Beta 2 is now available for testing.

Problems Corrected since Beta 1:

1) References to the obsolete USE_ACTIONS option have been removed from the manpages.

2) NFLOG has been documented for some time as a valid ACTION in the rules files but support for that action was never implemented until this release.

3) The Checksum Target capability detection in the rules compiler was broken with the result that the presence of the capability was not detected.

4) If an interface named in the INTERFACE column was not defined in tcdevices and if the REDIRECTED column for that entry was non-empty, then compile-time Perl diagnostics were generated and an invalid firewall script was generated.

5) When LOAD_HELPERS_ONLY=No, the 'compile' command previously left behind a temporary chain in the raw table.

6) Under very rare circumstances involving exclusion in multiple Netfilter tables, optimization level 8 could result in start/restart failure or jumps to the wrong exclusion chain.

7) 4.5.9.2 broke multi-ISP on RHEL5-based systems. This release includes a patch from Tuomo Soini that corrects the problem.

8) The 'debug' keyword is no longer ignored by the 'try', 'stop' and 'clear' command executors.

9) Using the 'NOTRACK' action in the stoppedrules file was previously broken when $FW was specified in the SOURCE column. In such cases, the generated rule was being placed incorrectly in the filter table rather than in the raw table which resulted in a failure of the 'stop' and 'clear' commands.

New Features added since Beta 1:

1) The /etc/shorewall/secmarks and /etc/shorewall6/secmarks files now support the UNTRACKED state. See the manpages for details.

2) The /etc/shorewall/conntrack and /etc/shorewall6/conntrack files now support a DROP target.

   As part of this change, the handling of 'all' has been improved in these files. When 'all' is specified in the SOURCE column, the resulting rule is added directly to the PREROUTING and OUTPUT chains. Additionally, 'all' may be qualified with network/host addresses, ipsets, etc. Rules specifying $FW in the SOURCE column are added directly to the OUTPUT chain.

   It is now possible to specify 'all-' in the SOURCE column which causes the rule to be added directly in the PREROUTING chain.

   A consequence of this change is that 'all', 'all-' and '$FW' rules will be processed after rules naming a specific zone.

3) A SWITCH column has been added to the /etc/shorewall/conntrack and /etc/shorewall/conntrack6 files.

4) An AUDIT action has been added to the /etc/shorewall/rules and /etc/shorewall6/rules.

5) The audited targets (A_ACCEPT, A_DROP, etc.) are now supported in /etc/shorewall6/rules.

6) An additional format (3) has been added to the conntrack files. In this format, zone names are not used in the SOURCE column; rather, a suffix in the ACTION column determines which raw-table chain the generated Netfilter rule will be placed in. See the manpages for details.

Thank you for testing,
-Tom

--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single web console. Get in-depth insight into apps, servers, databases, vmware, SAP, cloud infrastructure, etc. Download 30-day Free Trial. Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov

Quite a meaty release this...

> 1) The /etc/shorewall/secmarks and /etc/shorewall6/secmarks files now
> support the UNTRACKED state. See the manpages for details.

From the man page: "CHAIN:STATE (chain) - {P|I|F|O|T}[:{N|I|U|NI|NU|NIU|NUI:E|ER}]". Could you add IU (or UI, if you prefer) state as well?

> 2) NFLOG has been documented for some time as a valid ACTION in the
> rules files but support for that action was never implemented
> until this release.

Works perfectly.

> 2) The /etc/shorewall/conntrack and /etc/shorewall6/conntrack files
> now support a DROP target.
>
> As part of this change, the handling of 'all' has been improved in
> these files. When 'all' is specified in the SOURCE column, the
> resulting rule is added directly to the PREROUTING and OUTPUT
> chains. Additionally, 'all' may be qualified with network/host
> addresses, ipsets, etc. Rules specifying $FW in the SOURCE column
> are added directly to the OUTPUT chain.
>
> It is now possible to specify 'all-' in the SOURCE column which
> causes the rule to be added directly in the PREROUTING chain.
>
> A consequence of this change is that 'all', 'all-' and '$FW' rules
> will be processed after rules naming a specific zone.

> 3) A SWITCH column has been added to the /etc/shorewall/conntrack and
> /etc/shorewall/conntrack6 files.

I am unable to test this properly (see below).

> 4) An AUDIT action has been added to the /etc/shorewall/rules and
> /etc/shorewall6/rules.

rules
~~~~~
AUDIT(drop)

Gives me "ERROR: The AUDIT TARGET does not accept a parameter". Same goes if that is used in a macro.

> 6) An additional format (3) has been added to the conntrack files. In
> this format, zone names are not used in the SOURCE column; rather,
> a suffix in the ACTION column determines which raw-table chain the
> generated Netfilter rule will be placed in. See the manpages for
> details.

Quite a lot of issues here:

1. http://www.shorewall.net/manpages/shorewall-conntrack.html is a dead link (Shorewall -> Documentation -> IPv4 man pages -> conntrack)

2. From the man pages for conntrack:

ACTION - {NOTRACK|CT:helper:name[(arg=val[,...])|CT:notrack}[:chain-designator]
This column is only present when FORMAT = 2. Values other than NOTRACK or DROP require CT Target support in your iptables and kernel.
* NOTRACK or CT:notrack
Disables connection tracking for this packet.

* DROP
Added in Shorewall 4.5.10. Silently discard the packet.
[...]
Beginning with Shorewall 4.5.10, when FORMAT = 3, this column can end with a colon followed by a chain-designator. The chain-designator can be one of the following:
P The rule is added to the raw table PREROUTING chain. This is the default if no chain-designator is present.
O The rule is added to the raw table OUTPUT chain.
PO or OP The rule is added to the raw table PREROUTING and OUTPUT chains.

OK, so I assume that if FORMAT=3, ACTION column should NOT be present, right? If so, how do I use DROP or any other actions then?

3. "DROP" is not included as being allowed in the ACTION column in the ACTION format specified in that man page (assuming that it is and the correct format is "{DROP|NOTRACK|CT:helper:name[(arg=val[,...])|CT:notrack}[:chain-designator]").

4. Moving on, and ignoring the above "FORMAT=2 only" text in the man page and also assuming that the correct format for "FORMAT 3" is to include the ACTION column with the format I specified in 3 above, including the "DROP" action:

conntrack
~~~~~~~~~
DROP:O :+baddies-set[dst]

Gives me "ERROR: Invalid notrack ACTION ( DROP:O )"

5. FORMAT 3 itself:

From the man page (conntrack):

[...]
in FORMAT 3, the SOURCE column accepts no zone name; rather the ACTION column allows a SUFFIX that determines the chain(s) that the generated rule will be added to."
[...]
SOURCE (formats 1 and 2) - {zone[:interface][:address-list]|COMMENT}
[...]
SOURCE (formats 3) - {-|[:interface][:address-list}

Why can't you get rid of the ":chain-designator" from ACTION (FORMAT 3) and have the following in SOURCE instead:

{{zone|:chain-designator}[:interface][:address-list]|COMMENT}

Note the preceding ":" for the chain-designator - this could be any "special" character (not allowed to be used in zone definitions), enabling you to make a distinction between a zone name and the start of the "chain-designator". That way, I could use something like the following for SOURCE, without involving any other columns, to specify the chain I wish to use:

1. :P:eth0:+baddies-set[src]
2. all-:eth0:+baddies-set[src]
3. :PO:eth0:10.0.0.0/8
4. all:eth0:10.0.0.0/8
5. COMMENT whatever

Why involve another column (ACTION) where the destination chain is to be determined when you can have everything in one place (the SOURCE column in this case)?

Finally - a suggestion (new feature): would it be possible to add a SWITCH column to actions/macros?

On 11/25/2012 05:00 AM, Mr Dash Four wrote:

> rules
> ~~~~~
> AUDIT(drop)
>
> Gives me "ERROR: The AUDIT TARGET does not accept a parameter". Same goes if that is used in a macro.

Damn -- added an optimization and neglected to re-test. Patch attached.

-Tom

On 11/25/2012 05:00 AM, Mr Dash Four wrote:
>
> Quite a meaty release this...
>
>> 1) The /etc/shorewall/secmarks and /etc/shorewall6/secmarks files now
>> support the UNTRACKED state. See the manpages for details.
>
> From the man page: "CHAIN:STATE (chain) - {P|I|F|O|T}[:{N|I|U|NI|NU|NIU|NUI:E|ER}]". Could you add IU (or UI, if you prefer) state as well?

Done -- it is commit dbfc8057077950a909d27a5ce1b00f802730a1ff.

>
>> 6) An additional format (3) has been added to the conntrack files. In
>> this format, zone names are not used in the SOURCE column; rather,
>> a suffix in the ACTION column determines which raw-table chain the
>> generated Netfilter rule will be placed in. See the manpages for
>> details.
> Quite a lot of issues here:
>
> 1. http://www.shorewall.net/manpages/shorewall-conntrack.html is a dead link (Shorewall -> Documentation -> IPv4 man pages -> conntrack)

Corrected -- thanks.

>
> 2. From the man pages for conntrack:
>
> ACTION - {NOTRACK|CT:helper:name[(arg=val[,...])|CT:notrack}[:chain-designator]
> This column is only present when FORMAT = 2. Values other than NOTRACK or DROP require CT Target support in your iptables and kernel.
> * NOTRACK or CT:notrack
> Disables connection tracking for this packet.
>
> * DROP
> Added in Shorewall 4.5.10. Silently discard the packet.
> [...]
> Beginning with Shorewall 4.5.10, when FORMAT = 3, this column can end with a colon followed by a chain-designator. The chain-designator can be one of the following:
> P The rule is added to the raw table PREROUTING chain. This is the default if no chain-designator is present.
> O The rule is added to the raw table OUTPUT chain.
> PO or OP The rule is added to the raw table PREROUTING and OUTPUT chains.
>
> OK, so I assume that if FORMAT=3, ACTION column should NOT be present, right? If so, how do I use DROP or any other actions then?

The action column is present and may contain DROP. Manpages corrected.

>
> 3. "DROP" is not included as being allowed in the ACTION column in the
> ACTION format specified in that man page (assuming that it is and the
> correct format is "{DROP|NOTRACK|CT:helper:name[(arg=val[,...])|CT:notrack}[:chain-designator]").

Correct.

>
> 4. Moving on, and ignoring the above "FORMAT=2 only" text in the man
> page and also assuming that the correct format for "FORMAT 3" is to
> include the ACTION column with the format I specified in 3 above,
> including the "DROP" action:
> conntrack
> ~~~~~~~~~
> DROP:O :+baddies-set[dst]
>
> Gives me "ERROR: Invalid notrack ACTION ( DROP:O )"

Duh -- tested 'P' and 'PO' but not 'O'; patch attached.

>
> 5. FORMAT 3 itself:
>
> From the man page (conntrack):
>
> [...]
> in FORMAT 3, the SOURCE column accepts no zone name; rather the ACTION column allows a SUFFIX that determines the chain(s) that the generated rule will be added to."
> [...]
> SOURCE (formats 1 and 2) - {zone[:interface][:address-list]|COMMENT}
> [...]
> SOURCE (formats 3) - {-|[:interface][:address-list}
>
> Why can't you get rid of the ":chain-designator" from ACTION (FORMAT 3) and have the following in SOURCE instead:

I considered that approach but rejected it.

1) A chain is not a SOURCE and using a chain-designator in place of a zone is not intuitive.

2) The chain-designator suffix is already well-established in the tcrules file.

3) As you point out below, additional hackery is required to resolve zone/chain-designator name collisions.

>
> Finally - a suggestion (new feature): would it be possible to add a SWITCH column to actions/macros?
>

It's already there -- just not documented.

-Tom

Tom

In the attached config, the conntrack entries:

DROP all eth0 udp 1
DROP all eth1 udp 1

produce the following error message:

/var/lib/shorewall/.start: 2242: Syntax error: "}" unexpected (expecting "done")

Steven.

On 11/25/2012 02:50 PM, Steven Jan Springl wrote:

> In the attached config, the conntrack entries:
>
> DROP all eth0 udp 1
> DROP all eth1 udp 1
>
> produce the following error message:
>
> /var/lib/shorewall/.start: 2242: Syntax error: "}" unexpected (expecting
> "done")

I'm going to disallow an interface in the DEST column when the chain is OUTPUT. That restriction also holds in the tcrules file.

Patch attached.

-Tom

On Sunday 25 Nov 2012 23:33:40 Tom Eastep wrote:
> On 11/25/2012 02:50 PM, Steven Jan Springl wrote:
> > In the attached config, the conntrack entries:
> >
> > DROP all eth0 udp 1
> > DROP all eth1 udp 1
> >
> > produce the following error message:
> >
> > /var/lib/shorewall/.start: 2242: Syntax error: "}" unexpected (expecting
> > "done")
>
> I'm going to disallow an interface in the DEST column when the chain is
> OUTPUT. That restriction also holds in the tcrules file.
>
> Patch attached.
>
> -Tom

Tom

The patch resolves the issue.

However, if the conntrack entries are changed to:

DROP all- eth0 udp 1
DROP all- eth1 udp 1

the same error message is produced.

Steven.

On 11/25/2012 03:58 PM, Steven Jan Springl wrote:
> On Sunday 25 Nov 2012 23:33:40 Tom Eastep wrote:
>> On 11/25/2012 02:50 PM, Steven Jan Springl wrote:
>>> In the attached config, the conntrack entries:
>>>
>>> DROP all eth0 udp 1
>>> DROP all eth1 udp 1
>>>
>>> produce the following error message:
>>>
>>> /var/lib/shorewall/.start: 2242: Syntax error: "}" unexpected (expecting
>>> "done")
>>
>> I'm going to disallow an interface in the DEST column when the chain is
>> OUTPUT. That restriction also holds in the tcrules file.
>>
>> Patch attached.
>>
>> -Tom
>
> Tom
>
> The patch resolves the issue.
>
> However, if the conntrack entries are changed to:
>
> DROP all- eth0 udp 1
> DROP all- eth1 udp 1
>
> the same error message is produced.

Optimizer bug -- patch attached.

Thanks Steven,
-Tom

On 11/25/2012 03:33 PM, Tom Eastep wrote:
> On 11/25/2012 02:50 PM, Steven Jan Springl wrote:
>> In the attached config, the conntrack entries:
>>
>> DROP all eth0 udp 1
>> DROP all eth1 udp 1
>>
>> produce the following error message:
>>
>> /var/lib/shorewall/.start: 2242: Syntax error: "}" unexpected (expecting
>> "done")
>
> I'm going to disallow an interface in the DEST column when the chain is
> OUTPUT. That restriction also holds in the tcrules file.

It turns out to be fairly simple to allow destination interfaces in the DEST column for OUTPUT chain rules. Commit is 4e401d6f2903cc6798ac59a54c342eeb16d13f65.

-Tom

> Done -- it is commit dbfc8057077950a909d27a5ce1b00f802730a1ff.

What's the url for that?

> Duh -- tested 'P' and 'PO' but not 'O'; patch attached.

Hehe, zeros and O's - there is a bit of a difference between the two, even in perl. Get yourself a proper font so that you could see that difference more easily...

Still doesn't work though:

conntrack
~~~~~~~~~
DROP:O :+baddies-set[dst]

I am getting "ERROR: Unknown Interface (:+baddies-set[dst])".

"SOURCE (formats 3) - {-|[:interface][:address-list}" should really be "SOURCE (formats 3) - {-|[:interface][:address-list]}", though see my thoughts on this format below.

>> Why can't you get rid of the ":chain-designator" from ACTION (FORMAT
>> 3) and have the following in SOURCE instead:
>
> I considered that approach but rejected it.
>
> 1) A chain is not a SOURCE and using a chain-designator in place of
> a zone is not intuitive.

You already use "all", "all-" and "$FW" to do the same thing - all you have to do is substitute/add ":PO" instead of/in addition to "all" and do the same for "all-" and "$FW". I am no perl expert, but that can't be very difficult to implement and should not involve "hackery", as you put it.

>> Finally - a suggestion (new feature): would it be possible to add
>> a SWITCH column to actions/macros?
>>
>
> It's already there -- just not documented.

That works too.

> Damn -- added an optimization and neglected to re-test. Patch attached.

It works.

On Monday 26 Nov 2012 01:10:55 Tom Eastep wrote:
> On 11/25/2012 03:58 PM, Steven Jan Springl wrote:
> > On Sunday 25 Nov 2012 23:33:40 Tom Eastep wrote:
> >> On 11/25/2012 02:50 PM, Steven Jan Springl wrote:
> >>> In the attached config, the conntrack entries:
> >>>
> >>> DROP all eth0 udp 1
> >>> DROP all eth1 udp 1
> >>>
> >>> produce the following error message:
> >>>
> >>> /var/lib/shorewall/.start: 2242: Syntax error: "}" unexpected
> >>> (expecting "done")
> >>
> >> I'm going to disallow an interface in the DEST column when the chain is
> >> OUTPUT. That restriction also holds in the tcrules file.
> >>
> >> Patch attached.
> >>
> >> -Tom
> >
> > Tom
> >
> > The patch resolves the issue.
> >
> > However, if the conntrack entries are changed to:
> >
> > DROP all- eth0 udp 1
> > DROP all- eth1 udp 1
> >
> > the same error message is produced.
>
> Optimizer bug -- patch attached.
>
> Thanks Steven,
> -Tom

Tom

Confirmed, the patch fixes the bug.

Thanks

Steven.

On Monday 26 Nov 2012 02:07:59 Tom Eastep wrote:
> On 11/25/2012 03:33 PM, Tom Eastep wrote:
> > On 11/25/2012 02:50 PM, Steven Jan Springl wrote:
> >> In the attached config, the conntrack entries:
> >>
> >> DROP all eth0 udp 1
> >> DROP all eth1 udp 1
> >>
> >> produce the following error message:
> >>
> >> /var/lib/shorewall/.start: 2242: Syntax error: "}" unexpected (expecting
> >> "done")
> >
> > I'm going to disallow an interface in the DEST column when the chain is
> > OUTPUT. That restriction also holds in the tcrules file.
>
> It turns out to be fairly simple to allow destination interfaces in the
> DEST column for OUTPUT chain rules. Commit is
> 4e401d6f2903cc6798ac59a54c342eeb16d13f65.
>
> -Tom

Tom

I cannot find the above commit.

Steven.

On 11/26/2012 03:48 AM, Steven Jan Springl wrote:
> On Monday 26 Nov 2012 02:07:59 Tom Eastep wrote:
>> On 11/25/2012 03:33 PM, Tom Eastep wrote:
>>> On 11/25/2012 02:50 PM, Steven Jan Springl wrote:
>>>> In the attached config, the conntrack entries:
>>>>
>>>> DROP all eth0 udp 1
>>>> DROP all eth1 udp 1
>>>>
>>>> produce the following error message:
>>>>
>>>> /var/lib/shorewall/.start: 2242: Syntax error: "}" unexpected (expecting
>>>> "done")
>>>
>>> I'm going to disallow an interface in the DEST column when the chain is
>>> OUTPUT. That restriction also holds in the tcrules file.
>>
>> It turns out to be fairly simple to allow destination interfaces in the
>> DEST column for OUTPUT chain rules. Commit is
>> 4e401d6f2903cc6798ac59a54c342eeb16d13f65.
>>
>> -Tom
>
> Tom
>
> I cannot find the above commit.
>

Steven,

Correct commit is e7dee420eead7930bbfe3ac284a8a7715df56b3a.

Thanks,
-Tom

On 11/25/2012 07:09 PM, Mr Dash Four wrote:
>
>> Done -- it is commit dbfc8057077950a909d27a5ce1b00f802730a1ff.
> What's the url for that?
>
>> Duh -- tested 'P' and 'PO' but not 'O'; patch attached.
> Hehe, zeros and O's - there is a bit of a difference between the two, even in perl. Get yourself a proper font so that you could see that difference more easily...
>
> Still doesn't work though:
>
> conntrack
> ~~~~~~~~~
> DROP:O :+baddies-set[dst]
>
> I am getting "ERROR: Unknown Interface (:+baddies-set[dst])".
>
> "SOURCE (formats 3) - {-|[:interface][:address-list}" should really be "SOURCE (formats 3) - {-|[:interface][:address-list]}", though see my thoughts on this format below.

The manpage is wrong (copy/paste error). The rule generator never accepts leading semicolons in a SOURCE or DEST.

SOURCE (format 3) - [interface[:address-list]]|[address-list]

>
>>> Why can't you get rid of the ":chain-designator" from ACTION (FORMAT
>>> 3) and have the following in SOURCE instead:
>>
>> I considered that approach but rejected it.
>>
>> 1) A chain is not a SOURCE and using a chain-designator in place of
>> a zone is not intuitive.
> You already use "all", "all-" and "$FW" to do the same thing - all
> you have to do is substitute/add ":PO" instead of/in addition to "all" and
> do the same for "all-" and "$FW". I am no perl expert, but that can't be
> very difficult to implement and should not involve "hackery", as you put it.
>

'all' and 'all-' have been reserved names from day one and $FW is a simple shell variable that expands to the name of a zone. 'PO', 'P' and 'O' are not reserved.

-Tom

> The manpage is wrong (copy/paste error). The rule generator never
> accepts leading semicolons in a SOURCE or DEST.
>
> SOURCE (format 3) - [interface[:address-list]]|[address-list]
>

That explains it. So, the correct syntax for FORMAT 3 would be "DROP:O +baddies-set" then, right?

>>>> Why can't you get rid of the ":chain-designator" from ACTION (FORMAT
>>>> 3) and have the following in SOURCE instead:
>>>>
>>> I considered that approach but rejected it.
>>>
>>> 1) A chain is not a SOURCE and using a chain-designator in place of
>>> a zone is not intuitive.
>>>
>> You already use "all", "all-" and "$FW" to do the same thing - all
>> you have to do is substitute/add ":PO" instead of/in addition to "all" and
>> do the same for "all-" and "$FW". I am no perl expert, but that can't be
>> very difficult to implement and should not involve "hackery", as you put it.
>>
>>
>
> 'all' and 'all-' have been reserved names from day one and $FW is a
> simple shell variable that expands to the name of a zone. 'PO', 'P' and
> 'O' are not reserved.
>

I still can't fathom why it is so difficult to keep everything in one place and include the chain designator definition as part of SOURCE, not ACTION, but if that's the route you wish to take, so be it - I'll alter my own copy later on to do what I want.

On 11/26/2012 06:54 AM, Mr Dash Four wrote:
>
>> The manpage is wrong (copy/paste error). The rule generator never
>> accepts leading semicolons in a SOURCE or DEST.
>>
>> SOURCE (format 3) - [interface[:address-list]]|[address-list]
>>
> That explains it. So, the correct syntax for FORMAT 3 would be "DROP:O
> +baddies-set" then, right?
>
>>>>> Why can't you get rid of the ":chain-designator" from ACTION (FORMAT
>>>>> 3) and have the following in SOURCE instead:
>>>>>
>>>> I considered that approach but rejected it.
>>>>
>>>> 1) A chain is not a SOURCE and using a chain-designator in place of
>>>> a zone is not intuitive.
>>>>
>>> You already use "all", "all-" and "$FW" to do the same thing - all
>>> you have to do is substitute/add ":PO" instead of/in addition to "all" and
>>> do the same for "all-" and "$FW". I am no perl expert, but that can't be
>>> very difficult to implement and should not involve "hackery", as you put it.
>>>
>>>
>>
>> 'all' and 'all-' have been reserved names from day one and $FW is a
>> simple shell variable that expands to the name of a zone. 'PO', 'P' and
>> 'O' are not reserved.
>>
> I still can't fathom why it is so difficult to keep everything in one
> place and include the chain designator definition as part of SOURCE, not
> ACTION, but if that's the route you wish to take, so be it - I'll alter
> my own copy later on to do what I want.

It is not difficult; I just think that it is wrong.

-Tom

> It is not difficult; I just think that it is wrong.
>

Fair enough. Have I got the format 3 right then (as indicated in my previous post)?

On 11/26/2012 06:57 AM, Mr Dash Four wrote:
>
>> It is not difficult; I just think that it is wrong.
>>
> Fair enough. Have I got the format 3 right then (as indicated in my
> previous post)?
>

In the SOURCE column, you can have one of:

<interface>
<interface>:<address-list>
<address-list>

In the DEST column, you can have one of:

<interface>
<address-list>

-Tom

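Tom's summary of the format 3 SOURCE and DEST columns, together with the ACTION chain-designator suffix quoted from the manpage earlier in the thread, is enough to write a small validator that shows which raw-table chain each entry lands in and why the ":+baddies-set[dst]" form was rejected. The following Python is an added example, not Shorewall's own (Perl) compiler; the interface names, the ipset name, the error wording for cases the thread does not quote, and the omission of CT:helper actions are all assumptions.

```python
"""Validator for the Shorewall conntrack FORMAT 3 syntax as pinned down in this
thread.  Added illustration, not Shorewall's Perl compiler; KNOWN_INTERFACES
and the sample lines are constructed, and CT:helper actions are left out."""
import re

# Raw-table chain(s) chosen by the chain-designator suffix on ACTION;
# 'P' is the default, 'PO' and 'OP' are equivalent.
CHAIN_DESIGNATORS = {"P": ("PREROUTING",), "O": ("OUTPUT",),
                     "PO": ("PREROUTING", "OUTPUT"), "OP": ("PREROUTING", "OUTPUT")}
# Interfaces assumed to be declared in /etc/shorewall/interfaces (constructed).
KNOWN_INTERFACES = {"eth0", "eth1"}
# Zone keywords that formats 1 and 2 accept in SOURCE but format 3 does not.
ZONE_KEYWORDS = {"all", "all-", "$FW"}
# ACTION - {DROP|NOTRACK}[:chain-designator]
_ACTION_RE = re.compile(r"^(?P<base>DROP|NOTRACK)(?::(?P<chain>\w+))?$")

class ConntrackError(ValueError):
    """Carries a Shorewall-style 'ERROR: ...' message."""

def parse_action(action):
    """Split ACTION into (base action, target chains); 'DROP:O' -> OUTPUT only."""
    m = _ACTION_RE.match(action)
    designator = (m.group("chain") or "P") if m else None
    if designator not in CHAIN_DESIGNATORS:
        # Same wording the thread quotes for a rejected ACTION.
        raise ConntrackError(f"ERROR: Invalid notrack ACTION ( {action} )")
    return m.group("base"), CHAIN_DESIGNATORS[designator]

def parse_source(source):
    """SOURCE (format 3) - [interface[:address-list]]|[address-list].
    No zone, and no leading colon: the text before the first ':' is read as an
    interface name, so ':+baddies-set[dst]' gives the error seen in the thread."""
    if source in ("", "-"):
        return None, None
    if source in ZONE_KEYWORDS:
        raise ConntrackError(f"ERROR: Zone {source} not allowed in SOURCE (FORMAT 3)")
    if ":" in source:
        iface, addrs = source.split(":", 1)
        if iface not in KNOWN_INTERFACES:
            raise ConntrackError(f"ERROR: Unknown Interface ({source})")
        return iface, addrs or None
    return (source, None) if source in KNOWN_INTERFACES else (None, source)

def parse_dest(dest):
    """DEST (format 3) is a single interface or a single address-list."""
    if dest in ("", "-"):
        return None, None
    return (dest, None) if dest in KNOWN_INTERFACES else (None, dest)

def match_args(addrs, default_flag):
    """Render an address-list or '+ipset[flags]' as iptables match arguments."""
    if addrs.startswith("+"):
        name, _, flags = addrs[1:].partition("[")
        flags = flags.rstrip("]") or default_flag
        return ["-m", "set", "--match-set", name, flags.replace(",", " ")]
    return ["-s" if default_flag == "src" else "-d", addrs]

def expand(line):
    """Expand one FORMAT 3 line (ACTION SOURCE DEST PROTO DPORT ...) into the
    raw-table rules it generates: a list of (chain, iptables argv) pairs."""
    action, source, dest, proto, dport = (line.split() + ["-"] * 5)[:5]
    base, chains = parse_action(action)
    sif, saddr = parse_source(source)
    dif, daddr = parse_dest(dest)
    rules = []
    for chain in chains:
        argv = ["-t", "raw", "-A", chain]
        # This validator's own iptables-level check (not Shorewall's): an incoming
        # interface exists only in PREROUTING, an outgoing one only in OUTPUT.
        if sif:
            if chain != "PREROUTING":
                raise ConntrackError(f"ERROR: Source interface {sif} invalid in {chain}")
            argv += ["-i", sif]
        if saddr:
            argv += match_args(saddr, "src")
        if dif:
            if chain != "OUTPUT":
                raise ConntrackError(f"ERROR: Dest interface {dif} invalid in {chain}")
            argv += ["-o", dif]
        if daddr:
            argv += match_args(daddr, "dst")
        if proto != "-":
            argv += ["-p", proto]
        if dport != "-":
            argv += ["--dport", dport]
        rules.append((chain, argv + ["-j", base]))
    return rules

def error_of(line):
    """Return the ERROR message a line would produce, or None if it is valid."""
    try:
        expand(line)
    except ConntrackError as exc:
        return str(exc)
    return None
```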
On 11/26/2012 06:30 AM, Tom Eastep wrote:
> On 11/26/2012 03:48 AM, Steven Jan Springl wrote:
>> I cannot find the above commit.
>
> Correct commit is e7dee420eead7930bbfe3ac284a8a7715df56b3a.
>

Here is a follow-on patch that eliminates some undesirable side effects of the above commit.

Thanks,
-Tom

On Monday 26 Nov 2012 15:51:01 Tom Eastep wrote:
> On 11/26/2012 06:30 AM, Tom Eastep wrote:
> > On 11/26/2012 03:48 AM, Steven Jan Springl wrote:
> >> I cannot find the above commit.
> >
> > Correct commit is e7dee420eead7930bbfe3ac284a8a7715df56b3a.
>
> Here is a follow-on patch that eliminates some undesirable side effects
> of the above commit.
>
> Thanks,
> -Tom

Tom

Confirmed, the patches correct the original issue.

Thanks.

Steven.