptables statements all showing
"baddies-set
>>>src"
>>> and not, as what seems the more logical thing, create
"baddies-set src"
>>> for PREROUTING and "baddies-set dst" for OUTPUT, which
may not be the
>>> initial intention. I seem to remember you had a similar arrangement
>>>with
>>> the dhcp option in "interfaces" as well as
"routestopped".
>> 
>> 
>> You need two entries if you want to drop traffic to/from +baddies-set:
>> 
>> 	DROP	all-:+baddies-set	-
>> 	DROP	all			+baddies+set
>> 
>> So I don''t see anything broken here except that I need to add
an example
>> to the manages.
>I didn''t say that it was, because it isn''t.
>
>What I did point out to you is that the use of "all" in particular
is not
>as straight-forward as it seems, simply because if source/destination
>designators are used (either in ipsets, IP addresses or ports) that would
>be applied in *both* directions in the connection *without* flipping them
>around. In other words, if I use "all:+baddies-set" (assuming this
is
>one-dimensional set) that would mean match on a source designation
(''src''
>match) in *both* directions of a particular connection which in 99% of
>the cases out there wouldn''t be desired.
>
>The use of "all-" is not intuitive, unless you can show me how
does that
>relate to the PREROUTING chain? Same goes for "$FW" too. That is
why I
>suggested to you that you either allow the OUTPUT and PREROUTING chains
>to be explicitly selected - via "O" or "P", or any
other,
>appropriate/suitable/more intuitive options ("all-",
"$FW" doesn''t
>count), in order to avoid this confusion.
The use of ''all'' and ''all-'' is
well-established in the rules file where
zones must be specified. What I could do is invent a FORMAT 3 which does
not accept zones but rather uses a paradigm similar to what you are
advocating. I''m not going to mix the two, though.
>  
>
>Case in point of what I''ve just written - your example above.
>
>If I find it confusing, and it looks as though the use of "all"
and
>"all-" is confusing you too (or, at least it isn''t as
straight-forward to
>you, to the point that you can make an easy mistake and cock everything
>up as you did above), than how do you think other, less-knowledgeable,
>shall we say, shorewall users will find this
The above rules (correcting the obvious typo in the second line) generates
these Netfilter rules:

Shorewall 4.5.10-Beta2 RAW Table at gateway - Thu Nov 22 17:05:20 PST 2012

Counters reset Thu Nov 22 17:05:16 PST 2012

Chain PREROUTING (policy ACCEPT 56 packets, 6169 bytes)
 pkts bytes target     prot opt in     out     source    destination
  
    0    0     DROP   all   --  *  *   0.0.0.0/0            0.0.0.0/0
      match-set baddies-set src
    0    0     DROP   all   --  *  *   0.0.0.0/0            0.0.0.0/0
      match-set baddies-set dst

Chain OUTPUT (policy ACCEPT 30 packets, 3710 bytes)
 pkts bytes target     prot opt in     out     source    destination
  
    0    0     DROP   all   --  *      *   0.0.0.0/0            0.0.0.0/0
          match-set baddies-set dst
root@gateway:/etc/shorewall#

That is exactly what I intended. Packets entering from outside and
addressed either to or from members of the baddies-set are dropped.
Similarly, traffic originating from the firewall itself and addressed to
members of the set are DROPPED.


-Tom
You do not need a parachute to skydive. You only need a parachute to
skydive twice.





------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single
web console. Get in-depth insight into apps, servers, databases, vmware,
SAP, cloud infrastructure, etc. Download 30-day Free Trial.
Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov

On 11/22/12 5:19 PM, "Tom Eastep" <teastep@shorewall.net>
wrote:
>The use of ''all'' and ''all-'' is
well-established in the rules file where
>zones must be specified. What I could do is invent a FORMAT 3 which does
>not accept zones but rather uses a paradigm similar to what you are
>advocating. I''m not going to mix the two, though.
Patch attached. The ACTION can be suffixed as follows:

:O		Rule is placed in the OUTPUT chain
:OP or PO:	Rule is placed in the PREROUTING and OUTPUT chains.
:P		Rule is placed in the PREROUTING chain.

If the suffix is omitted, PREROUTING is assumed.

No zone is expected nor accepted in the SOURCE column.

-Tom
You do not need a parachute to skydive. You only need a parachute to
skydive twice.





------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single
web console. Get in-depth insight into apps, servers, databases, vmware,
SAP, cloud infrastructure, etc. Download 30-day Free Trial.
Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov

>> policy ~~~~~~ $FW net DROP:C_MACRO(info) info
>>
>> This time the message is "ERROR: Default Action Macros may not
have
>> parameters"
> 
> These will have to wait for Beta 2 -- at that point NFLOG() should work
> as you expect and you can specify ''DROP:C_MACRO(info)'' if
you want to
> make simple ''LOG'' rules log at the
''info'' level.
Was this missed from the Beta2 announcement or deliberately left out and not
implemented in this Beta? Further on this, the man shorewall-policy tells me
that the format of the POLICY column is:


POLICY -
{ACCEPT|DROP|REJECT|CONTINUE|QUEUE|NFQUEUE[(queuenumber)]|NONE}[:{default-action-or-macro|None}]
[...]
If the policy is neither CONTINUE nor NONE then the policy may be followed by
":" and one of the following:
            1. The word "None" or "none". This causes any
default action defined in shorewall.conf[2](5) to be omitted for this policy.
            2. The name of a macro. The rules in that macro will be applied
before the policy is enforced. This does not require USE_ACTIONS=Yes.

