RC 1 is now available for testing.

Changes since Beta 6:

1) INLINE is now supported in the tcrules file. The INLINE action is also supported in the accounting and tcrules files. In the accounting file, INLINE is treated the same as COUNT with the exception that the freeform iptables input following the ';' is appended to any matches generated by the column contents. INLINE is treated similarly in the tcrules file; that is, the freeform input following ';' must specify the rule target, if any. In the accounting and tcrules files, INLINE does not accept a parameter.

2) The method of specifying that an nfacct object is incremented unconditionally has changed. Previously, the '!' followed the closing parenthesis:

   NFACCT(foo)!

It now follows the object name:

   NFACCT(foo!)

This allows unconditionally incrementing more than one object:

   NFACCT(foo!,bar!)

As part of this change, nfacct object names may now contain the characters &, ^, %, and @ in addition to letters, digits and _.

3) Prior to the availability of BEGIN PERL....END PERL in configuration files, the only way to execute a chain-specific script was to create a script file with the same name as the chain and place it in a directory on the CONFIG_PATH. That facility has the drawback that the compiler will attempt to run a non-script file just because it has the same name as a chain. To disable this facility, a new CHAIN_SCRIPTS option has been added to shorewall[6].conf. The facility is disabled by setting CHAIN_SCRIPTS=No. If not specified or specified as the empty value, CHAIN_SCRIPTS=Yes is assumed for backward compatibility.

Thank you for testing,
-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Try New Relic Now & We'll Send You this Cool Shirt
New Relic is the only SaaS-based application performance monitoring service
that delivers powerful full stack analytics. Optimize and monitor your
browser, app, & servers with just a few lines of code. Try New Relic
and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_apr
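As an added illustration of the new NFACCT(foo!,bar!) syntax from item 2 (example code written for this thread, not Shorewall's own Perl), the following Python model parses an NFACCT list, validates each name against the announced character set, and separates the '!' objects from the rest. The registry set, the exception class and the function names are assumptions.

```python
import re

# Added model of the RC 1 NFACCT(...) syntax described in the announcement;
# this is not Shorewall's Perl code.  Names may use letters, digits, _, &, ^,
# % and @; a trailing '!' marks an object that is incremented unconditionally.
NAME_RE = re.compile(r"^[\w&^%@]+(!)?$")

class InvalidNfacctName(ValueError):
    pass

def validate_nfobject(token, allow_bang=False):
    """Return the bare object name (without '!'); reject malformed names
    and reject a trailing '!' where the caller does not permit one."""
    m = NAME_RE.match(token)
    if not m or (m.group(1) and not allow_bang):
        raise InvalidNfacctName(f"Invalid nfacct object name ({token})")
    return token.rstrip("!")

def is_valid_nfobject(token, allow_bang=False):
    try:
        validate_nfobject(token, allow_bang)
        return True
    except InvalidNfacctName:
        return False

def split_nfacct_list(spec):
    """'NFACCT(foo!,bar)' -> ['foo!', 'bar'].  The old 'NFACCT(foo)!'
    spelling no longer parses."""
    m = re.fullmatch(r"NFACCT\((.*)\)", spec)
    if not m:
        raise InvalidNfacctName(f"Not an NFACCT action ({spec})")
    return [t.strip() for t in m.group(1).split(",")]

def expand_nfacct(spec, registry):
    """Return (prerule, rule) fragments and record each bare name in
    registry (an assumed set).  As in the thread's patch, '!' objects go
    into the prerule fragment and the others into the rule fragment."""
    prerule, rule = [], []
    for token in split_nfacct_list(spec):
        name = validate_nfobject(token, allow_bang=True)
        registry.add(name)                       # registered without the '!'
        target = prerule if token.endswith("!") else rule
        target.append(f"-m nfacct --nfacct-name {name}")
    return " ".join(prerule), " ".join(rule)

if __name__ == "__main__":
    seen = set()
    print(expand_nfacct("NFACCT(foo!,bar!)", seen), seen)
    print(is_valid_nfobject("NFACCT"), is_valid_nfobject("foo!"))
```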
Tom

Accounting file entry:

INLINE - eth1 eth0 tcp 99 ; -m length --length 255

Generates iptables rule:

-A accounting -p 6 --dport 99 -m length --length 255-i eth1 -o eth0

Which produces error message:

iptables-restore v1.4.18: length: Argument to "--length" has unexpected characters near "-i".

Note, I have applied NFACCTNAMES.patch from Beta 6.

Steven.
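To show the defect reported above (example code written for this thread, not Shorewall's own code), here is a Python model of how the column matches and the INLINE text are joined into one rule, with the missing separator beside the corrected join and a small lint that spots the fused "255-i" token. The fragment values come from the report; the function names are assumptions.

```python
import shlex

# Added model of accounting-rule assembly; this is not Shorewall's Perl code.
# Fragments follow the convention visible in the thread's patch: each match
# is appended with a trailing space.  Sample values are taken from the report
# "INLINE - eth1 eth0 tcp 99 ; -m length --length 255".
PROTO_MATCH = "-p 6 --dport 99"
IFACE_MATCHES = ["-i eth1", "-o eth0"]
INLINE_TEXT = "-m length --length 255"   # freeform text after the ';'

def build_rule_buggy(proto_match, inline_text, iface_matches):
    """RC 1 behaviour: the inline text is appended without a separator,
    so the next match fuses onto its last argument ("255-i")."""
    rule = proto_match + " "
    rule += inline_text                      # defect: no trailing space
    rule += " ".join(iface_matches)
    return "-A accounting " + rule

def build_rule_fixed(proto_match, inline_text, iface_matches):
    """Same assembly with the separator restored."""
    rule = proto_match + " "
    rule += inline_text.strip() + " "        # keep the one-space convention
    rule += " ".join(iface_matches)
    return "-A accounting " + rule

def missing_options(rule, expected=("-p", "-i", "-o", "-m")):
    """Lint for the symptom: return expected options that do not appear
    as stand-alone tokens (a fused "255-i" hides "-i")."""
    tokens = shlex.split(rule)
    return [opt for opt in expected if opt not in tokens]

if __name__ == "__main__":
    bad = build_rule_buggy(PROTO_MATCH, INLINE_TEXT, IFACE_MATCHES)
    good = build_rule_fixed(PROTO_MATCH, INLINE_TEXT, IFACE_MATCHES)
    print(bad)     # ... --length 255-i eth1 -o eth0
    print(good)    # ... --length 255 -i eth1 -o eth0
    print(missing_options(bad), missing_options(good))   # ['-i'] []
```

Running the lint over the rules a compiler emits, before handing them to iptables-restore, catches this class of concatenation slip without waiting for the load to fail.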
On 04/26/2013 08:52 AM, Steven Jan Springl wrote:
> Tom
>
> Accounting file entry:
>
> INLINE - eth1 eth0 tcp 99 ; -m length --length 255
>
> Generates iptables rule:
>
> -A accounting -p 6 --dport 99 -m length --length 255-i eth1 -o eth0
>
> Which produces error message:
>
> iptables-restore v1.4.18: length: Argument to "--length" has unexpected
> characters near "-i".
>
> Note, I have applied NFACCTNAMES.patch from Beta 6.

Attached is a patch that corrects this issue. It also centralizes validation of nfacct names. I would appreciate it if all who are testing nfacct would apply this patch.

Thanks,
-Tom
> I would appreciate it if all who are testing nfacct would apply this patch.
>
I have a question:

--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -235,15 +235,12 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
 require_capability 'NFACCT_MATCH', 'The NFACCT action', 's';
 $target = '';
 for ( my @objects = split_nfacct_list $1 ) {
- if ( $_ =~ /^([\w%&@~]+)(!)?$/ ) {
- if ( $2 ) {
- $prerule .= "-m nfacct --nfacct-name $1 ";
- } else {
- $rule .= "-m nfacct --nfacct-name $1 ";
- }
- } else {
- fatal_error "Invalid nfacct object name ($_)";
- }
+ validate_nfobject( $_, 1 );
+ if ( s/!$// ) {
+ $prerule .= "-m nfacct --nfacct-name $_ ";
+ } else {
+ $rule .= "-m nfacct --nfacct-name $_ ";
+ }
[...]
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
[...]
+#
+# Validate and register an nfacct object name
+#
+
+sub validate_nfobject( $;$ ) {
+ my ( $name, $allowbang ) = @_;
+
+ fatal_error "Invalid nfacct object name ($name)" unless $name =~ /^[-\w%&@~]+(!)?$/ && ( $allowbang || ! $1 );
+ $nfobjects{$_} = 1;
+}

From what I can see, "validate_nfobject" adds the nfacct name to the nfobjects array. This wasn't the case in Accounting.pm before as the object was just validated and (pre)rule was created. Is this intentional or have I got this wrong?
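Review bot: in the Accounting.pm hunk, `validate_nfobject( $_, 1 )` runs before `s/!$//` strips the trailing bang, so the name that is validated (and whatever the callee records) is `foo!`, while the match built two lines later uses the stripped `$_`. Strip first and validate the bare name, e.g. `my $bang = s/!$//; validate_nfobject( $_ );` and then test `$bang` to choose between `$prerule` and `$rule`; that also removes the need for the second argument.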
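Review bot: in the Chains.pm hunk, `validate_nfobject` validates `$name` but registers `$nfobjects{$_} = 1`; the two agree only when the caller happens to pass `$_`, and any caller passing another expression registers whatever `$_` holds at that point. Key the hash on the validated name with the bang removed, e.g. `( my $key = $name ) =~ s/!$//; $nfobjects{$key} = 1;`. Separately, the class `[-\w%&@~]` admits `-` and `~`, while the RC 1 notes list `&, ^, %, and @`; one of the two should be adjusted so they agree.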
Tom Eastep wrote:
> RC 1 is now available for testing.
>
I just tried to download the source, but it looks as though the code there is from Beta6, even though it is labelled as "RC1". The patch you attached earlier in this thread won't apply cleanly to this code - at least not without further tweaks.
On 04/26/2013 10:27 AM, Dash Four wrote:
>
>
> Tom Eastep wrote:
>> RC 1 is now available for testing.
>>
> I just tried to download the source, but it looks as though the code
> there is from Beta6, even though it is labelled as "RC1". The patch you
> attached earlier in this thread won't apply cleanly to this code - at
> least not without further tweaks.

Crap. I created a 4.6.15 branch then continued to update master :-(

I'll upload RC2 in a bit.

-Tom
On 04/26/2013 10:32 AM, Tom Eastep wrote:
> On 04/26/2013 10:27 AM, Dash Four wrote:
>>
>>
>> Tom Eastep wrote:
>>> RC 1 is now available for testing.
>>>
>> I just tried to download the source, but it looks as though the code
>> there is from Beta6, even though it is labelled as "RC1". The patch you
>> attached earlier in this thread won't apply cleanly to this code - at
>> least not without further tweaks.
>
> Crap. I created a 4.6.15 branch then continued to update master :-(
>
Make that 4.5.16...

-Tom
On 04/26/2013 09:54 AM, Dash Four wrote:
>
>> I would appreciate it if all who are testing nfacct would apply this patch.
>>
> I have a question:
>
> --- a/Shorewall/Perl/Shorewall/Accounting.pm
> +++ b/Shorewall/Perl/Shorewall/Accounting.pm
> @@ -235,15 +235,12 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
>  require_capability 'NFACCT_MATCH', 'The NFACCT action', 's';
>  $target = '';
>  for ( my @objects = split_nfacct_list $1 ) {
> - if ( $_ =~ /^([\w%&@~]+)(!)?$/ ) {
> - if ( $2 ) {
> - $prerule .= "-m nfacct --nfacct-name $1 ";
> - } else {
> - $rule .= "-m nfacct --nfacct-name $1 ";
> - }
> - } else {
> - fatal_error "Invalid nfacct object name ($_)";
> - }
> + validate_nfobject( $_, 1 );
> + if ( s/!$// ) {
> + $prerule .= "-m nfacct --nfacct-name $_ ";
> + } else {
> + $rule .= "-m nfacct --nfacct-name $_ ";
> + }
> [...]
> --- a/Shorewall/Perl/Shorewall/Chains.pm
> +++ b/Shorewall/Perl/Shorewall/Chains.pm
> [...]
> +#
> +# Validate and register an nfacct object name
> +#
> +
> +sub validate_nfobject( $;$ ) {
> + my ( $name, $allowbang ) = @_;
> +
> + fatal_error "Invalid nfacct object name ($name)" unless $name =~
> /^[-\w%&@~]+(!)?$/ && ( $allowbang || ! $1 );
> + $nfobjects{$_} = 1;
> +}
>
> From what I can see, "validate_nfobject" adds the nfacct name to the
> nfobjects array. This wasn't the case in Accounting.pm before as the
> object was just validated and (pre)rule was created. Is this intentional
> or have I got this wrong?
>
The registration of the nfacct object name was in 4.5.15 but had been dropped somewhere. This change simply re-added that registration.

-Tom