Beta 2 is now available for testing.

Problems corrected since Beta 1:

1) Previously, the TOS target and tos match did not work on older
   iptables versions such as 1.3.5 in RHEL5-based distributions. That
   has been corrected. To correct this problem, a new capability (New
   tos Match) was created, so users of these old distros will need to
   regenerate the capabilities files from those systems.

New Features since Beta 1:

1) A new INLINE action has been added. This action allows defining
   arbitrary iptables rules in the blrules and rules files, as well as
   in action and macro bodies.

   The basic form of an INLINE rule is as follows:

   INLINE <src> <dst> <proto> ... ; <iptables matches and jump>

   The <iptables matches and jump> are added to the rule generated by
   the contents of the other supplied columns. Given the 'raw' nature
   of this action, you should examine the rule generated by the entry
   (e.g., 'shorewall check -r') prior to attempting a 'start' or
   'restart' operation.

   Example:

   INLINE $FW net tcp 1234 ; -j SETCTX --name foo

   This entry generates the following:

   -A fw2net -p 6 --dport 1234 -j SETCTX --name foo

   As part of this change, a new 'builtin' action type has been added.
   ip[6]tables targets not supported by Shorewall (such as 'SETCTX' in
   the example above) must be defined in your /etc/shorewall[6]/actions
   file:

   Example:

   SETCTX builtin

   Such builtin actions may only be used in INLINE action invocations;
   they may not appear in the ACTION column of a rule.

Thank you for testing,
-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter
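The INLINE semantics described in the announcement above, as an added example that is not Shorewall's code: a small pre-flight checker that renders the iptables rule an INLINE entry should produce and performs the review the announcement asks for before 'start'/'restart', flagging a jump target that is neither a stock iptables target nor declared 'builtin' in the actions file. It is a simplified model of the behaviour described on this page (the fw2net chain naming, '-p 6' for tcp, and the zone:address / zone:+ipset qualifiers follow the outputs shown in this thread); STOCK_TARGETS, the sample entries and the actions-file text are constructed for the example.

```python
"""Pre-flight model of Shorewall's INLINE action (added example, not Shorewall code).

Renders the iptables rule an INLINE entry is expected to produce and performs
the review the announcement asks for before 'start'/'restart': the target
after '-j' must be a stock iptables target or be declared 'NAME builtin' in
the actions file.  Chain naming (fw2net), numeric protocols (-p 6) and the
zone:address / zone:+ipset qualifiers follow the outputs shown in this thread.
"""

FW_ZONE = "fw"                                 # $FW expands to the 'fw' zone, as on the page
PROTOCOLS = {"tcp": 6, "udp": 17, "icmp": 1}   # emitted numerically, e.g. tcp -> '-p 6'
# Targets iptables provides on its own (constructed, deliberately short list);
# anything else after '-j' needs a 'builtin' declaration in the actions file.
STOCK_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG", "MARK", "CONNMARK"}


def parse_actions(text):
    """Return the names declared 'builtin' in an actions file (e.g. 'SETCTX builtin')."""
    builtins = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, then whitespace-split
        if len(fields) >= 2 and fields[1] == "builtin":
            builtins.add(fields[0])
    return builtins


def parse_inline(entry):
    """Split 'INLINE <src> <dst> [<proto> [<dport>]] ; <raw>' into its parts.
    '-' is the placeholder for an unused column; trailing ones may be omitted."""
    columns, sep, raw = entry.partition(";")
    if not sep or not raw.split():
        raise ValueError("INLINE entry needs ';' followed by the iptables matches/jump")
    cols = columns.split()
    if len(cols) < 3 or cols[0] != "INLINE":
        raise ValueError("expected: INLINE <src> <dst> [<proto> [<dport>]] ; ...")
    cols = [None if c == "-" else c for c in cols[1:]] + [None] * 4
    return {"src": cols[0], "dst": cols[1], "proto": cols[2], "dport": cols[3],
            "raw": raw.split()}


def _endpoint(spec, addr_flag, set_dir):
    """Turn 'zone[:qualifier]' into (zone, match tokens).  A '+name' qualifier is
    an ipset (-m set --match-set name src|dst); anything else is an address."""
    zone, _, qualifier = spec.partition(":")
    if zone == "$FW":
        zone = FW_ZONE
    if not qualifier:
        return zone, []
    if qualifier.startswith("+"):
        return zone, ["-m", "set", "--match-set", qualifier[1:], set_dir]
    return zone, [addr_flag, qualifier]


def render(parsed):
    """Return (chain, rule): the columnar matches first, then the raw part verbatim."""
    src_zone, parts = _endpoint(parsed["src"], "-s", "src")
    dst_zone, dst_match = _endpoint(parsed["dst"], "-d", "dst")
    parts += dst_match
    if parsed["proto"]:
        parts += ["-p", str(PROTOCOLS.get(parsed["proto"].lower(), parsed["proto"]))]
    if parsed["dport"]:
        parts += ["--dport", parsed["dport"]]
    parts += parsed["raw"]
    return f"{src_zone}2{dst_zone}", " ".join(parts)


def check(entry, builtins):
    """Review one INLINE entry as you would the output of 'shorewall check -r'.
    Returns {'chain', 'line', 'problems'}; an empty 'problems' list means it passed."""
    parsed = parse_inline(entry)
    chain, rule = render(parsed)
    raw, problems = parsed["raw"], []
    if "-j" in raw:
        idx = raw.index("-j")
        target = raw[idx + 1] if idx + 1 < len(raw) else None
        if target is None:
            problems.append("-j is missing its target")
        elif target not in STOCK_TARGETS | builtins:
            problems.append(f"target {target} is not an iptables target; declare "
                            f"'{target} builtin' in the actions file or fix the typo")
    # The PROTO column and a raw '-p' both set the protocol; iptables rejects a
    # rule with two -p flags, so the 'tcp - ; -p 17 ...' case is caught early.
    if parsed["proto"] and "-p" in raw:
        problems.append("protocol given both in the PROTO column and as a raw -p match")
    return {"chain": chain, "line": f"-A {chain} {rule}", "problems": problems}


if __name__ == "__main__":
    # Constructed actions file and rules entries, taken from the examples in this thread.
    builtins = parse_actions("# /etc/shorewall/actions (constructed)\nSETCTX builtin\n")
    for entry in ("INLINE $FW net tcp 1234 ; -j SETCTX --name foo",
                  "INLINE $FW net - - ; -j SECCTX --name test",
                  "INLINE $FW net tcp - ; -p 17 --dport 2345 -j SECCTX --name test"):
        result = check(entry, builtins)
        print(result["line"])
        for problem in result["problems"]:
            print("   WARNING:", problem)
```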
Tom

In the attached config, blrules entry:

blacklog lan:1.1.1.0/24 all icmp 8

Produces the following error message:

ERROR: Unknown rule target (A_DROP) /etc/shorewall2A25/blrules (line 16)

Note, this worked in 4.5.16-Beta1 and prior releases.

Steven.
On 04/10/2013 02:27 PM, Steven Jan Springl wrote:

> In the attached config, blrules entry:
>
> blacklog lan:1.1.1.0/24 all icmp 8
>
> Produces the following error message:
>
> ERROR: Unknown rule target (A_DROP) /etc/shorewall2A25/blrules (line 16)
>
> Note, this worked in 4.5.16-Beta1 and prior releases.

It didn't produce an error in earlier releases but it didn't generate
correct rules either :-( I suspect that you may find more cases.

Patch attached.

Thanks Steven!

-Tom
> 1) A new INLINE action has been added. This action allows defining
> arbitrary iptables rules in the blrules and rules files, as well as
> in action and macro bodies.
>
> The basic form of an INLINE rule is as follows:
>
> INLINE <src> <dst> <proto> ... ; <iptables matches and jump>
>
I get this when compiling:

Compiling /usr/share/shorewall/action.INLINE for chain INLINE...
   ERROR: Bareword "get_action_chain" not allowed while "strict subs" in use at /usr/share/shorewall/action.INLINE line 16.
Bareword "get_inline_matches" not allowed while "strict subs" in use at /usr/share/shorewall/action.INLINE line 17.
On 4/10/13 5:36 PM, "Mr Dash Four" <mr.dash.four@googlemail.com> wrote:

>> 1) A new INLINE action has been added. This action allows defining
>> arbitrary iptables rules in the blrules and rules files, as well as
>> in action and macro bodies.
>>
>> The basic form of an INLINE rule is as follows:
>>
>> INLINE <src> <dst> <proto> ... ; <iptables matches and jump>
>>
> I get this when compiling:
>
> Compiling /usr/share/shorewall/action.INLINE for chain INLINE...
>    ERROR: Bareword "get_action_chain" not allowed while "strict subs" in
> use at /usr/share/shorewall/action.INLINE line 16.
> Bareword "get_inline_matches" not allowed while "strict subs" in use at
> /usr/share/shorewall/action.INLINE line 17.

Can you create a tarball of your /usr/share/shorewall directory and send
it please? A fresh install here doesn't produce that error.

Thanks,
-Tom

You do not need a parachute to skydive. You only need a parachute to skydive twice.
> Can you create a tarball of your /usr/share/shorewall directory and send
> it please? A fresh install here doesn't produce that error.
>
Attached and sent privately.
On 4/10/13 5:51 PM, "Mr Dash Four" <mr.dash.four@googlemail.com> wrote:

>> Can you create a tarball of your /usr/share/shorewall directory and send
>> it please? A fresh install here doesn't produce that error.
>>
> Attached and sent privately.

Sorry -- I didn't take into account that you are running Fedora -- I need
${PERLLIB}/Shorewall as well.

-Tom
> Sorry -- I didn't take into account that you are running Fedora -- I need
> ${PERLLIB}/Shorewall as well.
>
Attached and sent privately.
You place your own version of actions in /usr/share/shorewall/ ?

On 4/10/13 6:13 PM, Mr Dash Four wrote:
>
>> Sorry -- I didn't take into account that you are running Fedora -- I need
>> ${PERLLIB}/Shorewall as well.
>>
> Attached and sent privately.
>
> _______________________________________________
> Shorewall-devel mailing list
> Shorewall-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-devel

-- 
Tom Eastep
I don't understand what is going on with your installation. I moved those
two directories into their proper places on Debian; replaced your
shorewallrc file with mine, modified my capabilities file to claim
AUDIT_TARGET support, and INLINE works fine.

I guess we can try 'shorewall trace -vv check > trace'; the 'trace' file
might show me something...

On 4/10/13 6:13 PM, Mr Dash Four wrote:
>
>> Sorry -- I didn't take into account that you are running Fedora -- I need
>> ${PERLLIB}/Shorewall as well.
>>
> Attached and sent privately.

-- 
Tom Eastep
> You place your own version of actions in /usr/share/shorewall/ ?
>
Yes, by my recollection that would be 2 of these - Drop and Reject, so?
> I guess we can try 'shorewall trace -vv check > trace'; the 'trace' file
> might show me something...
>
rules
~~~~~
INLINE $FW net ; -j SECCTX --name test

trace
~~~~~
[...]
IN===> INLINE fw net ; -j SECCTX --name test
NF-(N)-> filter:INLINE
NF-(!O1)-> filter:INLINE
Checking /usr/share/shorewall/action.INLINE for chain INLINE...
CD===> ?FORMAT 2
IN===> DEFAULTS -
IN===> use strict;
IN===> use Shorewall::Chains;
IN===> use Shorewall::Rules;
IN===>
IN===> my $chainref = get_action_chain;
IN===> my $rule = get_inline_matches;
IN===>
IN===> add_rule( $chainref, $rule, '' );
IN===>
IN===> allow_optimize( $chainref );
IN===>
IN===> ?END PERL;

stdout
~~~~~~
[...]
   ERROR: Bareword "get_action_chain" not allowed while "strict subs" in use at /usr/share/shorewall/action.INLINE line 16.
Bareword "get_inline_matches" not allowed while "strict subs" in use at /usr/share/shorewall/action.INLINE line 17.
 at /usr/share/perl5/Shorewall/Config.pm line 1254
	Shorewall::Config::fatal_error1('Bareword "get_action_chain" not allowed while "strict subs" i...') called at /usr/share/perl5/Shorewall/Config.pm line 2805
	Shorewall::Config::embedded_perl(undef) called at /usr/share/perl5/Shorewall/Config.pm line 3094
	Shorewall::Config::read_a_line(-1) called at /usr/share/perl5/Shorewall/Rules.pm line 1717
	Shorewall::Rules::process_action('HASH(0x1a409d0)', 'fw2net') called at /usr/share/perl5/Shorewall/Rules.pm line 2423
	Shorewall::Rules::process_rule(undef, '', 'INLINE', '', 'fw', 'net', '-', '-', '-', ...) called at /usr/share/perl5/Shorewall/Rules.pm line 3032
	Shorewall::Rules::process_raw_rule() called at /usr/share/perl5/Shorewall/Rules.pm line 3205
	Shorewall::Rules::process_rules(0) called at /usr/share/perl5/Shorewall/Compiler.pm line 821
	Shorewall::Compiler::compiler('script', '', 'directory', '', 'verbosity', 2, 'timestamp', 0, 'debug', ...) called at /usr/libexec/shorewall/compiler.pl line 145
On 4/10/13 6:40 PM, Mr Dash Four wrote:

>> I guess we can try 'shorewall trace -vv check > trace'; the 'trace' file
>> might show me something...
>>
> rules
> ~~~~~
> INLINE $FW net ; -j SECCTX --name test
>
> trace
> ~~~~~
> [...]
> IN===> INLINE fw net ; -j SECCTX --name test
> NF-(N)-> filter:INLINE
> NF-(!O1)-> filter:INLINE
> Checking /usr/share/shorewall/action.INLINE for chain INLINE...
> [...]
>
> stdout
> ~~~~~~
> [...]
> ERROR: Bareword "get_action_chain" not allowed while "strict subs" in
> use at /usr/share/shorewall/action.INLINE line 16.
> Bareword "get_inline_matches" not allowed while "strict subs" in use at
> /usr/share/shorewall/action.INLINE line 17.
> [...]

Try applying the attached patch.

-Tom
> Try applying the attached patch.
>
Yep, that did the trick. I am going to do a (very) light testing and
will continue tomorrow as I ran out of time...
> Yep, that did the trick. I am going to do a (very) light testing and
> will continue tomorrow as I ran out of time...

1.

rules
~~~~~
INLINE $FW net ; -m mickey-mouse --name test

produces:

[...]
:INLINE - [0:0]
[...]
-A INLINE -m mickey -mouse --name test

2.

rules
~~~~~
INLINE $FW:10.1.1.1 net:+mickey-mouse ; -m mickey-mouse --name test

produces:

[...]
:INLINE - [0:0]
[...]
-A fw2net -j INLINE
-A fw2net -s 10.1.1.1 -m set --match-set mickey-mouse dst -j INLINE

Ignoring the above lines, shouldn't I get an error instead?

3.

rules
~~~~~
INLINE $FW net tcp ; --dport 1234 -m mickey-mouse --name test

produces:

[...]
:INLINE - [0:0]
[...]
-A INLINE --dport 1234 -m mickey -mouse --name test

4.

rules
~~~~~
INLINE $FW net tcp - ; -p 17 --dport 2345 -j SECCTX --name test

produces:

[...]
:INLINE - [0:0]
[...]
-A INLINE -p 17 --dport 2345 -j SECCTX --name test

5.

rules
~~~~~
INLINE $FW net - - ; -j SECCTX --name test

produces:

-A fw2net -j SECCTX --name test

which is correct, but shouldn't that produce an error as there are 2
trailing dashes (-) before ";"? More thorough testing tomorrow...
On 4/10/13 7:12 PM, "Mr Dash Four" <mr.dash.four@googlemail.com> wrote:

>> Yep, that did the trick. I am going to do a (very) light testing and
>> will continue tomorrow as I ran out of time...
> 1.
>
> rules
> ~~~~~
> INLINE $FW net ; -m mickey-mouse --name test
>
> produces:
>
> [...]
> :INLINE - [0:0]
> [...]
> -A INLINE -m mickey -mouse --name test
>
> [...]
>
> 5.
>
> rules
> ~~~~~
> INLINE $FW net - - ; -j SECCTX --name test
>
> produces:
>
> -A fw2net -j SECCTX --name test
>
> which is correct, but shouldn't that produce an error as there are 2
> trailing dashes (-) before ";"? More thorough testing tomorrow...

Yep -- there are significant issues. Don't test more until Beta 3.

-Tom
On 4/10/13 7:59 PM, Tom Eastep wrote:
> On 4/10/13 7:12 PM, "Mr Dash Four" <mr.dash.four@googlemail.com> wrote:
>
>>> Yep, that did the trick. I am going to do a (very) light testing and
>>> will continue tomorrow as I ran out of time...
>> [...]
>> which is correct, but shouldn't that produce an error as there are 2
>> trailing dashes (-) before ";"? More thorough testing tomorrow...
>
> Yep -- there are significant issues. Don't test more until Beta 3.
>
Although some of the issues are corrected by this simple patch.

-Tom
On Thursday 11 Apr 2013 00:08:33 Tom Eastep wrote:
> On 04/10/2013 02:27 PM, Steven Jan Springl wrote:
> > In the attached config, blrules entry:
> >
> > blacklog lan:1.1.1.0/24 all icmp 8
> >
> > Produces the following error message:
> >
> > ERROR: Unknown rule target (A_DROP) /etc/shorewall2A25/blrules (line 16)
> >
> > Note, this worked in 4.5.16-Beta1 and prior releases.
>
> It didn't produce an error in earlier releases but it didn't generate
> correct rules either :-( I suspect that you may find more cases.
>
> Patch attached.
>
> Thanks Steven!
>
> -Tom

Tom

Confirmed, the patch fixes the issue.

--------------------------------------------------------------------------------------------------

In the attached config, an interface has the option 'maclist' and the rules file
contains:

A_DROP:warn lan all tcp 99

This produces the following error message:

Compiling MAC Filtration -- Phase 2...
   ERROR: Unknown rule target (A_DROP)

Steven.
On 04/11/2013 04:53 AM, Steven Jan Springl wrote:
>
> Confirmed, the patch fixes the issue.

Thanks.

>
> --------------------------------------------------------------------------------------------------
>
> In the attached config, an interface has the option 'maclist' and the rules file
> contains:
>
> A_DROP:warn lan all tcp 99
>
> This produces the following error message:
>
> Compiling MAC Filtration -- Phase 2...
>    ERROR: Unknown rule target (A_DROP)
>

The attached patch corrects the problem.

Thanks Steven,
-Tom
On 04/10/2013 07:12 PM, Mr Dash Four wrote:
>
>> Yep, that did the trick. I am going to do a (very) light testing and
>> will continue tomorrow as I ran out of time...

My comments assume that the last simple patch that I posted last night
has been installed.

> 1.
>
> rules
> ~~~~~
> INLINE $FW net ; -m mickey-mouse --name test
>
> produces:
>
> [...]
> :INLINE - [0:0]
> [...]
> -A INLINE -m mickey -mouse --name test

-A fw2net -m mickey -mouse --name test

>
> 2.
>
> rules
> ~~~~~
> INLINE $FW:10.1.1.1 net:+mickey-mouse ; -m mickey-mouse --name test
>
> produces:
>
> [...]
> :INLINE - [0:0]
> [...]
> -A fw2net -j INLINE

I presume that rule was produced by your entry in 1 above.

> -A fw2net -s 10.1.1.1 -m set --match-set mickey-mouse dst -j INLINE
>
> Ignoring the above lines, shouldn't I get an error instead?

What error would you expect?

With the patch, this rule now produces:

:$INLINE [0:0]
...
-A %INLINE -m mickey-mouse --name test
...
-A fw2net -s 10.1.1.1 -m set --match-set mickey-mouse dst -j %INLINE

The current optimizer isn't combining those rules which I will try to
correct in the coming days.

>
> 3.
>
> rules
> ~~~~~
> INLINE $FW net tcp ; --dport 1234 -m mickey-mouse --name test
>
> produces:

But if I can get the optimizer to work in this case, it should generate
a workable rule.

>
> [...]
> :INLINE - [0:0]
> [...]
> -A INLINE --dport 1234 -m mickey -mouse --name test
>

With the patch, you get:

:%INLINE1 - [0:0]
...
-A %INLINE1 --dport 1234 -m mickey -mouse --name test
...
-A fw2net -p 6 -j %INLINE1

Which clearly doesn't work. On the other hand, the -p match and its
option (--dport) are split between the columnar and raw parts of the
rule, which isn't something I would want to spend any time worrying about.

> 4.
>
> rules
> ~~~~~
> INLINE $FW net tcp - ; -p 17 --dport 2345 -j SECCTX --name test
>
> produces:
>
> [...]
> :INLINE - [0:0]
> [...]
> -A INLINE -p 17 --dport 2345 -j SECCTX --name test

It now produces:

%INLINE2 - [0:0]
...
-A %INLINE2 -p 17 --dport 2345 -j SECCTX --name test
...
-A fw2net -p 6 -j %INLINE1

Here, the fact that INLINE is implemented as an action is apparent. The
optimizer knows that it can't combine rules with different protocols, so
it leaves the rule unoptimized.

I realize that isn't what I indicated in an earlier email, but that's
the way it works.

>
> 5.
>
> rules
> ~~~~~
> INLINE $FW net - - ; -j SECCTX --name test
>
> produces:
>
> -A fw2net -j SECCTX --name test
>
> which is correct, but shouldn't that produce an error as there are 2
> trailing dashes (-) before ";"?

No -- you can have as many trailing dashes as there are remaining
columns in a rules file entry.

-Tom
Tom Eastep wrote:
> On 04/10/2013 07:12 PM, Mr Dash Four wrote:
>
>>> Yep, that did the trick. I am going to do a (very) light testing and
>>> will continue tomorrow as I ran out of time...
>>>
>
> My comments assume that the last simple patch that I posted last night
> has been installed.
>
Which one? You've posted two patches: INLINE.patch (which I applied, re-tested and reported back with the above comment) and SET1.patch (which I haven't done anything with yet as I am not at home).

As far as SET1.patch goes, I see another "use Shorewall::Config" is being added to action.INLINE, which was what your earlier INLINE.patch did - should I then reverse INLINE.patch and then apply SET1.patch, or should I just delete the first hunk in SET1.patch and then apply it?

>> 1.
>>
>> rules
>> ~~~~~
>> INLINE $FW net ; -m mickey-mouse --name test
>>
>> produces:
>>
>> [...]
>> :INLINE - [0:0]
>> [...]
>> -A INLINE -m mickey -mouse --name test
>>
>
>
> -A fw2net -m mickey -mouse --name test
>
>
>> 2.
>>
>> rules
>> ~~~~~
>> INLINE $FW:10.1.1.1 net:+mickey-mouse ; -m mickey-mouse --name test
>>
>> produces:
>>
>> [...]
>> :INLINE - [0:0]
>> [...]
>> -A fw2net -j INLINE
>>
>
> I presume that rule was produced by your entry in 1 above.
>
No, you've messed up the email quotation somehow... In case 1 above, I have "INLINE $FW net ; -m mickey-mouse --name test", which should produce "-A fw2net -m mickey-mouse --name test" (note the absence of space between "mickey" and "-mouse"), but it produces a jump to a new chain (called INLINE) with a single rule in it: "-m mickey -mouse --name test" (note the extra space). So, what I expected to happen was: 1) not to see this extra "INLINE" chain created; 2) not to see an extra space added between "mickey" and "-mouse", which transforms the whole match into something completely different (or, if "-" is not allowed in match names, then I expected to see an error raised by shorewall). So, that's about case 1 above.

With case 2, my understanding was that <src> and <dst> from your announcement were for specifying zones only and that nothing else is allowed there, hence why I reported this. Also, and that is a common "theme" throughout all reported cases, when I specify INLINE in my "rules", I expected a single statement to be added to the current chain (fw2net in all the cases I tested so far) with whatever I specified as parameters/arguments. That does not happen. I don't see the reason why an extra chain (defined %INLINE or whatever you wish to call it) needs to be created with an extra jump to whatever I specified as a rule to be added - it is much simpler to just construct the rule and add it to the current chain (fw2net in this case) instead and be done with it. In other words, I expected to see: "-A fw2net -m mickey-mouse --name test" in case 1 (instead of the new INLINE chain, a single rule, which was wrong anyway, added to it, as well as the additional jump to the INLINE chain). In case 2, I expected to see an error, given my assumptions above.

>> -A fw2net -s 10.1.1.1 -m set --match-set mickey-mouse dst -j INLINE
>>
>> Ignoring the above lines, shouldn't I get an error instead?
>>
>
> What error would you expect?
>
See above.

> With the patch, this rule now produces:
>
> :$INLINE [0:0]
> ...
> -A %INLINE -m mickey-mouse --name test
> ...
> -A fw2net -s 10.1.1.1 -m set --match-set mickey-mouse dst -j %INLINE
>
> The current optimizer isn't combining those rules which I will try to
> correct in the coming days.
>
Precisely! The "INLINE" chain should have never been created in the first place. The base premise on which INLINE as a feature was added was that whatever is after ";" needs to be appended to the "-A <chain>" (I didn't even want anything else after <src> and <dst>, but if shorewall could combine both that was fine with me too). Simply put - I did not expect to see all this "-j %INLINE" malarkey.

>> 3.
>>
>> rules
>> ~~~~~
>> INLINE $FW net tcp ; --dport 1234 -m mickey-mouse --name test
>>
>> produces:
> But if I can get the optimizer to work in this case, it should generate a workable rule.
>>
>> [...]
>> :INLINE - [0:0]
>> [...]
>> -A INLINE --dport 1234 -m mickey -mouse --name test
>>
>>
>
> With the patch, you get:
>
> :%INLINE1 - [0:0]
> ...
> -A %INLINE1 --dport 1234 -m mickey -mouse --name test
> ...
> -A fw2net -p 6 -j %INLINE1
>
> Which clearly doesn't work. On the other hand, the -p match and its
> option (--dport) are split between the columnar and raw parts of the
> rule, which isn't something I would want to spend any time worrying about.
>
Well, exactly and it is why I was for anything else specified after <src> and <dst> and before ";" to raise an error - simply because shorewall won't be able to always get it right (the above being a case in point). The rule should have been "INLINE $FW net ; -p tcp --dport 1234 -m mickey-mouse --name test" which should produce "-A fw2net -p tcp --dport 1234 -m mickey-mouse --name test". Anything in between is asking for trouble.

>> 4.
>>
>> rules
>> ~~~~~
>> INLINE $FW net tcp - ; -p 17 --dport 2345 -j SECCTX --name test
>>
>> produces:
>>
>> [...]
>> :INLINE - [0:0]
>> [...]
>> -A INLINE -p 17 --dport 2345 -j SECCTX --name test
>>
>
> It now produces:
>
> %INLINE2 - [0:0]
> ...
> -A %INLINE2 -p 17 --dport 2345 -j SECCTX --name test
> ...
> -A fw2net -p 6 -j %INLINE1
>
> Here, the fact that INLINE is implemented as an action is apparent. The
> optimizer knows that it can't combine rules with different protocols, so
> it leaves the rule unoptimized.
>
Shouldn't that produce an error because I am trying to fit two protocol matches in a single rule (tcp and udp)? The above still won't work though.

> I realize that isn't what I indicated in an earlier email, but that's
> the way it works.
>
Again, I don't see the need for this extra %INLINE chain, but you already know that.

>> 5.
>>
>> rules
>> ~~~~~
>> INLINE $FW net - - ; -j SECCTX --name test
>>
>> produces:
>>
>> -A fw2net -j SECCTX --name test
>>
>> which is correct, but shouldn't that produce an error as there are 2
>> trailing dashes (-) before ";"?
>>
>
> No -- you can have as many trailing dashes as there are remaining
> columns in a rules file entry.
>
Didn't know that, thanks.
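For readers following the disagreement above, here is an added model (Python, written for this thread and not Shorewall's own code) of the expansion Mr Dash Four is asking for: the columns build the chain and protocol match, the text after ";" is appended verbatim to that same chain, hyphenated match names survive intact, and the two cases he says should be rejected raise errors. The <src>2<dst> chain naming, the protocol table and the error checks are assumptions of this model; the real compiler's output is what "shorewall check -r" shows, and that is what should be reviewed before a start or restart.

```python
# Added illustration (Python), not Shorewall code: a minimal model of the
# INLINE expansion Mr Dash Four asks for in this thread. The chain naming
# ("<src>2<dst>"), the protocol table and the error checks are assumptions
# of this model, not documented Shorewall behaviour.

# Assumed protocol-name to number table (Shorewall emits "-p 6" for tcp).
PROTO_NUMBERS = {"tcp": "6", "udp": "17", "icmp": "1"}


def expand_inline(entry, fw="fw"):
    """Expand one 'INLINE <src> <dst> [<proto>] [<dport>] ... ; <raw>' entry
    into the single iptables rule that belongs in the <src>2<dst> chain.

    Raises ValueError where the reporter expects the compiler to refuse the
    entry (non-zone SOURCE/DEST, protocol given in both halves).
    """
    head, sep, raw = entry.partition(";")
    if not sep:
        raise ValueError("INLINE entry needs ';' before the raw iptables text")
    cols = head.split()
    if len(cols) < 3 or cols[0] != "INLINE":
        raise ValueError("expected: INLINE <src> <dst> ... ; <raw>")
    src, dst = cols[1], cols[2]
    # Case 2: only plain zone names are accepted in SOURCE/DEST (assumed
    # check): "$FW:10.1.1.1" or "net:+mickey-mouse" are rejected here.
    for zone in (src, dst):
        if not zone.replace("$", "").isalnum():
            raise ValueError(f"SOURCE/DEST must be a zone name, got {zone!r}")
    chain = f"{src.replace('$FW', fw)}2{dst.replace('$FW', fw)}"
    # Case 5: trailing '-' placeholders are empty columns, any number is fine.
    rest = [c for c in cols[3:] if c != "-"]
    # Raw text is split on whitespace only, so 'mickey-mouse' stays one
    # token: the "-m mickey -mouse" corruption from case 1 cannot happen.
    raw_tokens = raw.split()
    if rest and "-p" in raw_tokens:
        # Case 4 as the reporter wants it: two protocols in one rule is an error.
        raise ValueError("protocol given both in the PROTO column and after ';'")
    matches = []
    if rest:
        proto = rest[0].lower()
        matches.append(f"-p {PROTO_NUMBERS.get(proto, proto)}")
        if len(rest) > 1:
            matches.append(f"--dport {rest[1]}")
    # Everything is appended to the existing chain: no %INLINE chain, no jump.
    return " ".join(["-A", chain, *matches, *raw_tokens])


if __name__ == "__main__":
    print(expand_inline("INLINE $FW net tcp 1234 ; -j SETCTX --name foo"))
```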
On 04/11/2013 08:52 AM, Mr Dash Four wrote:
>
> Tom Eastep wrote:
>> On 04/10/2013 07:12 PM, Mr Dash Four wrote:
>>
>>>> Yep, that did the trick. I am going to do a (very) light testing and
>>>> will continue tomorrow as I ran out of time...
>>>>
>>
>> My comments assume that the last simple patch that I posted last night
>> has been installed.
>>
> Which one? You've posted two patches: INLINE.patch (which I applied,
> re-tested and reported back with the above comment) and SET1.patch
> (which I haven't done anything with yet as I am not at home).
>
> As far as SET1.patch goes, I see another "use Shorewall::Config" is being
> added to action.INLINE, which was what your earlier INLINE.patch did -
> should I then reverse INLINE.patch and then apply SET1.patch, or should
> I just delete the first hunk in SET1.patch and then apply it?
>
...

I've come up with a much simpler and understandable implementation. I'll upload Beta 3 shortly.

-Tom

-- 
Tom Eastep          \ When I die, I want to go like my Grandfather who
Shoreline,           \ died peacefully in his sleep. Not screaming like
Washington, USA       \ all of the passengers in his car
http://shorewall.net   \________________________________________________
On Thursday 11 Apr 2013 14:22:02 Tom Eastep wrote:
> On 04/11/2013 04:53 AM, Steven Jan Springl wrote:
> > Confirmed, the patch fixes the issue.
> > Thanks.
> >
> > -------------------------------------------------------------------------
> > -------------------------
> >
> > In the attached config, an interface has the option 'maclist' and the
> > rules file contains:
> >
> > A_DROP:warn lan all tcp 99
> >
> > This produces the following error message:
> >
> > Compiling MAC Filtration -- Phase 2...
> >
> > ERROR: Unknown rule target (A_DROP)
>
> The attached patch corrects the problem.
>
> Thanks Steven,
> -Tom

Tom

Confirmed, the patch fixes the issue.

----------------------------------------------------------------------------------

The attached minimal config produces the following error message:

Generating Rule Matrix...
ERROR: Unknown rule target (NONE)

Steven.
On 04/11/2013 09:16 AM, Steven Jan Springl wrote:
>
> The attached minimal config produces the following error message:
>
> Generating Rule Matrix...
> ERROR: Unknown rule target (NONE)
>
Patch attached.

Thanks Steven,
-Tom
On Thursday 11 Apr 2013 17:34:54 Tom Eastep wrote:
> On 04/11/2013 09:16 AM, Steven Jan Springl wrote:
> > The attached minimal config produces the following error message:
> >
> > Generating Rule Matrix...
> >
> > ERROR: Unknown rule target (NONE)
>
> Patch attached.
>
> Thanks Steven,
> -Tom

Tom

Confirmed, the patch corrects the issue.

Thanks.

Steven.
On 04/11/2013 10:42 AM, Steven Jan Springl wrote:
>
> Confirmed, the patch corrects the issue.
>
Thanks Steven,
-Tom