Should I assume from the above that I can''t use actions? If so,
"default-action-or-macro" should just be "default-macro"
instead. If that is not the case, then the format for including
custom-or-built-in actions needs to be defined. All that provided macros are
allowed.



------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single
web console. Get in-depth insight into apps, servers, databases, vmware,
SAP, cloud infrastructure, etc. Download 30-day Free Trial.
Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov

On 11/25/2012 05:00 AM, Mr Dash Four wrote:
>
>>> policy ~~~~~~ $FW net DROP:C_MACRO(info) info
>>>
>>> This time the message is "ERROR: Default Action Macros may not
have
>>> parameters"
>>
>> These will have to wait for Beta 2 -- at that point NFLOG() should work
>> as you expect and you can specify
''DROP:C_MACRO(info)'' if you want to
>> make simple ''LOG'' rules log at the
''info'' level.
> Was this missed from the Beta2 announcement or deliberately left out
> and not implemented in this Beta?
No -- it was implemented; I simply neglected to document it.
> Further on this, the man shorewall-policy tells me that the format of the
POLICY column is:
>
>
> POLICY -
{ACCEPT|DROP|REJECT|CONTINUE|QUEUE|NFQUEUE[(queuenumber)]|NONE}[:{default-action-or-macro|None}]
> [...]
> If the policy is neither CONTINUE nor NONE then the policy may be followed
by ":" and one of the following:
>              1. The word "None" or "none". This causes
any default action defined in shorewall.conf[2](5) to be omitted for this
policy.
>              2. The name of a macro. The rules in that macro will be
applied before the policy is enforced. This does not require USE_ACTIONS=Yes.
The list is incomplete; it should, of course, include an action. It 
should go on to say that both actions and macros may include parameters; 
in the case of a macro, the single parameter specifies the log level to 
be applied to all rules in the macro.

Given that specifying a log level affects all rules in the macro (except 
NFLOG and ULOG), I wouldn''t recommend specifying a log level.
>
> Should I assume from the above that I can''t use actions?
Actions are still allowed.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single
web console. Get in-depth insight into apps, servers, databases, vmware,
SAP, cloud infrastructure, etc. Download 30-day Free Trial.
Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov

On 11/25/2012 09:02 AM, Tom Eastep wrote:
> On 11/25/2012 05:00 AM, Mr Dash Four wrote:
>
> Given that specifying a log level affects all rules in the macro (except
> NFLOG and ULOG), I wouldn''t recommend specifying a log level.
>
It would be trivial to restrict the affect of a log level to just bare 
''LOG'' rules when a macro is used as a default action. If no
one objects,
I''ll go ahead and make that change.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single
web console. Get in-depth insight into apps, servers, databases, vmware,
SAP, cloud infrastructure, etc. Download 30-day Free Trial.
Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov

On 11/25/2012 09:37 AM, Tom Eastep wrote:
> On 11/25/2012 09:02 AM, Tom Eastep wrote:
>> On 11/25/2012 05:00 AM, Mr Dash Four wrote:
>>
>> Given that specifying a log level affects all rules in the macro
(except
>> NFLOG and ULOG), I wouldn''t recommend specifying a log level.
>>
>
> It would be trivial to restrict the affect of a log level to just bare
> ''LOG'' rules when a macro is used as a default action. If
no one objects,
> I''ll go ahead and make that change.
In testing this change, I''m finding that specifying
''macro.Name'' isn''t
working correctly. So for now, macros specified as a default action must 
not have names that conflict with the name of an action.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single
web console. Get in-depth insight into apps, servers, databases, vmware,
SAP, cloud infrastructure, etc. Download 30-day Free Trial.
Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov

On 11/25/2012 10:05 AM, Tom Eastep wrote:
> On 11/25/2012 09:37 AM, Tom Eastep wrote:
>> On 11/25/2012 09:02 AM, Tom Eastep wrote:
>>> On 11/25/2012 05:00 AM, Mr Dash Four wrote:
>>>
>>> Given that specifying a log level affects all rules in the macro
(except
>>> NFLOG and ULOG), I wouldn''t recommend specifying a log
level.
>>>
>>
>> It would be trivial to restrict the affect of a log level to just bare
>> ''LOG'' rules when a macro is used as a default action.
If no one objects,
>> I''ll go ahead and make that change.
>
> In testing this change, I''m finding that specifying
''macro.Name'' isn''t
> working correctly. So for now, macros specified as a default action must
> not have names that conflict with the name of an action.
Attached are two patches.

