4.5.12 Beta 4 is now available for testing.
Problems Corrected since Beta 3:
1) A number of problems with processing the arprules file have been
corrected.
2) Inline actions in the RELATED and ESTABLISHED sections now work
correctly.
3) The 'dropInvalid' built-in function now works correctly.
4) The compiler now generates an error when a protocol list is used in
a context where only a single protocol name/number is accepted.
New Features since Beta 3:
1) The interpretation of the log tag when LOGTAGONLY=Yes is changed.
Previously, the log tag replaced the chain name in the generated
log prefix. Now, the tag is interpreted as a chain name and a
disposition separated by a comma.
So this rule:

    LOG:info:foo,bar

will generate the following log prefix when using the default
LOGFORMAT setting:

    Shorewall:foo:bar:

Similarly,

    LOG:info:,bar net fw

will generate

    Shorewall:net2fw:bar:

2) Rules generated by the RELATED section of the rules file are now in
separate chains. For each pair of zones (za,zb), RELATED
connections are handled by a chain whose name is "+za2zb"
(ZONE_SEPARATOR=2) or "+za-zb" (ZONE_SEPARATOR='-'). This results
in only one state match to jump to the new chain rather than a
state match for every rule in the section.
Thank you for testing,
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
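
Added example (not part of the original message and not Shorewall's own code): a Python parser for kernel log lines that carry the prefix format shown above under the default LOGFORMAT, so events can be tallied by chain and by the disposition tag set with LOGTAGONLY=Yes. The sample log lines and the key=value layout after the prefix are constructed for illustration.

```python
import re
from collections import Counter

# Prefix as shown in the announcement for the default LOGFORMAT:
#   Shorewall:<chain>:<disposition>:
# Everything after the final colon is treated as netfilter key=value fields.
PREFIX = re.compile(
    r"Shorewall:(?P<chain>[^:\s]*):(?P<disp>[^:\s]*):(?P<rest>.*)$"
)
FIELD = re.compile(r"(\w+)=(\S*)")

# Constructed sample lines (not from the page); addresses come from the
# documentation ranges, and the last line is unrelated kernel output.
SAMPLE = """\
Jan  7 08:20:01 fw kernel: Shorewall:foo:bar:IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.1 PROTO=TCP SPT=40000 DPT=22
Jan  7 08:20:02 fw kernel: Shorewall:net2fw:bar:IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.1 PROTO=TCP SPT=40001 DPT=23
Jan  7 08:20:03 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.1 PROTO=UDP SPT=5000 DPT=53
Jan  7 08:20:04 fw kernel: eth0: link up
"""


def parse_line(line):
    """Return chain, disposition and packet fields, or None if no prefix."""
    m = PREFIX.search(line)
    if not m:
        return None
    fields = dict(FIELD.findall(m.group("rest")))
    return {"chain": m.group("chain"), "disposition": m.group("disp"), **fields}


def summarize(text):
    """Count logged packets per (chain, disposition, source address)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            key = (rec["chain"], rec["disposition"], rec.get("SRC", "?"))
            counts[key] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(SAMPLE).most_common():
        print(n, *key)
```
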

On 01/07/2013 08:14 AM, Tom Eastep wrote:
> 4.5.12 Beta 4 is now available for testing.
>
> Problems Corrected since Beta 3:
>
> 1) A number of problems with processing the arprules file have been
>    corrected.
>
> 2) Inline actions in the RELATED and ESTABLISHED sections now work
>    correctly.
>
> 3) The 'dropInvalid' built-in function now works correctly.
>
> 4) The compiler now generates an error when a protocol list is used in
>    a context where only a single protocol name/number is accepted.

Note: In RC 1, protocol lists will be accepted in the secmarks and
tcrules files.

-Tom

On 01/07/2013 08:48 AM, Tom Eastep wrote:
> On 01/07/2013 08:14 AM, Tom Eastep wrote:
>> 4.5.12 Beta 4 is now available for testing.
>>
>> Problems Corrected since Beta 3:
>>
>> 1) A number of problems with processing the arprules file have been
>>    corrected.
>>
>> 2) Inline actions in the RELATED and ESTABLISHED sections now work
>>    correctly.
>>
>> 3) The 'dropInvalid' built-in function now works correctly.
>>
>> 4) The compiler now generates an error when a protocol list is used in
>>    a context where only a single protocol name/number is accepted.
>
> Note: In RC 1, protocol lists will be accepted in the secmarks and
> tcrules files.

As long as I am at it, these files will also support protocol lists:

    accounting
    conntrack
    masq
    stoppedrules
    tcpri
    tcfilters

-tom

Tom

Specifying an SNAT:mac-address arprule:

    SNAT:11:22:33:44:55:66 eth0:1.1.1.1 - 1

produces the following error message:

    ERROR: Invalid IP Address (11:22:33:44:55:66) /etc/shorewall2A11/arprules (line 15)

Steven.

On 01/07/2013 03:25 PM, Steven Jan Springl wrote:
> Specifying an SNAT:mac-address arprule:
>
> SNAT:11:22:33:44:55:66 eth0:1.1.1.1 - 1
>
> produces the following error message:
>
> ERROR: Invalid IP Address (11:22:33:44:55:66) /etc/shorewall2A11/arprules
> (line 15)
>

Steven,

Changing the source MAC address is SMAT, not SNAT

-Tom

On Monday 07 Jan 2013 23:51:43 Tom Eastep wrote:
> On 01/07/2013 03:25 PM, Steven Jan Springl wrote:
> > Specifying an SNAT:mac-address arprule:
> >
> > SNAT:11:22:33:44:55:66 eth0:1.1.1.1 - 1
> >
> > produces the following error message:
> >
> > ERROR: Invalid IP Address (11:22:33:44:55:66) /etc/shorewall2A11/arprules
> > (line 15)
>
> Steven,
>
> Changing the source MAC address is SMAT, not SNAT
>
> -Tom

Tom

Sorry, I should wear my glasses when reading.

Steven.

Tom
Arprules entry:
SMATX:11:22:33:44:55:66 eth0:1.1.1.1 - 1
Produces the following error messages:
Use of uninitialized value in subroutine entry at
/usr/share/shorewall/Shorewall/ARP.pm line 172, <$currentfile> line 18.
Can't use string ("") as a subroutine ref while "strict refs" in use at
/usr/share/shorewall/Shorewall/ARP.pm line 172, <$currentfile> line 18.
------------------------------------------------------------------------------------------
Arprules entry:
DMATC:11:22:33:44:55:66 eth0:1.1.1.1 - 1
Produces the following error message:
ERROR: The DMATC ACTION does not allow a new address
/etc/shorewall2A11/arprules (line 20)
------------------------------------------------------------------------------------------
Arprules entry:
DMATC eth0:1.1.1.1 - 1
Produces the following error message:
ERROR: Invalid ACTION (DMATC) /etc/shorewall2A11/arprules (line 21)
------------------------------------------------------------------------------------------
The arprules man page refers to action DNAC, should that not be DNATC?
------------------------------------------------------------------------------------------
Note: arptables-save seems to convert any IP addresses that it can to DNS
entries.
Steven.

On 01/07/2013 05:00 PM, Steven Jan Springl wrote:
> Tom
>
> Arprules entry:
>
> SMATX:11:22:33:44:55:66 eth0:1.1.1.1 - 1
>
> Produces the following error messages:
>
> Use of uninitialized value in subroutine entry at
> /usr/share/shorewall/Shorewall/ARP.pm line 172, <$currentfile> line 18.
>
> Can't use string ("") as a subroutine ref while "strict refs" in use at
> /usr/share/shorewall/Shorewall/ARP.pm line 172, <$currentfile> line 18.

Patch ARPRULES1.patch corrects this issue.

> ------------------------------------------------------------------------------------------
>
> Arprules entry:
>
> DMATC:11:22:33:44:55:66 eth0:1.1.1.1 - 1
>
> Produces the following error message:
>
> ERROR: The DMATC ACTION does not allow a new address
> /etc/shorewall2A11/arprules (line 20)

Patch ARPRULES2.patch corrects this problem.

> ------------------------------------------------------------------------------------------
>
> Arprules entry:
>
> DMATC eth0:1.1.1.1 - 1
>
> Produces the following error message:
>
> ERROR: Invalid ACTION (DMATC) /etc/shorewall2A11/arprules (line 21)

Patch ARPRULES2.patch also corrects this problem.

> ------------------------------------------------------------------------------------------
>
> The arprules man page refers to action DNAC, should that not be DNATC?

Yes. Thanks.

> ------------------------------------------------------------------------------------------
>
> Note: arptables-save seems to convert any IP addresses that it can to DNS
> entries.

Yep -- doesn't seem to support a -n option.

Thanks Steven,
--
Tom Eastep

On 01/07/2013 06:32 PM, Tom Eastep wrote:
> On 01/07/2013 05:00 PM, Steven Jan Springl wrote:
>>
>> Arprules entry:
>>
>> DMATC eth0:1.1.1.1 - 1
>>
>> Produces the following error message:
>>
>> ERROR: Invalid ACTION (DMATC) /etc/shorewall2A11/arprules (line 21)
>
> Patch ARPRULES2.patch also corrects this problem.

Although adding ARPRULES3.patch produces a clearer error message.

Thanks,
-Tom

On Tuesday 08 Jan 2013 02:48:10 Tom Eastep wrote:
> On 01/07/2013 06:32 PM, Tom Eastep wrote:
> > On 01/07/2013 05:00 PM, Steven Jan Springl wrote:
> >> Arprules entry:
> >>
> >> DMATC eth0:1.1.1.1 - 1
> >>
> >> Produces the following error message:
> >>
> >> ERROR: Invalid ACTION (DMATC) /etc/shorewall2A11/arprules (line 21)
> >
> > Patch ARPRULES2.patch also corrects this problem.
>
> Although adding ARPRULES3.patch produces a clearer error message.
>
> Thanks,
> -Tom

Tom

Confirmed, the patches fix the issues.

Thanks.

Steven.

On 01/08/2013 04:42 AM, Steven Jan Springl wrote:
>
> Confirmed, the patches fix the issues.
>

Thank you Steven,

-Tom

Tom

I submitted a bug report to the netfilter team for arptables-save
converting IP addresses to DNS entries.

The netfilter team have just responded:

    It seems that change is already in the git tree. Upgrade to current
    git snapshot or wait for that release that Bart promised.

Steven.