Beta 3 is now available for testing.

It corrects several problems reported by Steven Springl. It also re-implements the INLINE action to resolve the many issues raised by Mr Dash Four.

One thing to keep in mind; in INLINE rules that contain a '-j' part, that part must be last. The compiler assumes that everything past '-j' is the rule target and options.

Thank you for testing,
-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Precog is a next-generation analytics platform capable of advanced analytics on semi-structured data. The platform includes APIs for building apps and a phenomenal toolset for data science. Developers can use our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter
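The contract stated in the announcement (the text after ';' is raw iptables, and everything from '-j' onward belongs to the target) can be written down as a small parser. The following is an added example for this thread, not the Shorewall compiler's code: it does not reproduce the compiler's column handling, and it applies the '-j' rule literally, whereas the test reports later in the thread show the real compiler also recognises options such as '--dport' and '-m' after '-j'. Assumptions: the Shorewall columns before ';' are kept as an opaque list, the tail is tokenised like a shell command line, a '-m NAME' group runs until the next '-m' or '-j', and a '!' that precedes '-m' or '-j' is rejected because that is not valid iptables syntax.

```python
"""Model of the INLINE contract: raw iptables after ';', '-j' last.

Added example, not the Shorewall compiler's code. It keeps the Shorewall
columns before ';' as-is and only interprets the iptables tail.
"""
import shlex
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class InlineRule:
    columns: List[str]                 # Shorewall columns before ';'
    matches: List[List[str]]           # '-m NAME ...' groups and bare options, in order
    target: Optional[str] = None       # the '-j' target, if any
    target_opts: List[str] = field(default_factory=list)

    def iptables_tail(self) -> str:
        """Raw iptables text this rule contributes, matches first and '-j' last."""
        parts = [tok for group in self.matches for tok in group]
        if self.target is not None:
            parts += ["-j", self.target] + self.target_opts
        return " ".join(parts)


def _check_negations(tokens: List[str]) -> None:
    """iptables negation goes in front of an option ('! --name x'), never in front of '-m' or '-j'."""
    for i, tok in enumerate(tokens):
        if tok == "!":
            nxt = tokens[i + 1] if i + 1 < len(tokens) else None
            if nxt is None or nxt in ("-m", "-j") or not nxt.startswith("-"):
                raise ValueError("'!' must precede an option, not %r" % (nxt,))


def parse_inline(line: str) -> InlineRule:
    head, sep, tail = line.partition(";")
    if not sep:
        raise ValueError("INLINE rule needs a ';' before the raw iptables part")
    columns = head.split()
    if not columns or columns[0].split(":")[0] != "INLINE":   # allows INLINE:info etc.
        raise ValueError("not an INLINE rule: %r" % line)
    tokens = shlex.split(tail)
    _check_negations(tokens)
    rule = InlineRule(columns=columns, matches=[])
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-j":
            # Contract from the announcement: everything past '-j' is the
            # target and its options, even tokens that look like matches.
            if i + 1 >= len(tokens):
                raise ValueError("'-j' without a target")
            rule.target = tokens[i + 1]
            rule.target_opts = tokens[i + 2:]
            break
        if tok == "-m":
            if i + 1 >= len(tokens):
                raise ValueError("'-m' without a match name")
            group = ["-m", tokens[i + 1]]    # hyphens in the match name are kept whole
            i += 2
            while i < len(tokens) and tokens[i] not in ("-m", "-j"):
                group.append(tokens[i])
                i += 1
            rule.matches.append(group)
            continue
        # A bare option such as '-p tcp' or '! --dport 22': collect it with its arguments.
        group = [tok]
        i += 1
        while i < len(tokens) and not tokens[i].startswith("-") and tokens[i] != "!":
            group.append(tokens[i])
            i += 1
        rule.matches.append(group)
    return rule


if __name__ == "__main__":
    for text in (
        "INLINE $FW net ; -j SECCTX --name test2",
        "INLINE $FW net ; -m mickey-mouse --name test2",
        "INLINE $FW net tcp - 2345 ; -j SSS --dport 1234 -m mouse --name test2",
    ):
        r = parse_inline(text)
        print("%-70s -> %s" % (text, r.iptables_tail()))
```

Under this literal reading, '-j SSS --dport 1234 -m mouse --name test2' yields a target of SSS with '--dport 1234 -m mouse --name test2' as its options; the compiler's own handling of that input is discussed further down the thread.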
Tom Eastep wrote:
> Beta 3 is now available for testing.
>
> It corrects several problems reported by Steven Springl. It also
> re-implements the INLINE action to resolve the many issues raised by Mr
> Dash Four.
>
> One thing to keep in mind; in INLINE rules that contain a '-j' part,
> that part must be last. The compiler assumes that everything past '-j'
> is the rule target and options.
>
That's fine (I always assumed that to be the case anyway).

So has anything changed in terms of how the INLINE statement is specified? Should I assume that the %INLINE chain business is now gone? Am I going to be allowed to specify SOURCE and DEST properties (like $FW:10.1.1.1 for example) and anything afterwards or is that not permitted? What about "partial" matches (like case 3 in my previous report)?
On 04/11/2013 11:09 AM, Mr Dash Four wrote:
> Tom Eastep wrote:
>> Beta 3 is now available for testing.
>>
>> It corrects several problems reported by Steven Springl. It also
>> re-implements the INLINE action to resolve the many issues raised by Mr
>> Dash Four.
>>
>> One thing to keep in mind; in INLINE rules that contain a '-j' part,
>> that part must be last. The compiler assumes that everything past '-j'
>> is the rule target and options.
>>
> That's fine (I always assumed that to be the case anyway).
>
> So has anything changed in terms of how the INLINE statement is
> specified?

No.

> Should I assume that the %INLINE chain business is now gone?

Yes.

> Am I going to be allowed to specify SOURCE and DEST properties (like
> $FW:10.1.1.1 for example) and anything afterwards or is that not
> permitted?

Yes.

> What about "partial" matches (like case 3 in my previous report)?
>
That works. And your test case 4 now fails with an appropriate error message.

-Tom
Tom Eastep wrote:
> On 04/11/2013 11:09 AM, Mr Dash Four wrote:
>> Tom Eastep wrote:
>>> Beta 3 is now available for testing.
>>>
>>> It corrects several problems reported by Steven Springl. It also
>>> re-implements the INLINE action to resolve the many issues raised by Mr
>>> Dash Four.
>>>
>>> One thing to keep in mind; in INLINE rules that contain a '-j' part,
>>> that part must be last. The compiler assumes that everything past '-j'
>>> is the rule target and options.
>>>
>> That's fine (I always assumed that to be the case anyway).
>>
>> So has anything changed in terms of how the INLINE statement is
>> specified?
>
> No.
>
>> Should I assume that the %INLINE chain business is now gone?
>
> Yes.
>
>> Am I going to be allowed to specify SOURCE and DEST properties (like
>> $FW:10.1.1.1 for example) and anything afterwards or is that not
>> permitted?
>
> Yes.
>
>> What about "partial" matches (like case 3 in my previous report)?
>
> That works. And your test case 4 now fails with an appropriate error
> message.
>
All good. I'll have more time later when I get home and will be able to give it a more thorough testing this time.
On Thursday 11 Apr 2013 18:03:55 Tom Eastep wrote:
> Beta 3 is now available for testing.
>
> It corrects several problems reported by Steven Springl. It also
> re-implements the INLINE action to resolve the many issues raised by Mr
> Dash Four.
>
> One thing to keep in mind; in INLINE rules that contain a '-j' part,
> that part must be last. The compiler assumes that everything past '-j'
> is the rule target and options.
>
> Thank you for testing,
> -Tom

Tom

Rule:

A_ACCEPT!    lan    all    tcp    99

Produces the following error message:

ERROR: Unknown ACTION (A_ACCEPT!) /etc/shorewall2A26/rules (line 19)

Steven.
On 04/11/2013 01:23 PM, Steven Jan Springl wrote:
> On Thursday 11 Apr 2013 18:03:55 Tom Eastep wrote:
>> Beta 3 is now available for testing
>
> Rule:
>
> A_ACCEPT!    lan    all    tcp    99
>
> Produces the following error message:
>
> ERROR: Unknown ACTION (A_ACCEPT!) /etc/shorewall2A26/rules (line 19)
>
The attached patch fixes it.

Thanks Steven,
-Tom
On Thursday 11 Apr 2013 21:36:32 Tom Eastep wrote:
> On 04/11/2013 01:23 PM, Steven Jan Springl wrote:
>> On Thursday 11 Apr 2013 18:03:55 Tom Eastep wrote:
>>> Beta 3 is now available for testing
>>
>> Rule:
>>
>> A_ACCEPT!    lan    all    tcp    99
>>
>> Produces the following error message:
>>
>> ERROR: Unknown ACTION (A_ACCEPT!) /etc/shorewall2A26/rules (line 19)
>
> The attached patch fixes it.
>
> Thanks Steven,
> -Tom

Tom

Confirmed, the patch fixes the issue. Thanks.

Steven.
Tom

Rule:

INLINE:warn    lan    all    tcp    99

produces the following messages:

Use of uninitialized value $target in hash element at /usr/share/shorewall/Shorewall/Chains.pm line 2127, <$currentfile> line 19.

Use of uninitialized value $target in hash element at /usr/share/shorewall/Shorewall/Chains.pm line 2128, <$currentfile> line 19.

Steven.
On 04/11/2013 01:59 PM, Steven Jan Springl wrote:
> Tom
>
> Rule:
>
> INLINE:warn    lan    all    tcp    99
>
> produces the following messages:
>
> Use of uninitialized value $target in hash element at
> /usr/share/shorewall/Shorewall/Chains.pm line 2127, <$currentfile> line 19.
>
> Use of uninitialized value $target in hash element at
> /usr/share/shorewall/Shorewall/Chains.pm line 2128, <$currentfile> line 19.
>
Steven,

I've corrected this in my tree but the patch won't apply on your system.

I've attached the entire Rules.pm file.

-Tom
On Thursday 11 Apr 2013 22:13:28 Tom Eastep wrote:
> On 04/11/2013 01:59 PM, Steven Jan Springl wrote:
>> Tom
>>
>> Rule:
>>
>> INLINE:warn    lan    all    tcp    99
>>
>> produces the following messages:
>>
>> Use of uninitialized value $target in hash element at
>> /usr/share/shorewall/Shorewall/Chains.pm line 2127, <$currentfile> line
>> 19.
>>
>> Use of uninitialized value $target in hash element at
>> /usr/share/shorewall/Shorewall/Chains.pm line 2128, <$currentfile> line
>> 19.
>
> Steven,
>
> I've corrected this in my tree but the patch won't apply on your system.
>
> I've attached the entire Rules.pm file.
>
> -Tom

Tom

Confirmed, the replacement Rules.pm file fixes the issue. Thanks.

Steven.
Mr Dash Four wrote:
> All good. I'll have more time later when I get home and will be able
> to give it a more thorough testing this time.

So far (much better results this time!)...

1.
rules
~~~~~
INLINE $FW net ; -j SECCTX --name test2

produces what was expected, but it is worth noting that I do *not* have "SECCTX builtin" in my "actions" (not that I am complaining, of course - I like it!)

2.
rules
~~~~~
INLINE $FW net ; -m mickey-mouse --name test2

produces

-A fw2net -m mickey -mouse --name test2

Note the space between "mickey" and "-mouse" - I expected either "-A fw2net -m mickey-mouse --name test2" or an error if match names in iptables cannot have a dash (-)

3.
rules
~~~~~
INLINE $FW:10.1.1.1 net:+mickey-mouse ; -m mouse --name test2

produces

-A fw2net -s 10.1.1.1 -m mouse --name test2 -m set --match-set mickey-mouse dst

Now, I would like to have the bit after ";" appear last (in other words, appended to the "normal" shorewall statement) and not, as it is in the above example, slammed in the middle.

Why is this important? Because some matches (nfacct "match" being a prime example of that "technique") are not really "matches" (they always return true) and therefore, if I have a similar match to the nfacct "match" (I do use 2 such "custom" matches here), then the whole rule logic is going to be screwed up. In other words:

INLINE $FW:10.1.1.1 net:+mickey-mouse ; -m mouse --name test2

should produce

-A fw2net -s 10.1.1.1 -m set --match-set mickey-mouse dst -m mouse --name test2

(correct, as "-m mouse" executes only if "-s 10.1.1.1" *and* "-m set --match-set mickey-mouse dst" return true)

and not produce

-A fw2net -s 10.1.1.1 -m mouse --name test2 -m set --match-set mickey-mouse dst

(incorrect, as "-m mouse --name test2" executes when "-s 10.1.1.1" is satisfied, but the ipset match has not been checked yet).

4.
rules
~~~~~
INLINE $FW net tcp - 2345 ; -j SSS --dport 1234 -m mouse --name test2

produces

-A fw2net -p 6 --dport 1234 --sport 2345 -m mouse --name test2 -j SSS

Shouldn't the above raise an error as after the "-j" everything should be considered parameters to the target specified - SSS in the above example?

Not that I am complaining, because "-m" normally indicates the start of a match and "--dport" is also a "standard" match as well, so I suspect shorewall parses everything after ";" (and does that pretty well, it seems), which is illustrated by this test case:

rules
~~~~~
INLINE $FW net tcp - 2345 ; -j SSS --test2 1234 -m mouse --name test2

produces

-A fw2net -p 6 --sport 2345 -m mouse --name test2 -j SSS --test2 1234
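The ordering concern in test case 3 above is worth seeing in executable form, because it is a correctness issue rather than a cosmetic one: iptables evaluates a rule's matches left to right and stops at the first one that fails, so a match that always succeeds but has a side effect (nfacct increments an accounting counter every time it is evaluated) records different things depending on where the compiler places it. The following is an added example for this thread, not Shorewall or iptables code; it models that evaluation order in Python with a stand-in for '-m nfacct --nfacct-name NAME', and the packets and ipset contents are constructed.

```python
"""Why match order matters when a match has side effects (test case 3).

Added example, not Shorewall or iptables code. Models iptables' left-to-
right, first-failure-stops evaluation of a rule's matches, with an
nfacct-style match that always succeeds but counts each evaluation.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class Packet:
    src: str
    dst: str


@dataclass
class Match:
    text: str                          # how the match would appear in the iptables rule
    test: Callable[[Packet], bool]     # True if the match accepts the packet


class NfacctCounter:
    """Stand-in for '-m nfacct --nfacct-name NAME': always true, counts every evaluation."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.packets = 0

    def match(self, pkt: Packet) -> bool:
        self.packets += 1
        return True


def rule_matches(matches: List[Match], pkt: Packet) -> bool:
    """iptables semantics: evaluate in order; the first failing match ends the rule."""
    return all(m.test(pkt) for m in matches)   # all() short-circuits on the first False


def render(matches: List[Match]) -> str:
    return " ".join(m.text for m in matches)


def source_match(addr: str) -> Match:
    return Match("-s %s" % addr, lambda p: p.src == addr)


def ipset_dst_match(name: str, members: set) -> Match:
    return Match("-m set --match-set %s dst" % name, lambda p: p.dst in members)


def evaluate_case3(accounting_before_ipset: bool) -> Tuple[int, int]:
    """Return (packets the whole rule matched, packets the counter saw).

    accounting_before_ipset=True mirrors the rearranged rule reported in
    test case 3 (extra match placed before the ipset match); False is the
    order the reporter asked for (extra match appended last).
    """
    counter = NfacctCounter("test2")
    accounting = Match("-m nfacct --nfacct-name test2", counter.match)
    src = source_match("10.1.1.1")
    dst = ipset_dst_match("mickey-mouse", {"198.51.100.10"})   # constructed set contents
    rule = [src, accounting, dst] if accounting_before_ipset else [src, dst, accounting]
    traffic = [                                  # constructed packets
        Packet("10.1.1.1", "198.51.100.10"),     # in the set: the rule matches
        Packet("10.1.1.1", "203.0.113.5"),       # not in the set: the rule must not match
        Packet("10.1.1.2", "198.51.100.10"),     # wrong source: evaluation stops at -s
    ]
    matched = sum(1 for p in traffic if rule_matches(rule, p))
    return matched, counter.packets


if __name__ == "__main__":
    for before in (True, False):
        matched, counted = evaluate_case3(before)
        print("matched=%d counted=%d" % (matched, counted))
```

With the counter placed before the ipset match, one packet matches the rule but the counter sees two, because the second packet passes '-s 10.1.1.1', is counted, and only then fails the set lookup. With the counter last, matched and counted agree. The same argument applies to any always-true match with a side effect, which is why the reporter wants the text after ';' appended rather than merged into the middle of the generated rule.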
On 4/11/13 4:07 PM, "Mr Dash Four" <mr.dash.four@googlemail.com> wrote:

> Mr Dash Four wrote:
>> All good. I'll have more time later when I get home and will be able
>> to give it a more thorough testing this time.
> So far (much better results this time!)...
>
> 1.
> rules
> ~~~~~
> INLINE $FW net ; -j SECCTX --name test2
>
> produces what was expected, but it is worth noting that I do *not* have
> "SECCTX builtin" in my "actions" (not that I am complaining, of course -
> I like it!)

I have fixed that but my tree has advanced to the point that the patch won't apply to Beta 3.

> 2.
> rules
> ~~~~~
> INLINE $FW net ; -m mickey-mouse --name test2
>
> produces
>
> -A fw2net -m mickey -mouse --name test2
>
> Note the space between "mickey" and "-mouse" - I expected either "-A
> fw2net -m mickey-mouse --name test2" or an error if match names in
> iptables cannot have a dash (-)

Patch attached.

> 3.
> rules
> ~~~~~
> INLINE $FW:10.1.1.1 net:+mickey-mouse ; -m mouse --name test2
>
> produces
>
> -A fw2net -s 10.1.1.1 -m mouse --name test2 -m set --match-set
> mickey-mouse dst
>
> Now, I would like to have the bit after ";" appear last (in other words,
> appended to the "normal" shorewall statement) and not, as it is in the
> above example, slammed in the middle.
>
> Why is this important? Because some matches (nfacct "match" being a
> prime example of that "technique") are not really "matches" (they always
> return true) and therefore, if I have a similar match to the nfacct
> "match" (I do use 2 such "custom" matches here), then the whole rule
> logic is going to be screwed up. In other words:
>
> INLINE $FW:10.1.1.1 net:+mickey-mouse ; -m mouse --name test2
>
> should produce
>
> -A fw2net -s 10.1.1.1 -m set --match-set mickey-mouse dst -m mouse
> --name test2 (correct, as "-m mouse" executes only if "-s 10.1.1.1"
> *and* "-m set --match-set mickey-mouse dst" return true)
>
> and not produce
>
> -A fw2net -s 10.1.1.1 -m mouse --name test2 -m set --match-set
> mickey-mouse dst (incorrect, as "-m mouse --name test2" executes when
> "-s 10.1.1.1" is satisfied, but the ipset match has not been checked yet).

This is going to be surprisingly difficult. I'll need some time to determine what (if anything) is possible.

> 4.
> rules
> ~~~~~
> INLINE $FW net tcp - 2345 ; -j SSS --dport 1234 -m mouse --name test2
>
> produces
>
> -A fw2net -p 6 --dport 1234 --sport 2345 -m mouse --name test2 -j SSS
>
> Shouldn't the above raise an error as after the "-j" everything should
> be considered parameters to the target specified - SSS in the above
> example?
>
> Not that I am complaining, because "-m" normally indicates the start of
> a match and "--dport" is also a "standard" match as well, so I suspect
> shorewall parses everything after ";" (and does that pretty well, it
> seems), which is illustrated by this test case:
>
> rules
> ~~~~~
> INLINE $FW net tcp - 2345 ; -j SSS --test2 1234 -m mouse --name test2
>
> produces
>
> -A fw2net -p 6 --sport 2345 -m mouse --name test2 -j SSS --test2 1234

I think that I'll leave this as it is. Shorewall understands --dport which is why this works the way it does.

-Tom

You do not need a parachute to skydive. You only need a parachute to skydive twice.
On 4/11/13 5:17 PM, "Tom Eastep" <teastep@shorewall.net> wrote:

> On 4/11/13 4:07 PM, "Mr Dash Four" <mr.dash.four@googlemail.com> wrote:
>>
>> 4.
>> rules
>> ~~~~~
>> INLINE $FW net tcp - 2345 ; -j SSS --dport 1234 -m mouse --name test2
>>
>> produces
>>
>> -A fw2net -p 6 --dport 1234 --sport 2345 -m mouse --name test2 -j SSS
>>
>> Shouldn't the above raise an error as after the "-j" everything should
>> be considered parameters to the target specified - SSS in the above
>> example?
>>
>> Not that I am complaining, because "-m" normally indicates the start of
>> a match and "--dport" is also a "standard" match as well, so I suspect
>> shorewall parses everything after ";" (and does that pretty well, it
>> seems), which is illustrated by this test case:
>>
>> rules
>> ~~~~~
>> INLINE $FW net tcp - 2345 ; -j SSS --test2 1234 -m mouse --name test2
>>
>> produces
>>
>> -A fw2net -p 6 --sport 2345 -m mouse --name test2 -j SSS --test2 1234
>
> I think that I'll leave this as it is. Shorewall understands --dport which
> is why this works the way it does.

And it understands '-m', of course.

-Tom
> I have fixed that but my tree has advanced to the point that the patch
> won't apply to Beta 3.
>
No worries - I liked the way it was, but I assume that would impact the performance (or not) of the optimiser, so I left it up to you whether to fix this.

>> 2.
>> rules
>> ~~~~~
>> INLINE $FW net ; -m mickey-mouse --name test2
>>
>> produces
>>
>> -A fw2net -m mickey -mouse --name test2
>>
>> Note the space between "mickey" and "-mouse" - I expected either "-A
>> fw2net -m mickey-mouse --name test2" or an error if match names in
>> iptables cannot have a dash (-)
>
> Patch attached.
>
Works as expected.

> This is going to be surprisingly difficult. I'll need some time to
> determine what (if anything) is possible.
>
If you can't find an easy solution to this, not to worry - I could always include the entire rule after ";" and leave the bare minimum (<src> and <dst>) on the left side of ";". I am not sure how this would impact the optimiser though.

> I think that I'll leave this as it is. Shorewall understands --dport which
> is why this works the way it does.
>
Yep, that's good.

In the meantime I found a few more:

5.
rules
~~~~~
INLINE:info $FW net ; -m mouse --name test2

produces

"ERROR: Invalid column/value pair (-m)"

6.
rules
~~~~~
INLINE $FW:10.1.1.1 net:+mickey-mouse ; ! -m mickey-mouse --name test2

produces

-A fw2net -s 10.1.1.1 -m mickey-mouse ! --name test2 -m set --match-set mickey-mouse dst

I presume the "!" will mess things up if I try other such combinations, so I am not fully testing this for the time being.

One query: are parameters accepted in the bit after ";"? Something like "INLINE $FW net ; ! -m my-owner --owner $MY_UID -j DROP"?
On 4/11/13 5:45 PM, "Mr Dash Four" <mr.dash.four@googlemail.com> wrote:

>> Patch attached.
>>
> Works as expected.

Thanks.

>> This is going to be surprisingly difficult. I'll need some time to
>> determine what (if anything) is possible.
>>
> If you can't find an easy solution to this, not to worry - I could
> always include the entire rule after ";" and leave the bare minimum
> (<src> and <dst>) on the left side of ";". I am not sure how this would
> impact the optimiser though.

The only possible issue will be multiple instances of the same match.

>> I think that I'll leave this as it is. Shorewall understands --dport
>> which is why this works the way it does.
>>
> Yep, that's good.

Thanks.

> In the meantime I found a few more:
>
> 5.
> rules
> ~~~~~
> INLINE:info $FW net ; -m mouse --name test2
>
> produces
>
> "ERROR: Invalid column/value pair (-m)"

Steven already reported that. I provided a fix in the form of an updated Rules.pm file.

> 6.
> rules
> ~~~~~
> INLINE $FW:10.1.1.1 net:+mickey-mouse ; ! -m mickey-mouse --name test2
>
> produces
>
> -A fw2net -s 10.1.1.1 -m mickey-mouse ! --name test2 -m set --match-set
> mickey-mouse dst
>
> I presume the "!" will mess things up if I try other such combinations,
> so I am not fully testing this for the time being.

The compiler actually did the 'right' thing there, even though what you entered was not valid iptables syntax.

> One query: are parameters accepted in the bit after ";"? Something like
> "INLINE $FW net ; ! -m my-owner --owner $MY_UID -j DROP"?

Yes.

-Tom
>> If you can't find an easy solution to this, not to worry - I could
>> always include the entire rule after ";" and leave the bare minimum
>> (<src> and <dst>) on the left side of ";". I am not sure how this would
>> impact the optimiser though.
>>
> The only possible issue will be multiple instances of the same match.
>
You mean multiple instances after ";" or on both sides of ";"? Either way, I would say Shorewall has done a pretty good job of sanitising various silly combinations/scenarios, so allowing for multiple matches (which was expected anyway, given the nature of INLINE) isn't really a big deal I would think.

>> 6.
>> rules
>> ~~~~~
>> INLINE $FW:10.1.1.1 net:+mickey-mouse ; ! -m mickey-mouse --name test2
>>
>> produces
>>
>> -A fw2net -s 10.1.1.1 -m mickey-mouse ! --name test2 -m set --match-set
>> mickey-mouse dst
>>
>> I presume the "!" will mess things up if I try other such combinations,
>> so I am not fully testing this for the time being.
>>
> The compiler actually did the 'right' thing there, even though what you
> entered was not valid iptables syntax.
>
Yeah, I realised that as soon as I reported it. Shorewall should have at least warned me though.

>> One query: are parameters accepted in the bit after ";"? Something like
>> "INLINE $FW net ; ! -m my-owner --owner $MY_UID -j DROP"?
>>
> Yes.
>
Yep, that was just tested as well. I'll do a little more testing tomorrow during the day (it's my day off, so I will have more time then) and report back if I find anything.
On 4/11/13 7:47 PM, "Mr Dash Four" <mr.dash.four@googlemail.com> wrote:

>>> If you can't find an easy solution to this, not to worry - I could
>>> always include the entire rule after ";" and leave the bare minimum
>>> (<src> and <dst>) on the left side of ";". I am not sure how this would
>>> impact the optimiser though.
>>>
>> The only possible issue will be multiple instances of the same match.
>>
> You mean multiple instances after ";" or on both sides of ";"? Either
> way, I would say Shorewall has done a pretty good job of sanitising
> various silly combinations/scenarios, so allowing for multiple matches
> (which was expected anyway, given the nature of INLINE) isn't really a
> big deal I would think.

The part of the compiler that understands iptables doesn't know what is before ';' and after; it sees one long rule.

>>> 6.
>>> rules
>>> ~~~~~
>>> INLINE $FW:10.1.1.1 net:+mickey-mouse ; ! -m mickey-mouse --name test2
>>>
>>> produces
>>>
>>> -A fw2net -s 10.1.1.1 -m mickey-mouse ! --name test2 -m set --match-set
>>> mickey-mouse dst
>>>
>>> I presume the "!" will mess things up if I try other such combinations,
>>> so I am not fully testing this for the time being.
>>>
>> The compiler actually did the 'right' thing there, even though what you
>> entered was not valid iptables syntax.
>>
> Yeah, I realised that as soon as I reported it. Shorewall should have at
> least warned me though.

I don't think so. Remember that you are responsible for what follows the ';'

>>> One query: are parameters accepted in the bit after ";"? Something like
>>> "INLINE $FW net ; ! -m my-owner --owner $MY_UID -j DROP"?
>>>
>> Yes.
>>
> Yep, that was just tested as well. I'll do a little more testing
> tomorrow during the day (it's my day off, so I will have more time then)
> and report back if I find anything.

Cool. I'll be out of town this weekend (leaving at noon tomorrow). I'll check in and probably do a bit of work but my weekend is aimed at tasting good wine while eating good food :-)

-Tom
Tom Eastep wrote:
> On 4/11/13 7:47 PM, "Mr Dash Four" <mr.dash.four@googlemail.com> wrote:
>
>>>> If you can't find an easy solution to this, not to worry - I could
>>>> always include the entire rule after ";" and leave the bare minimum
>>>> (<src> and <dst>) on the left side of ";". I am not sure how this would
>>>> impact the optimiser though.
>>>>
>>> The only possible issue will be multiple instances of the same match.
>>>
>> You mean multiple instances after ";" or on both sides of ";"? Either
>> way, I would say Shorewall has done a pretty good job of sanitising
>> various silly combinations/scenarios, so allowing for multiple matches
>> (which was expected anyway, given the nature of INLINE) isn't really a
>> big deal I would think.
>
> The part of the compiler that understands iptables doesn't know what is
> before ';' and after; it sees one long rule.
>
OK, apologies for this late reply, but I was "held up" with a few other issues. As far as this Beta goes though, the only issue which remains (at least from my point anyway) is that even if I tuck in everything after the ";" sign, Shorewall still rearranges it:

rules
~~~~~
INLINE $FW net ; -m mickey-mouse --name test -m set --match-set test src -m mickey-mouse --name test2 -j SECCTX

produces

-A fw2net -m mickey-mouse --name test -m mickey-mouse --name test2 -m set --match-set test src -j SECCTX
On 4/13/13 9:37 AM, "Dash Four" <mr.dash.four@googlemail.com> wrote:

> OK, apologies for this late reply, but I was "held up" with a few other
> issues. As far as this Beta goes though, the only issue which remains
> (at least from my point anyway) is that even if I tuck in everything
> after the ";" sign, Shorewall still rearranges it:
>
> rules
> ~~~~~
> INLINE $FW net ; -m mickey-mouse --name test -m set --match-set test src
> -m mickey-mouse --name test2 -j SECCTX
>
> produces
>
> -A fw2net -m mickey-mouse --name test -m mickey-mouse --name test2 -m
> set --match-set test src -j SECCTX

I've worked on this a bit -- I think the best that is feasible is that I can keep the rules after the ';' in their specified order. Hope that is sufficient.

-Tom
> I've worked on this a bit -- I think the best that is feasible is that I
> can keep the rules after the ';' in their specified order. Hope that is
> sufficient.
>
Yeah, it would be, as long as that order is preserved. That's an acceptable compromise, I think.