DEFAULTMACRO1.patch corrects handling of ''macro.Name''.
DEFAULTMACRO2.patch limits the application of log levels to bare LOG rules.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single
web console. Get in-depth insight into apps, servers, databases, vmware,
SAP, cloud infrastructure, etc. Download 30-day Free Trial.
Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov

> No -- it was implemented; I simply neglected to document it.
Indeed. It works, though I have another question regarding macros: since these
are included in the chain ''inline'' so to speak, is it possible
for a macro to get the name of the chain in which this particular macro is going
to be ''inlined''?

If that is possible, this would have a good practical use in the SWITCH column
of that macro (which is, indeed, implemented) so that I could, for example, use
"${chain)_macro_switch" in the SWITCH column. Related to that
question, in case what I''ve just suggested is not possible: can I pass
more than 1 parameter to a macro?
> Actions are still allowed.
Yep, that one works too.


------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single
web console. Get in-depth insight into apps, servers, databases, vmware,
SAP, cloud infrastructure, etc. Download 30-day Free Trial.
Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov

>>>> Given that specifying a log level affects all rules in the
macro
>>>> (except
>>>> NFLOG and ULOG), I wouldn''t recommend specifying a log
level.
>>>>
>>>
>>> It would be trivial to restrict the affect of a log level to just
bare
>>> ''LOG'' rules when a macro is used as a default
action. If no one objects,
>>> I''ll go ahead and make that change.
>>
>> In testing this change, I''m finding that specifying
''macro.Name'' isn''t
>> working correctly. So for now, macros specified as a default action
must
>> not have names that conflict with the name of an action.
> 
> Attached are two patches.
> 
> DEFAULTMACRO1.patch corrects handling of ''macro.Name''.
> DEFAULTMACRO2.patch limits the application of log levels to bare LOG rules.
I am not sure I understand what you are concerned about and what the problem
is/was: according to your own macros help page
(http://www.shorewall.net/Macros.html - not a dead link this time), if I specify
a log level when executing a macro, this propagates to all statements within
that macro where log level isn''t specified.

I can''t see a problem with that - if I wish to explicitly use a log
level for a particular action in a given macro, which is different from the one
specified when the macro is executed, then all I have to do is add it as part of
that action, i.e.:

C_MACRO
~~~~~~~
LOG
AUDIT(drop)
NFLOG(1,0,1):debug
NFLOG(2,0,1)

So, when I execute "C_MACRO:info", this translates to:

LOG:info
AUDIT(drop):info
NFLOG(1,0,1):debug # unchanged
NFLOG(2,0,1):info

Isn''t that so? 

------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single
web console. Get in-depth insight into apps, servers, databases, vmware,
SAP, cloud infrastructure, etc. Download 30-day Free Trial.
Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov

On 11/25/2012 07:08 PM, Mr Dash Four wrote:
>
>>>>> Given that specifying a log level affects all rules in the
macro
>>>>> (except
>>>>> NFLOG and ULOG), I wouldn''t recommend specifying a
log level.
>>>>>
>>>>
>>>> It would be trivial to restrict the affect of a log level to
just bare
>>>> ''LOG'' rules when a macro is used as a default
action. If no one objects,
>>>> I''ll go ahead and make that change.
>>>
>>> In testing this change, I''m finding that specifying
''macro.Name'' isn''t
>>> working correctly. So for now, macros specified as a default action
must
>>> not have names that conflict with the name of an action.
>>
>> Attached are two patches.
>>
>> DEFAULTMACRO1.patch corrects handling of
''macro.Name''.
>> DEFAULTMACRO2.patch limits the application of log levels to bare LOG
rules.
> I am not sure I understand what you are concerned about and what the
problem is/was: according to your own macros help page
(http://www.shorewall.net/Macros.html - not a dead link this time), if I specify
a log level when executing a macro, this propagates to all statements within
that macro where log level isn''t specified.
>
> I can''t see a problem with that - if I wish to explicitly use a
log level for a particular action in a given macro, which is different from the
one specified when the macro is executed, then all I have to do is add it as
part of that action, i.e.:
>
> C_MACRO
> ~~~~~~~
> LOG
> AUDIT(drop)
> NFLOG(1,0,1):debug
That isn''t valid. ''debug'' only applies to the LOG
target, not the NFLOG
