hi,
after I started to migrate to 3.0 and checked the new config files I've got this error. It seems the new macro code somehow does the zone:ip extension in the wrong order, i.e. instead of net:1.2.3.4 it uses 1.2.3.4:net. It worked with the old actions in 2.x.
yours.
---------------------------------------
# /sbin/shorewall check
.......
.....Expanding Macro /etc/shorewall/macro.SunBooks...
   ERROR: Undefined Server Zone in rule "ACCEPT loc 1.2.3.4:net tcp http,https - - - -"
---------------------------------------
the corresponding /etc/shorewall/macro.SunBooks (without the comments):
---------------------------------------
PARAM   -   $NCS_IP   tcp   http,https
---------------------------------------
and in params $NCS_IP is 1.2.3.4, while in rules:
---------------------------------------
SunBooks/ACCEPT   loc   net
---------------------------------------

--
  Levente                               "Si vis pacem para bellum!"

-------------------------------------------------------
This SF.Net email is sponsored by the JBoss Inc.  Get Certified Today
Register for a JBoss Training Course.  Free Certification Exam
for All Training Attendees Through End of 2005. For more info visit:
http://ads.osdn.com/?ad_id=7628&alloc_id=16845&op=click
On Tuesday 15 November 2005 02:02, Farkas Levente wrote:
> hi,
> after I started to migrate to 3.0 and checked the new config files I've got
> this error. It seems the new macro code somehow does the zone:ip extension
> in the wrong order, i.e. instead of net:1.2.3.4 it uses 1.2.3.4:net.
> It worked with the old actions in 2.x.
> yours.

The code is working as documented at http://shorewall.net/Macros.html. When a SOURCE or DEST occurs in both the macro body and in the macro's invocation, the final value is <value in macro body>:<value in invocation>. See the SMTP example in the article.

With SunBooks as an action, all loc->net traffic would have been passed through the action; then only that http,https traffic destined for 1.2.3.4 would have been accepted.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> On Tuesday 15 November 2005 02:02, Farkas Levente wrote:
>
>> hi,
>> after I started to migrate to 3.0 and checked the new config files I've got
>> this error. It seems the new macro code somehow does the zone:ip extension
>> in the wrong order, i.e. instead of net:1.2.3.4 it uses 1.2.3.4:net.
>> It worked with the old actions in 2.x.
>> yours.
>
> The code is working as documented at http://shorewall.net/Macros.html. When a
> SOURCE or DEST occurs in both the macro body and in the macro's invocation,
> the final value is <value in macro body>:<value in invocation>. See the SMTP
> example in the article.

ok. so my comment is that while it worked as an action, it no longer works as a macro, which means I can't define the ip in the macro and the zone in the rules file.
in the current case there is one http server which is well-known broken (an old ibm websphere server) and does not work through any proxy, but we need to access this server. so we allow direct access to this one dedicated host for a few clients. that's why we created the action/macro and in the rules file we only define the clients, so we only need to change the rules file (and never the action/macro).

> With SunBooks as an action, all loc->net traffic would have been passed
> through the action; then only that http,https traffic destined for 1.2.3.4
> would have been accepted.

yes, but that's what I want and it worked.

--
  Levente                               "Si vis pacem para bellum!"
On Tuesday 15 November 2005 08:17, Farkas Levente wrote:
>
> yes, but that's what I want and it worked.

So why change it? Actions will be supported in the future -- they aren't going away. Do you think that everyone who has parameterized macros working today should have to change them because you have one case which you can't convert from an action to a macro? I don't think so....

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Farkas Levente wrote:
> Tom Eastep wrote:
>
>> On Tuesday 15 November 2005 02:02, Farkas Levente wrote:
>>
>>> hi,
>>> after I started to migrate to 3.0 and checked the new config files I've got
>>> this error. It seems the new macro code somehow does the zone:ip extension
>>> in the wrong order, i.e. instead of net:1.2.3.4 it uses 1.2.3.4:net.
>>> It worked with the old actions in 2.x.
>>> yours.
>>
>> The code is working as documented at http://shorewall.net/Macros.html.
>> When a SOURCE or DEST occurs in both the macro body and in the macro's
>> invocation, the final value is <value in macro body>:<value in
>> invocation>. See the SMTP example in the article.
>
> ok. so my comment is that while it worked as an action, it no longer
> works as a macro, which means I can't define the ip in the macro and the
> zone in the rules file.
> in the current case there is one http server which is well-known broken
> (an old ibm websphere server) and does not work through any proxy, but we
> need to access this server. so we allow direct access to this one
> dedicated host for a few clients. that's why we created the action/macro
> and in the rules file we only define the clients, so we only need to change
> the rules file (and never the action/macro).

what's more, I can't write net:1.2.3.4 into the macro file since in this case I've got such an error:
---------------------------------------
.....Expanding Macro /etc/shorewall/macro.SunBooks...
   ERROR: Only DNAT, SAME and REDIRECT rules may specify destination port mapping; rule "ACCEPT loc net:1.2.3.4: tcp http,https - - - -"
---------------------------------------
or
---------------------------------------
.....Expanding Macro /etc/shorewall/macro.SunBooks...
   ERROR: Only DNAT, SAME and REDIRECT rules may specify destination port mapping; rule "ACCEPT loc net:1.2.3.4:- tcp http,https - - - -"
---------------------------------------

--
  Levente                               "Si vis pacem para bellum!"
On Tuesday 15 November 2005 08:56, Farkas Levente wrote:
>
> what's more, I can't write net:1.2.3.4 into the macro file since in this
> case I've got such an error:
> ---------------------------------------
> .....Expanding Macro /etc/shorewall/macro.SunBooks...
>    ERROR: Only DNAT, SAME and REDIRECT rules may specify destination
> port mapping; rule "ACCEPT loc net:1.2.3.4: tcp http,https - - - -"
> ---------------------------------------
> or
> ---------------------------------------
> .....Expanding Macro /etc/shorewall/macro.SunBooks...
>    ERROR: Only DNAT, SAME and REDIRECT rules may specify destination
> port mapping; rule "ACCEPT loc net:1.2.3.4:- tcp http,https - - - -"
> ---------------------------------------

Please test the 'firewall' script in http://lists.shorewall.net/Farkas/ (place it in /usr/share/shorewall/firewall). It tries to get the fields assembled in 'Farkas order' without breaking compatibility with the configurations of people who assumed that the Macro documentation was correct.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On Tuesday 15 November 2005 09:21, Tom Eastep wrote:
> On Tuesday 15 November 2005 08:56, Farkas Levente wrote:
> > what's more, I can't write net:1.2.3.4 into the macro file since in this
> > case I've got such an error:
> > ---------------------------------------
> > .....Expanding Macro /etc/shorewall/macro.SunBooks...
> >    ERROR: Only DNAT, SAME and REDIRECT rules may specify destination
> > port mapping; rule "ACCEPT loc net:1.2.3.4: tcp http,https - - - -"
> > ---------------------------------------
> > or
> > ---------------------------------------
> > .....Expanding Macro /etc/shorewall/macro.SunBooks...
> >    ERROR: Only DNAT, SAME and REDIRECT rules may specify destination
> > port mapping; rule "ACCEPT loc net:1.2.3.4:- tcp http,https - - - -"
> > ---------------------------------------
>
> Please test the 'firewall' script in http://lists.shorewall.net/Farkas/
> (place it in /usr/share/shorewall/firewall). It tries to get the fields
> assembled in 'Farkas order' without breaking compatibility with the
> configurations of people who assumed that the Macro documentation was
> correct.

And it also corrects the bug that you reported above.

Thanks,
-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
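The body/invocation combination rule Tom describes (final value is <macro body>:<invocation>), and the ':' / ':-' expansion seen in Levente's second error, illustrated in Python as an added example; this is not Shorewall's own code, and the zone set, params content and sample lines are constructed from the thread.

```python
import re

# Constructed for this example: the zones in the thread's configuration
ZONES = {"fw", "loc", "net"}


def merge_field(body, invocation):
    """Combine one SOURCE or DEST column as Macros.html documents it:
    '-' (or empty) means "not given"; both given -> '<body>:<invocation>';
    only one given -> that value unchanged.  Appending ':' or ':-' when the
    invocation column is '-' is the expansion bug reported in the thread."""
    body_given = body not in ("", "-")
    inv_given = invocation not in ("", "-")
    if body_given and inv_given:
        return f"{body}:{invocation}"
    return body if body_given else (invocation if inv_given else "-")


def expand_macro(body_line, invocation_line, params):
    """Expand one macro-body line ('PARAM - $NCS_IP tcp http,https') against
    one rules-file invocation ('SunBooks/ACCEPT loc net').
    Returns the expanded rule as [ACTION, SOURCE, DEST, PROTO, DPORT]."""
    # $VAR substitution from the params file, anywhere inside a field
    body = [re.sub(r"\$(\w+)", lambda m: params.get(m.group(1), m.group(0)), f)
            for f in body_line.split()]
    inv = invocation_line.split()
    # PARAM takes the action named after '/' in 'Macro/ACTION'
    _name, _, inv_action = inv[0].partition("/")
    action = inv_action if body[0] == "PARAM" else body[0]
    inv_src = inv[1] if len(inv) > 1 else "-"
    inv_dst = inv[2] if len(inv) > 2 else "-"
    return [action, merge_field(body[1], inv_src),
            merge_field(body[2], inv_dst)] + body[3:]


def zone_error(rule):
    """The check behind the thread's first error: the text before the first
    ':' in SOURCE/DEST must name a zone (simplified; 'all' and $FW omitted)."""
    for label, field in (("Client", rule[1]), ("Server", rule[2])):
        if field.split(":", 1)[0] not in ZONES:
            return f'ERROR: Undefined {label} Zone in rule "{" ".join(rule)}"'
    return None


if __name__ == "__main__":
    params = {"NCS_IP": "1.2.3.4"}  # constructed params file content
    for body, inv in (("PARAM - $NCS_IP tcp http,https", "SunBooks/ACCEPT loc net"),
                      ("PARAM - net:$NCS_IP tcp http,https", "SunBooks/ACCEPT loc -")):
        rule = expand_macro(body, inv, params)
        print(" ".join(rule), "->", zone_error(rule) or "ok")
```

The first pair reproduces the "Undefined Server Zone" error from the opening message; the second shows the zone carried in the macro body expanding cleanly once a '-' invocation column is treated as absent rather than appended.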
> in the current case there is one http server which is well-known broken
> (an old ibm websphere server) and does not work through any proxy, but we
> need to access this server. so we allow direct access to this one
> dedicated host for a few clients. that's why we created the action/macro
> and in the rules file we only define the clients, so we only need to change
> the rules file (and never the action/macro).

First of all, there is no need to transform any Action into a Macro, unless it will speed up things [1]. Macros are still supported and there is no plan to get rid of them either.

The best case for you probably depends on the number of clients you allow access to this server. If you have a couple of clients, the best solution may be to stick to the Actions and "reverse" it. I mean, having the allowed clients in the Action and the DEST server in the rules file. That way around, any given packet needs to be checked against one rule only, and only if it actually matches the DEST does the packet get handed to this Action chain to be further checked against the allowed hosts.

In the case of Macros, remember that you will have all Macros expanded inline in the rules file, thus maybe causing a lot of matches before the packet finally reaches other rules or the policy.

Just a thought, hope I'm not too far off the track. ;)

-Karsten

[1] http://shorewall.net/Macros.html#id2509628

--
[ESR] Eric S. Raymond: "How To Ask Questions The Smart Way"
      <http://www.catb.org/~esr/faqs/smart-questions.html>
[SGT] Simon G. Tatham: "How to Report Bugs Effectively"
      <http://www.chiark.greenend.org.uk/~sgtatham/bugs.html>
On Tue, 2005-11-15 at 18:33 +0100, Karsten Bräckelmann wrote:
> First of all, there is no need to transform any Action into a Macro,
> unless it will speed up things [1]. Macros are still supported and there
                                      ^^^^^^
> is no plan to get rid of them either.

GAR, make that "Actions".

-Karsten

--
[ESR] Eric S. Raymond: "How To Ask Questions The Smart Way"
      <http://www.catb.org/~esr/faqs/smart-questions.html>
[SGT] Simon G. Tatham: "How to Report Bugs Effectively"
      <http://www.chiark.greenend.org.uk/~sgtatham/bugs.html>