I found a minor problem in the new logging system.

The new logging system limits zone names effectively to 4 characters. If you have a REJECT policy between 2 zones whose names are 5 characters long, here for example the ipsec zone, iptables will give an error because the log prefix is limited to 29 characters.

--log-prefix "Shorewall:ipsec2ipsec:1:REJECT:"

So zone names should be limited to 4 characters or the default logformat needs to change. My fix was to change to:

LOGFORMAT="Shw:%s:%d:%s:"

But there is still a limit to zone name length which needs to be enforced.

-- 
Tuomo Soini <tis@foobar.fi>
Linux and network services
Foobar Oy <http://foobar.fi/>
Tom Eastep
2003-May-26 17:08 UTC
[Shorewall-users] Re: [Shorewall-devel] minor problem with shorewall-1.4.4
On Mon, 26 May 2003 13:14:36 +0300, Tuomo Soini <tis@foobar.fi> wrote:

> I found a minor problem in the new logging system.

I wish I had never heard of Fireparse :-(((

> The new logging system limits zone names effectively to 4 characters. If you
> have a REJECT policy between 2 zones whose names are 5 characters long, here
> for example the ipsec zone, iptables will give an error because the log prefix
> is limited to 29 characters.
>
> --log-prefix "Shorewall:ipsec2ipsec:1:REJECT:"
>
> So zone names should be limited to 4 characters or the default logformat
> needs to change. My fix was to change to:
>
> LOGFORMAT="Shw:%s:%d:%s:"
>
> But there is still a limit to zone name length which needs to be enforced.
>

There has always been a documented limit of 5.

-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep
2003-May-27 10:35 UTC
[Shorewall-users] Re: [Shorewall-devel] minor problem with shorewall-1.4.4
On Mon, 26 May 2003 17:08:26 -0700, Tom Eastep <teastep@shorewall.net> wrote:

>>
>> The new logging system limits zone names effectively to 4 characters. If you
>> have a REJECT policy between 2 zones whose names are 5 characters long, here
>> for example the ipsec zone, iptables will give an error because the log prefix
>> is limited to 29 characters.
>>
>> --log-prefix "Shorewall:ipsec2ipsec:1:REJECT:"
>>
>> So zone names should be limited to 4 characters or the default logformat
>> needs to change. My fix was to change to:
>>
>> LOGFORMAT="Shw:%s:%d:%s:"
>>
>> But there is still a limit to zone name length which needs to be enforced.
>>
>
> There has always been a documented limit of 5.
>

I have placed a new 'shorewall.conf' and 'firewall' script in:

ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4

The LOGFORMAT string is now examined for the substring '%d'; if that substring is included, the logging rule number is included; if that substring is not present, then the logging rule is not included.

In addition, the default value of LOGFORMAT is changed to "Shorewall:%s:%d:" - this will produce the same format log messages as Shorewall 1.4.3 and earlier and will restore the maximum zone name length to 5.

-Tom

-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
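The arithmetic behind this thread (the 29-character iptables --log-prefix limit against a LOGFORMAT that expands to chain name, optional rule number and disposition) is easy to get wrong by hand, so here is a small check script. It is example code added to this page, not part of Shorewall or of either poster's message. It assumes, as the thread does, that the chain for a policy between two zones is named SRC2DST and that LOGFORMAT is expanded with printf in the order chain, rule number (only when %d is present), disposition; the helper names build_prefix, prefix_ok and max_zone_len are the example's own.

```shell
#!/bin/sh
# Constructed check for Shorewall LOGFORMAT strings against the iptables
# --log-prefix limit.  Example code, not Shorewall's own; the prefix
# layout follows the mailing-list thread above.

MAX_PREFIX=29   # iptables --log-prefix accepts at most 29 characters

# build_prefix FORMAT CHAIN RULENUM DISPOSITION
#   Print the prefix string iptables would be handed.  The rule number is
#   only substituted when FORMAT contains %d, mirroring the 1.4.4 errata.
build_prefix() {
    fmt=$1; chain=$2; rulenum=$3; disp=$4
    case $fmt in
        *%d*) printf "$fmt" "$chain" "$rulenum" "$disp" ;;
        *)    printf "$fmt" "$chain" "$disp" ;;
    esac
}

# prefix_ok FORMAT CHAIN RULENUM DISPOSITION
#   Succeed (exit 0) if the expanded prefix fits in MAX_PREFIX characters.
prefix_ok() {
    p=$(build_prefix "$@")
    [ "${#p}" -le "$MAX_PREFIX" ]
}

# max_zone_len FORMAT RULENUM DISPOSITION
#   Longest zone name (in characters) for which a policy chain between two
#   zones of that length, named SRC2DST, still yields a legal prefix.
max_zone_len() {
    fmt=$1; rulenum=$2; disp=$3
    n=0; z=z
    while prefix_ok "$fmt" "${z}2${z}" "$rulenum" "$disp"; do
        n=$((n+1)); z="${z}z"
    done
    echo "$n"
}

# Demonstration on the thread's own case: the 1.4.4 default with two
# 5-character zones overflows, the older format and the "Shw:" format do not.
for f in 'Shorewall:%s:%d:%s:' 'Shorewall:%s:%s:' 'Shw:%s:%d:%s:'; do
    p=$(build_prefix "$f" ipsec2ipsec 1 REJECT)
    printf '%-22s -> %-33s (%2d chars, max zone len %s)\n' \
        "$f" "$p" "${#p}" "$(max_zone_len "$f" 1 REJECT)"
done
```

Running it shows why both posters' numbers are right: "Shorewall:%s:%d:%s:" with rule number 1 and REJECT leaves room for only 4-character zone names, the rule-number-free format allows exactly 5 (a 29-character prefix), and "Shw:%s:%d:%s:" allows 7. Plug in your own LOGFORMAT and the longest disposition you log (REJECT is the longest of ACCEPT, DROP and REJECT) before renaming zones.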