target. So the macro handler already excludes NFLOG from the targets 
that inherit a level from the macro invocation.
> NFLOG(2,0,1)
>
> So, when I execute "C_MACRO:info", this translates to:
>
> LOG:info
> AUDIT(drop):info
> NFLOG(1,0,1):debug # unchanged
> NFLOG(2,0,1):info
>
> Isn''t that so?
True. But I''m not sure that is the desired behavior in the context of a
default action. Default actions were created primarily to suppress 
unwanted log noise, not to amplify it.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single
web console. Get in-depth insight into apps, servers, databases, vmware,
SAP, cloud infrastructure, etc. Download 30-day Free Trial.
Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov

>> C_MACRO
>> ~~~~~~~
>> LOG
>> AUDIT(drop)
>> NFLOG(1,0,1):debug
>>     
>
> That isn''t valid. ''debug'' only applies to the
LOG target, not the NFLOG
> target. So the macro handler already excludes NFLOG from the targets 
> that inherit a level from the macro invocation.
>   
Yeah, I agree - bad example, but you get the gist of it.
> True. But I''m not sure that is the desired behavior in the context
of a
> default action. Default actions were created primarily to suppress 
> unwanted log noise, not to amplify it.
>   
Why do you have to make a distinction between "default" action/macros 
and user-defined ones in the context of logging levels? My thinking, as 
indicated in the previous post, is that if user wants to pass a log 
level down to all log statements in that macro - they should be able to, 
let them.

------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single
web console. Get in-depth insight into apps, servers, databases, vmware,
SAP, cloud infrastructure, etc. Download 30-day Free Trial.
Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov

On 11/25/2012 07:08 PM, Mr Dash Four wrote:
>> No -- it was implemented; I simply neglected to document it.
 >
> Indeed. It works, though I have another question regarding macros:
> since these are included in the chain ''inline'' so to
speak, is it
> possible for a macro to get the name of the chain in which this
> particular macro is going to be ''inlined''?
It would be possible but I don''t think that it is desirable. Such a 
scheme would prevent being able to use the same switch in multiple chains.
>
> If that is possible, this would have a good practical use in the
> SWITCH column of that macro (which is, indeed, implemented) so that I
> could, for example, use "${chain)_macro_switch" in the SWITCH
column.
Again, I''m not in favor of that approach.
> Related to that question, in case what I''ve just suggested is not
> possible: can I pass more than 1 parameter to a macro?
>
It is not currently possible but it is something that I would like to do 
and it would be my preferred approach to providing the capability that 
you are looking for.

If I can get it implemented in the next week, I''ll include it in
4.5.10;
otherwise, it will have to wait for 4.5.11.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single
web console. Get in-depth insight into apps, servers, databases, vmware,
SAP, cloud infrastructure, etc. Download 30-day Free Trial.
Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov

On 11/26/2012 07:17 AM, Tom Eastep wrote:
> On 11/25/2012 07:08 PM, Mr Dash Four wrote:
>
>> Related to that question, in case what I''ve just suggested is
not
>> possible: can I pass more than 1 parameter to a macro?
>>
>
> It is not currently possible but it is something that I would like to do
> and it would be my preferred approach to providing the capability that
> you are looking for.
>
> If I can get it implemented in the next week, I''ll include it in
4.5.10;
> otherwise, it will have to wait for 4.5.11.
This capability will be in Beta 3.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single
web console. Get in-depth insight into apps, servers, databases, vmware,
SAP, cloud infrastructure, etc. Download 30-day Free Trial.
Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov

>> Indeed. It works, though I have another question regarding macros:
>> since these are included in the chain ''inline'' so to
speak, is it
>> possible for a macro to get the name of the chain in which this
>> particular macro is going to be ''inlined''?
>>     
>
> It would be possible but I don''t think that it is desirable.
Eh? Who decides what is "desirable" and what isn''t?

If I, as end-user, wish to create a macro, which has different switches 
for different chains (so that I switch them "on" and "off"
if and when I
well so please), I could do so, like:

M_DROP
~~~~~~~
LOG
NFLOG(1,0,1) - .... ${chain}_nflog_drop

