RC 1 is now available for testing.

Problems corrected since Beta 5:

1) Under very rare circumstances, optimize level 4 could leave a rule that jumped to a nonexistent chain, causing iptables-restore to fail.

2) If an error was raised while compiling a default action, the following Perl diagnostic could appear and the Shorewall error message would not be printed.

3) It is once again possible to use DNS names in rules without an interface name.

New Features since Beta 5:

1) A new DEFER_DNS_RESOLUTION option has been added to shorewall.conf. Up to this time, when a DNS name appears in the SOURCE, DEST or ORIGINAL DEST column of a configuration file, the compiler verifies that the name can be resolved and then passes the name on to the generated script. This means that ip[6]tables-restore must resolve the name when the script runs.

When DEFER_DNS_RESOLUTION=Yes (the default) this old behavior is retained.

When DEFER_DNS_RESOLUTION=No, the compiler resolves the name and uses the address(es) in the generated script.

Thank you for testing,
-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

On Tue, 15 Jan 2013 09:50:32 -0800 Tom Eastep <teastep@shorewall.net> wrote:
> Thank you for testing,

Testing of 4.5.12-RC1 done here. No regressions found on generated script and CLEAR_TC=Yes fix for interfaces with @ looks good.

--
Tuomo Soini <tis@foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>

On 01/15/2013 11:35 PM, Tuomo Soini wrote:
> On Tue, 15 Jan 2013 09:50:32 -0800
> Tom Eastep <teastep@shorewall.net> wrote:
>
>> Thank you for testing,
>
> Testing of 4.5.12-RC1 done here. No regressions found on generated
> script and CLEAR_TC=Yes fix for interfaces with @ looks good.

Thanks Tuomo,
-Tom

Tom

In the attached config.

When the accounting file contains:

    COUNT eth0:1.1.1.1!2.2.2.2 eth1 tcp http

and DEFER_DNS_RESOLUTION=Yes the following valid iptables rules are generated:

    -A accounting -p 6 --dport 80 -s 1.1.1.1 -i eth0 -o eth1 -j ~excl0
    -A ~excl0 -s 2.2.2.2 -j RETURN
    -A ~excl0

With DEFER_DNS_RESOLUTION=No the following error message is produced:

    ERROR: Unknown Host (1.1.1.1!2.2.2.2) /etc/shorewall2A15/accounting (line 13)

Steven.

On 01/17/2013 02:25 PM, Steven Jan Springl wrote:
> In the attached config.
>
> When the accounting file contains:
>
> COUNT eth0:1.1.1.1!2.2.2.2 eth1 tcp http
>
> and DEFER_DNS_RESOLUTION=Yes the following valid iptables rules are generated:
>
> -A accounting -p 6 --dport 80 -s 1.1.1.1 -i eth0 -o eth1 -j ~excl0
> -A ~excl0 -s 2.2.2.2 -j RETURN
> -A ~excl0
>
> With DEFER_DNS_RESOLUTION=No the following error message is produced:
>
> ERROR: Unknown Host (1.1.1.1!2.2.2.2) /etc/shorewall2A15/accounting (line 13)

The attached patch corrects the problem.

Thanks Steven,
-Tom

On Thursday 17 Jan 2013 23:28:51 Tom Eastep wrote:
> On 01/17/2013 02:25 PM, Steven Jan Springl wrote:
> > In the attached config.
> >
> > When the accounting file contains:
> >
> > COUNT eth0:1.1.1.1!2.2.2.2 eth1 tcp http
> >
> > and DEFER_DNS_RESOLUTION=Yes the following valid iptables rules are
> > generated:
> >
> > -A accounting -p 6 --dport 80 -s 1.1.1.1 -i eth0 -o eth1 -j ~excl0
> > -A ~excl0 -s 2.2.2.2 -j RETURN
> > -A ~excl0
> >
> > With DEFER_DNS_RESOLUTION=No the following error message is produced:
> >
> > ERROR: Unknown Host (1.1.1.1!2.2.2.2) /etc/shorewall2A15/accounting (line 13)
>
> The attached patch corrects the problem.
>
> Thanks Steven,
>
> -Tom

Tom

Confirmed, the patch fixes the problem.

Thanks.

Steven.

On 1/17/13 3:36 PM, "Steven Jan Springl" <steven@springl.ukfsn.org> wrote:
>
> Confirmed, the patch fixes the problem.
>

Thanks Steven,
-Tom

You do not need a parachute to skydive. You only need a parachute to skydive twice.

Tom

In the attached config.

When DEFER_DNS_RESOLUTION=Yes Shorewall accepts the following rules:

    ACCEPT lan:!+[!set1] dmz tcp 23
    ACCEPT lan:!+[!set1,set2] dmz tcp 23
    ACCEPT lan:!+[set1,!set2] dmz tcp 23
    ACCEPT lan:+[!set1,!set2] dmz tcp 23

When DEFER_DNS_RESOLUTION=No Shorewall rejects all of the rules with the following error message:

    ERROR: Invalid host list .........................

Steven.

On 01/18/2013 01:53 PM, Steven Jan Springl wrote:
> Tom
>
> In the attached config.
>
> When DEFER_DNS_RESOLUTION=Yes Shorewall accepts the following rules:
>
> ACCEPT lan:!+[!set1] dmz tcp 23
> ACCEPT lan:!+[!set1,set2] dmz tcp 23
> ACCEPT lan:!+[set1,!set2] dmz tcp 23
> ACCEPT lan:+[!set1,!set2] dmz tcp 23
>
> When DEFER_DNS_RESOLUTION=No Shorewall rejects all of the rules with the
> following error message:
>
> ERROR: Invalid host list .........................
>

Thanks, Steven

This is turning into a ball of glue. I think I'll revert the DEFER_DNS_RESOLUTION changes for 4.5.12 and attack it again in 4.5.13. Please keep your tests available for testing that release.

Thanks again,
-Tom

On Friday 18 Jan 2013 23:32:06 Tom Eastep wrote:
> On 01/18/2013 01:53 PM, Steven Jan Springl wrote:
> > Tom
> >
> > In the attached config.
> >
> > When DEFER_DNS_RESOLUTION=Yes Shorewall accepts the following rules:
> >
> > ACCEPT lan:!+[!set1] dmz tcp 23
> > ACCEPT lan:!+[!set1,set2] dmz tcp 23
> > ACCEPT lan:!+[set1,!set2] dmz tcp 23
> > ACCEPT lan:+[!set1,!set2] dmz tcp 23
> >
> > When DEFER_DNS_RESOLUTION=No Shorewall rejects all of the rules with the
> > following error message:
> >
> > ERROR: Invalid host list .........................
>
> Thanks, Steven
>
> This is turning into a ball of glue. I think I'll revert the
> DEFER_DNS_RESOLUTION changes for 4.5.12 and attack it again in 4.5.13.
> Please keep your tests available for testing that release.
>
> Thanks again,
> -Tom

Tom

No problem.

I have completed my testing with DEFER_DNS_RESOLUTION=Yes.

Do you intend to release RC2 with DEFER_DNS_RESOLUTION reverted?

Steven.

On 1/18/13 4:01 PM, Steven Jan Springl wrote:
> On Friday 18 Jan 2013 23:32:06 Tom Eastep wrote:
>> This is turning into a ball of glue. I think I'll revert the
>> DEFER_DNS_RESOLUTION changes for 4.5.12 and attack it again in 4.5.13.
>> Please keep your tests available for testing that release.
>>
>> Thanks again,
>
> No problem.
>
> I have completed my testing with DEFER_DNS_RESOLUTION=Yes.
>
> Do you intend to release RC2 with DEFER_DNS_RESOLUTION reverted?

I don't think it is necessary. The active code for DEFER_DNS_RESOLUTION is a single block of code in one function.

Thanks again Steven,
-Tom

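Both reports in this thread (the `Unknown Host (1.1.1.1!2.2.2.2)` error and the rejected `+[...]` ipset lists) involve a host column that carries exclusions and ipset references alongside anything that might be a DNS name. The following is an added example, not Shorewall's code or the patch mentioned above: a simplified Python model of splitting such a column before any name is resolved. The grammar is inferred only from the rules quoted in the thread, IPv4 only, and `fake_resolver` with its addresses is a constructed stand-in for a DNS lookup.

```python
import ipaddress

def split_top_level(text, sep):
    """Split on sep, but not inside a +[...] ipset list."""
    parts, depth, cur = [], 0, ""
    for ch in text:
        depth += (ch == "[") - (ch == "]")
        if ch == sep and depth == 0:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    return parts + [cur]

def classify(item):
    """Label one list member as ipset reference, address literal or DNS name."""
    if item.startswith("+"):
        return "ipset"
    try:
        ipaddress.ip_network(item, strict=False)
        return "address"
    except ValueError:
        return "dns"

def parse_hosts(column):
    """Return (prefix, include, exclude); the lists hold (kind, text) pairs."""
    prefix, sep, hosts = column.partition(":")
    if not sep:                       # no zone/interface prefix given
        prefix, hosts = "", column
    halves = split_top_level(hosts, "!")
    if len(halves) > 2:
        raise ValueError("more than one exclusion in " + column)
    halves.append("")                 # the exclusion part may be absent
    return (prefix,) + tuple(
        [(classify(i), i) for i in split_top_level(h, ",") if i]
        for h in halves[:2])

def compile_hosts(column, resolver, defer):
    """With defer=False, replace each DNS name by its resolved addresses."""
    prefix, include, exclude = parse_hosts(column)
    def expand(items):
        out = []
        for kind, text in items:
            if kind == "dns" and not defer:
                out += [("address", a) for a in resolver(text)]
            else:
                out.append((kind, text))
        return out
    return prefix, expand(include), expand(exclude)

def fake_resolver(name):
    """Constructed lookup table so the example runs offline."""
    table = {"www.example.com": ["192.0.2.10", "192.0.2.11"]}
    if name not in table:
        raise LookupError("Unknown Host (%s)" % name)
    return table[name]
```

Because only items classified as `dns` reach the resolver, address literals, exclusions and ipset references pass through unchanged whether or not resolution is deferred.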