When the macro is processed, the "${chain}_nflog_drop" switch would be
translated to "fw2net_nflog_drop", "net2fw_nflog_drop" and
so on, and so
forth - different switches for different chains, obviously, and I could 
selectively turn them "on" and "off" when I damn well
please, regardless
of whether this is "desirable" or not, simply because it will be my 
decision, as an administrator of my own firewall, to make.

If I need a macro which has the same switch for *all* chains regardless, 
I could easily use a hard-coded value for the SWITCH column, like so:

M_ALL_DROP
~~~~~~~~~~~~
LOG
NFLOG(1,0,1) - .... nflog_all_drop

So, I don''t see what the issue is here - by allowing the use of this 
"${chain}" variable (this is just an example, you could use whatever 
name is more appropriate - you get the point), whoever creates custom 
macros can decide whether to use this variable in the SWITCH column to 
switch the set of macros selectively, whether to use a hard-coded value 
(like my 2nd example above) to switch all macros in one go, or whether 
not to deploy any switch at all. This should always be a decision for 
the end-user to make regardless.
>  Such a 
> scheme would prevent being able to use the same switch in multiple chains.
>   
How so? If I need a single switch for multiple chains I could use a 
hard-coded value for the SWITCH column (like in my 2nd example above) 
and that would be that.
> It is not currently possible but it is something that I would like to do 
> and it would be my preferred approach to providing the capability that 
> you are looking for.
>
> If I can get it implemented in the next week, I''ll include it in
4.5.10;
> otherwise, it will have to wait for 4.5.11.
>   
The way I see it, this particular feature (passing more than 1 parameter 
to a macro) goes more and more towards "inlined actions". In other 
words, actions, which are inlined in the chain they are specified.

You may wish to leave the current implementation of a "macro" as it is
and add a new type of action (call it inline action or whatever) and 
start afresh if that would be easier, instead of dragging the millstone 
of backward compatibility with you by sticking with the old "macro" 
definition. This, though, is a decision for you to make.

------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single
web console. Get in-depth insight into apps, servers, databases, vmware,
SAP, cloud infrastructure, etc. Download 30-day Free Trial.
Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov

On 11/26/2012 10:55 AM, Mr Dash Four wrote:
>
>>> Indeed. It works, though I have another question regarding macros:
>>> since these are included in the chain ''inline'' so
to speak, is it
>>> possible for a macro to get the name of the chain in which this
>>> particular macro is going to be ''inlined''?
>>>
>>
>> It would be possible but I don''t think that it is desirable.
> Eh? Who decides what is "desirable" and what isn''t?
>
> If I, as end-user, wish to create a macro, which has different switches
> for different chains (so that I switch them "on" and
"off" if and when I
> well so please), I could do so, like:
>
> M_DROP
> ~~~~~~~
> LOG
> NFLOG(1,0,1) - .... ${chain}_nflog_drop
>
>
...
> You may wish to leave the current implementation of a "macro" as
it is
> and add a new type of action (call it inline action or whatever) and
> start afresh if that would be easier, instead of dragging the millstone
> of backward compatibility with you by sticking with the old
"macro"
> definition. This, though, is a decision for you to make.
I misunderstood your original request; I thought that you were asking 
for the compiler to always qualify switch names by the chain name.

What you are proposing above doesn''t work in the general case, given
the
current compiler architecture. Currently, variable expansion takes place 
in the preprocessor which has no knowledge of chains, macros, etc. The 
chain isn''t known until the input line handed to it by the preprocessor
is parsed by rule processor.

Within the body of a macro or an action, however, the chain name is 
known. So if we limit the availability of $chain (or whatever we call 
it), to macro and action bodies, would that meet your needs?

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single
web console. Get in-depth insight into apps, servers, databases, vmware,
SAP, cloud infrastructure, etc. Download 30-day Free Trial.
Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov

On 11/26/2012 11:20 AM, Tom Eastep wrote:
> On 11/26/2012 10:55 AM, Mr Dash Four wrote:
>>
>>>> Indeed. It works, though I have another question regarding
macros:
>>>> since these are included in the chain
''inline'' so to speak, is it
>>>> possible for a macro to get the name of the chain in which this
>>>> particular macro is going to be ''inlined''?
>>>>
>>>
>>> It would be possible but I don''t think that it is
desirable.
>> Eh? Who decides what is "desirable" and what isn''t?
>>
>> If I, as end-user, wish to create a macro, which has different switches
>> for different chains (so that I switch them "on" and
"off" if and when I
>> well so please), I could do so, like:
>>
>> M_DROP
>> ~~~~~~~
>> LOG
>> NFLOG(1,0,1) - .... ${chain}_nflog_drop
>>
>>
> ...
>
>> You may wish to leave the current implementation of a "macro"
as it is
>> and add a new type of action (call it inline action or whatever) and
>> start afresh if that would be easier, instead of dragging the millstone
>> of backward compatibility with you by sticking with the old
"macro"
>> definition. This, though, is a decision for you to make.
>
> I misunderstood your original request; I thought that you were asking
> for the compiler to always qualify switch names by the chain name.
>
> What you are proposing above doesn''t work in the general case,
given the
> current compiler architecture. Currently, variable expansion takes place
> in the preprocessor which has no knowledge of chains, macros, etc. The
> chain isn''t known until the input line handed to it by the
preprocessor
> is parsed by rule processor.
>
> Within the body of a macro or an action, however, the chain name is
> known. So if we limit the availability of $chain (or whatever we call
> it), to macro and action bodies, would that meet your needs?
Actually, the chain name is only known within the body of an action or 
within a macro expansion occurring within the body of an action.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single
web console. Get in-depth insight into apps, servers, databases, vmware,
SAP, cloud infrastructure, etc. Download 30-day Free Trial.
Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov

On 11/26/2012 11:20 AM, Tom Eastep wrote:
>
> What you are proposing above doesn''t work in the general case,
given the
> current compiler architecture. Currently, variable expansion takes place
> in the preprocessor which has no knowledge of chains, macros, etc. The
> chain isn''t known until the input line handed to it by the
preprocessor
> is parsed by rule processor.
>
> Within the body of a macro or an action, however, the chain name is
> known. So if we limit the availability of $chain (or whatever we call
> it), to macro and action bodies, would that meet your needs?
>
Or how about a more focused solution whereby the character ''@''
in a
switch name would be replaced by the chain name?

Example:

	NFLOG(1,0,1) net	fw	; switch=@_foo

     would would be the equivalent of:

	NFLOG(1,0,1) net	fw	; switch=net2fw_foo

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single
web console. Get in-depth insight into apps, servers, databases, vmware,
SAP, cloud infrastructure, etc. Download 30-day Free Trial.
Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov

> Or how about a more focused solution whereby the character
''@'' in a
> switch name would be replaced by the chain name?
>
> Example:
>
> 	NFLOG(1,0,1) net	fw	; switch=@_foo
>
>      would would be the equivalent of:
>
> 	NFLOG(1,0,1) net	fw	; switch=net2fw_foo
>   
That is all excellent, though looking a bit into possible feature 
expansion/enhancement, where some (other) system/shorewall (internal) 
resource/variables could be made available to actions/macros in the 
future, you may need to use the "@" character to indicate a 
system/shorewall (internal) resource/variable, followed by its name. In 
our (the only one, at least for now) use-case, this could take the form 
of "@chain".

Possible gotcha, however, is in the case where system variable names and 
chain names could accidentally overlap, so to play it safe, you may want 
to use the "@chain@" syntax, or something more suitable (one other 
possible and very good alternative could be to borrow the bash syntax - 
"@{chain}").

To summarise: "@chain" (possible gotchas) and/or
"@chain@"/"@{chain}" as
alternatives to avoid overlaps.

Any further resources/variables you wish to make available in the future 
(one possible candidate I could think of right now could be the current 
log prefix, like "Shorewall:<chain>:<operation>" used in
an
action/macros) could easily be expanded to "@something", keeping the 
consistency. How''s that?


------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single
web console. Get in-depth insight into apps, servers, databases, vmware,
SAP, cloud infrastructure, etc. Download 30-day Free Trial.
Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov

> Actually, the chain name is only known within the body of an action or 
> within a macro expansion occurring within the body of an action.
>   
If I use that macro in "rules" or "policy" for example,
would the
statements in the body of that macro know that chain name? If not, then 
the way forward, I think, would be for "inline actions" as I suggested
in my previous post and keep the "old" macro format and implementation
as it is. Any other ideas?


------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single
web console. Get in-depth insight into apps, servers, databases, vmware,
SAP, cloud infrastructure, etc. Download 30-day Free Trial.
Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov

> I misunderstood your original request;
I thought as much.
> What you are proposing above doesn''t work in the general case,
given the
> current compiler architecture. Currently, variable expansion takes place 
> in the preprocessor which has no knowledge of chains, macros, etc. The 
> chain isn''t known until the input line handed to it by the
preprocessor
> is parsed by rule processor.
>
> Within the body of a macro or an action, however, the chain name is 
> known. So if we limit the availability of $chain (or whatever we call 
> it), to macro and action bodies, would that meet your needs?
>   
It would, and I actually think it would be much better. Given your next 
response, however, that might not be possible.

My gut feeling tells me that it would be better to keep the "old"
macros
the way they are and create a new "inline action" type where more than
1
parameter is allowed (addressed with "$1, $2 etc - the way actions are 
at present), making internal system/shorewall variable/resource 
available to that action in the way I suggested in my previous post.

I don''t know how doable/difficult this would be as my perl skills are 
close to nil and I don''t have enough knowledge of the internal
shorewall
workings to make that judgement - this is a decision you have to take 
though.


------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single
web console. Get in-depth insight into apps, servers, databases, vmware,
SAP, cloud infrastructure, etc. Download 30-day Free Trial.
Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov

On 11/26/12 3:46 PM, Mr Dash Four wrote:
> 
>> Or how about a more focused solution whereby the character
''@'' in a
>> switch name would be replaced by the chain name?
>>
>> Example:
>>
>> 	NFLOG(1,0,1) net	fw	; switch=@_foo
>>
>>      would would be the equivalent of:
>>
>> 	NFLOG(1,0,1) net	fw	; switch=net2fw_foo
>>   
> That is all excellent, though looking a bit into possible feature 
> expansion/enhancement, where some (other) system/shorewall (internal) 
> resource/variables could be made available to actions/macros in the 
> future, you may need to use the "@" character to indicate a 
> system/shorewall (internal) resource/variable, followed by its name. In 
> our (the only one, at least for now) use-case, this could take the form 
> of "@chain".
> 
> Possible gotcha, however, is in the case where system variable names and 
> chain names could accidentally overlap, so to play it safe, you may want 
> to use the "@chain@" syntax, or something more suitable (one
other
> possible and very good alternative could be to borrow the bash syntax - 
> "@{chain}").
> 
> To summarise: "@chain" (possible gotchas) and/or
"@chain@"/"@{chain}" as
> alternatives to avoid overlaps.
> 
> Any further resources/variables you wish to make available in the future 
> (one possible candidate I could think of right now could be the current 
> log prefix, like "Shorewall:<chain>:<operation>" used
in an
> action/macros) could easily be expanded to "@something", keeping
the
> consistency. How''s that?
Let''s start with the simple targeted solution for this release and I
will investigate something more elaborate for next release. It can be
made backward compatible if we adopt the shell @{...} syntax as the
enhanced form.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single
web console. Get in-depth insight into apps, servers, databases, vmware,
SAP, cloud infrastructure, etc. Download 30-day Free Trial.
Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov

On 11/26/12 3:46 PM, Mr Dash Four wrote:
> 
>> Actually, the chain name is only known within the body of an action or 
>> within a macro expansion occurring within the body of an action.
>>   
> If I use that macro in "rules" or "policy" for example,
would the
> statements in the body of that macro know that chain name? If not, then 
> the way forward, I think, would be for "inline actions" as I
suggested
> in my previous post and keep the "old" macro format and
implementation
> as it is. Any other ideas?
When you first asked for something inline (like a macro) as a default
action, I took short look at inline actions. Using a macro was cheaper a
more foolproof to implement so I chose that approach. I personally think
that inline actions are an interesting and useful idea and would like to
pursue them in the next release.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single
web console. Get in-depth insight into apps, servers, databases, vmware,
SAP, cloud infrastructure, etc. Download 30-day Free Trial.
Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov

On 11/26/12 3:46 PM, Mr Dash Four wrote:
> 
>> I misunderstood your original request;
> I thought as much.
> 
>> What you are proposing above doesn''t work in the general case,
given the
>> current compiler architecture. Currently, variable expansion takes
place
>> in the preprocessor which has no knowledge of chains, macros, etc. The 
>> chain isn''t known until the input line handed to it by the
preprocessor
>> is parsed by rule processor.
>>
>> Within the body of a macro or an action, however, the chain name is 
>> known. So if we limit the availability of $chain (or whatever we call 
>> it), to macro and action bodies, would that meet your needs?
>>   
> It would, and I actually think it would be much better. Given your next 
> response, however, that might not be possible.
> 
> My gut feeling tells me that it would be better to keep the "old"
macros
> the way they are and create a new "inline action" type where more
than 1
> parameter is allowed (addressed with "$1, $2 etc - the way actions are
> at present), making internal system/shorewall variable/resource 
> available to that action in the way I suggested in my previous post.
> 
> I don''t know how doable/difficult this would be as my perl skills
are
> close to nil and I don''t have enough knowledge of the internal
shorewall
> workings to make that judgement - this is a decision you have to take 
> though.
I''ll work on the inline action idea for the next release.

Regards,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single
web console. Get in-depth insight into apps, servers, databases, vmware,
SAP, cloud infrastructure, etc. Download 30-day Free Trial.
Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov

> Let''s start with the simple targeted solution for this release and
I
> will investigate something more elaborate for next release. It can be
> made backward compatible if we adopt the shell @{...} syntax as the
> enhanced form.
>   
Good enough, I think, though I am not certain if you adopt a single
"@"
character now to mean "${chain}" (in bash speak), how are you going to
expand this later on to, say, "@{something}" - this won''t be
backwards
compatible at all?


------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single
web console. Get in-depth insight into apps, servers, databases, vmware,
SAP, cloud infrastructure, etc. Download 30-day Free Trial.
Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov

> When you first asked for something inline (like a macro) as a default
> action, I took short look at inline actions. Using a macro was cheaper a
> more foolproof to implement so I chose that approach. I personally think
> that inline actions are an interesting and useful idea and would like to
> pursue them in the next release.
>   
OK, so to provide the chain name in a body of a macro is doable then, I 
take it?


------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single
web console. Get in-depth insight into apps, servers, databases, vmware,
SAP, cloud infrastructure, etc. Download 30-day Free Trial.
Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov

On 11/26/12 5:15 PM, Mr Dash Four wrote:
> 
>> Let''s start with the simple targeted solution for this release
and I
>> will investigate something more elaborate for next release. It can be
>> made backward compatible if we adopt the shell @{...} syntax as the
>> enhanced form.
>>   
> Good enough, I think, though I am not certain if you adopt a single
"@"
> character now to mean "${chain}" (in bash speak), how are you
going to
> expand this later on to, say, "@{something}" - this
won''t be backwards
> compatible at all?
I will expand @{....} first; then any leftover ''@'' characters
will be
expanded to ${chain}.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single
web console. Get in-depth insight into apps, servers, databases, vmware,
SAP, cloud infrastructure, etc. Download 30-day Free Trial.
Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov

On 11/26/12 5:15 PM, Mr Dash Four wrote:
> 
>> When you first asked for something inline (like a macro) as a default
>> action, I took short look at inline actions. Using a macro was cheaper
a
>> more foolproof to implement so I chose that approach. I personally
think
>> that inline actions are an interesting and useful idea and would like
to
>> pursue them in the next release.
>>   
> OK, so to provide the chain name in a body of a macro is doable then, I 
> take it?

Yes.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single
web console. Get in-depth insight into apps, servers, databases, vmware,
SAP, cloud infrastructure, etc. Download 30-day Free Trial.
Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov

> I will expand @{....} first; then any leftover ''@''
characters will be
> expanded to ${chain}.
>   
Right, got it, makes sense.

One other query, this time regarding switches: the man page says that a 
switch is "on" when its corresponding value in /proc/net/nf_condition
is
1. You also have an inversion, so that when something like 
"!switch_name" is specified, then the switch is "on" when
the value is 0
and "off" when that value is 1 (the opposite of the "normal"
behaviour).

So, if I want a particular switch to be "on" from the start I have, 
basically, two options: issue "echo 1 > 
/proc/net_nf_condition/switch_name" in "init", "start"
or "started", or,
use inversion with "!switch_name".

Both of these options are not ideal: with the first option I have to 
keep track of which option needs to be activated/deactivated, while for 
the second option, I also need to keep track of what has been inverted. 
That might be OK for a small number of switches, but when I have a 
sizeable number of them, this might become more difficult to remember 
and maintain.

What I am getting at is this: would it be possible to have something 
like "switch_name=1" (you may substitute "1" with
"Yes", "True" or
"TRUE" if it is easier to process) to indicate the initial value which
should be assumed for that switch when shorewall starts?

------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single
web console. Get in-depth insight into apps, servers, databases, vmware,
SAP, cloud infrastructure, etc. Download 30-day Free Trial.
Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov

On 11/27/2012 06:31 AM, Mr Dash Four wrote:
>
> What I am getting at is this: would it be possible to have something
> like "switch_name=1" (you may substitute "1" with
"Yes", "True" or
> "TRUE" if it is easier to process) to indicate the initial value
which
> should be assumed for that switch when shorewall starts?
I assume that:

1) Only the ''start'' command initializes the switches; other
commands
    leave them as they are?

2) If the same switch is initialized to different values in different 	
    rules, then an error message is to be generated?

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Keep yourself connected to Go Parallel: 
DESIGN Expert tips on starting your parallel project right.
http://goparallel.sourceforge.net

> 1) Only the ''start'' command initializes the switches;
other commands
>     leave them as they are?
>   
Yep, simply because switches, once initialised, are persistent 
regardless of the state of shorewall, so it would only make sense to 
initialise them:  1. within "init" inside ''if [
"$COMMAND" = start ];
then''; or 2. within "start" or "started" inside
"if [ ! -f
"/proc/net/nf_condition/switch_name" ]; then".
> 2) If the same switch is initialized to different values in different 	
>     rules, then an error message is to be generated?
>   
Hmm, haven''t thought of that - makes sense, not just for
"rules", but
for various other places where SWITCH column could be used (in the man 
page describing this functionality you could point out that the initial 
value could be set in "params", so that this sort of error could be 
avoided).


------------------------------------------------------------------------------
Keep yourself connected to Go Parallel: 
DESIGN Expert tips on starting your parallel project right.
http://goparallel.sourceforge.net

On 11/27/2012 03:00 PM, Mr Dash Four wrote:
> 
>> 1) Only the ''start'' command initializes the switches;
other commands
>>     leave them as they are?
>>   
> Yep, simply because switches, once initialised, are persistent 
> regardless of the state of shorewall, so it would only make sense to 
> initialise them:  1. within "init" inside ''if [
"$COMMAND" = start ];
> then''; or 2. within "start" or "started"
inside "if [ ! -f
> "/proc/net/nf_condition/switch_name" ]; then".
''init'' won''t work because the switches don''t
yet exist before initial
''start''.
> 
>> 2) If the same switch is initialized to different values in different 	
>>     rules, then an error message is to be generated?
>>   
> Hmm, haven''t thought of that - makes sense, not just for
"rules", but
> for various other places where SWITCH column could be used (in the man 
> page describing this functionality you could point out that the initial 
> value could be set in "params", so that this sort of error could
be
> avoided).
But then you have to make an entry in "params" for each switch; might
as
well make it in ''started''.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Keep yourself connected to Go Parallel: 
DESIGN Expert tips on starting your parallel project right.
http://goparallel.sourceforge.net

> ''init'' won''t work because the switches
don''t yet exist before initial
> ''start''.
>   
Ah, right!
> But then you have to make an entry in "params" for each switch;
might as
> well make it in ''started''.
>   
Not necessarily. I could have a parameter called 
"essential_logging_group=1" and use that for all switches I wish to 
include in that group (bearing in mind my previous LOG/NFLOG action 
examples) - it is not 100% fool-proof, but it is a bit more consistent 
than simply using 0/1, at least in my case.


------------------------------------------------------------------------------
Keep yourself connected to Go Parallel: 
DESIGN Expert tips on starting your parallel project right.
http://goparallel.sourceforge.net

On 11/27/2012 06:31 AM, Mr Dash Four wrote:
>
>> I will expand @{....} first; then any leftover ''@''
characters will be
>> expanded to ${chain}.
>>
Given that $0 (and ${0}) expand to the chain name in macros and actions, 
it seems reasonable to adopt @{0} rather than simply ''@''. Beta
3
implements the simple ''@'' replacement (not documented in the
release
notes) but I think I''ll change it if there are no objections.

Patch attached.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________


------------------------------------------------------------------------------
Keep yourself connected to Go Parallel: 
VERIFY Test and improve your parallel project with help from experts 
and peers. http://goparallel.sourceforge.net

> Given that $0 (and ${0}) expand to the chain name in macros and 
> actions, it seems reasonable to adopt @{0} rather than simply
''@''.
> Beta 3 implements the simple ''@'' replacement (not
documented in the
> release notes) but I think I''ll change it if there are no
objections.
I don''t see the need for using ''@'' or
''@{0}'' - at least for the time
being until you introduce more ''system'' variables in addition
to the
chain name. If you wish to adopt ''@{X}'' for action parameters
(instead
of, or in addition to, the current ''$X'' or
''${X}'') then that''s fine,
but, for the time being at least, I don''t see the need for this. My two
pence, of course.


------------------------------------------------------------------------------
Keep yourself connected to Go Parallel: 
VERIFY Test and improve your parallel project with help from experts 
and peers. http://goparallel.sourceforge.net