OK, I am stuck. I have installed the latest 2.6.20 kernel and turned on
every imaginable netfilter option - have installed latest iptables 1.3.7
- but, as soon as I try to use a CONTINUE policy, I just get:

...
Applying Policies...
iptables v1.3.7: Couldn't load target
`CONTINUE':/usr/local/lib/iptables/libipt_CONTINUE.so: cannot open
shared object file: No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
ERROR: Command "/sbin/iptables -A net2c148 -j CONTINUE" Failed
Processing /etc/shorewall/stop ...
/var/lib/shorewall/.start: line 211: source_ip_range: command not found
/var/lib/shorewall/.start: line 212: dest_ip_range: command not found
IP Forwarding Enabled
Processing /etc/shorewall/stopped ...
/sbin/shorewall: line 225: 24311 Terminated ${VARDIR}/.start $debugging start

'shorewall check' runs just fine, but a 'start' results in the output
above. I'm just trying to do a simple nested-zone config, per the docs.

Here's my capabilities:

Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Not available
   Connection Tracking Match: Available
   Packet Type Match: Available
   Policy Match: Not available
   Physdev Match: Not available
   Packet length Match: Available
   IP range Match: Available
   Recent Match: Available
   Owner Match: Available
   Ipset Match: Not available
   CONNMARK Target: Available
   Extended CONNMARK Target: Available
   Connmark Match: Available
   Extended Connmark Match: Available
   Raw Table: Not available
   IPP2P Match: Not available
   CLASSIFY Target: Available
   Extended REJECT: Available
   Repeat match: Available
   MARK Target: Available
   Extended MARK Target: Available
   Mangle FORWARD Chain: Available
   Comments: Available

Tired of ripping my hair out - maybe there's just something painfully
obvious I'm missing - suggestions eagerly solicited.

thanks
Phil

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
Phil Cordier wrote:
> OK, I am stuck. I have installed the latest 2.6.20 kernel and turned on
> every imaginable netfilter option - have installed latest iptables 1.3.7
> - but, as soon as I try to use a CONTINUE policy, I just get :
>
> ...
> Applying Policies...
> iptables v1.3.7: Couldn't load target
> `CONTINUE':/usr/local/lib/iptables/libipt_CONTINUE.so: cannot open
> shared object file: No such file or directory
>
> Try `iptables -h' or 'iptables --help' for more information.
> ERROR: Command "/sbin/iptables -A net2c148 -j CONTINUE" Failed
> Processing /etc/shorewall/stop ...
> /var/lib/shorewall/.start: line 211: source_ip_range: command not found
> /var/lib/shorewall/.start: line 212: dest_ip_range: command not found
> IP Forwarding Enabled
> Processing /etc/shorewall/stopped ...
> /sbin/shorewall: line 225: 24311 Terminated
> ${VARDIR}/.start $debugging start

This looks like a Shorewall bug -- Which version of Shorewall are you
running? (One important piece of information you forgot to include).

As pointed out at http://www.shorewall.net/support.htm#Guidelines, we need
to see a trace to be able to help with these sorts of problems.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Phil Cordier wrote:
>> OK, I am stuck. I have installed the latest 2.6.20 kernel and turned on
>> every imaginable netfilter option - have installed latest iptables 1.3.7
>> - but, as soon as I try to use a CONTINUE policy, I just get :
>>
>> ...
>> Applying Policies...
>> iptables v1.3.7: Couldn't load target
>> `CONTINUE':/usr/local/lib/iptables/libipt_CONTINUE.so: cannot open
>> shared object file: No such file or directory
>>
>> Try `iptables -h' or 'iptables --help' for more information.
>> ERROR: Command "/sbin/iptables -A net2c148 -j CONTINUE" Failed

I've been able to reproduce this on 3.4.0 so I assume that is the release
that you are running. A patch to /usr/share/shorewall/compiler is attached
(it may apply with an offset unless you apply all 3.4.0 patches -- see
http://www.shorewall.net/pub/shorewall/3.4/shorewall-3.4.0/known_problems.txt).

>> Processing /etc/shorewall/stop ...
>> /var/lib/shorewall/.start: line 211: source_ip_range: command not found
>> /var/lib/shorewall/.start: line 212: dest_ip_range: command not found
>

I'm concerned about the above messages. It means that somehow
source_ip_range() and dest_ip_range() are getting called out of a compiled
script which shouldn't happen. Do you have anything in your
/etc/shorewall/stop file? Does this happen on a normal "shorewall stop" or
only when you have a startup error in the compiled script?

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Hi Tom - thanks much for the patch - has done the trick (and greetings from
Shoreline, we're neighbors).

> I've been able to reproduce this on 3.4.0 so I assume that is the release
> that you are running.
>

Er, yes, apologies for the missing info.

>>> Processing /etc/shorewall/stop ...
>>> /var/lib/shorewall/.start: line 211: source_ip_range: command not found
>>> /var/lib/shorewall/.start: line 212: dest_ip_range: command not found
>>>
> I'm concerned about the above messages. It means that somehow
> source_ip_range() and dest_ip_range() are getting called out of a compiled
> script which shouldn't happen. Do you have anything in your
> /etc/shorewall/stop file? Does this happen on a normal "shorewall stop" or
> only when you have a startup error in the compiled script?
>

It only happened with the startup error, ie when there was a CONTINUE
policy, or IMPLICIT_CONTINUE=Yes was set in shorewall.conf - there's
nothing in my stop file...

On another note - I'm now having problems with a wildcard entry for VLAN
interfaces in the interfaces file, when using multiple zones on an
interface (ie, using the hosts file) - I'm trying:

-       eth1.*  detect  tcpflags,nosmurfs

I also tried:

-       eth1+   detect  tcpflags,nosmurfs
-       eth1.+  detect  tcpflags,nosmurfs

With my corresponding hosts file entries of:

foo1    eth1.2:192.168.168.0/24     tcpflags
foo2    eth1.3:192.168.169.0/24     tcpflags

But 'shorewall check' is returning things like (with the + sign):

Validating hosts file...
ERROR: Unknown interface (eth1.2) in record "foo1 eth1.2:192.168.168.0/24 tcpflags"
Terminated

or (with the *):

Validating interfaces file...
/usr/share/shorewall/lib.config: line 372: eth1_*_broadcast=detect: command not found
/usr/share/shorewall/lib.config: line 373: eth1_*_zone=: command not found
/usr/share/shorewall/lib.config: line 374: eth1_*_options=tcpflags detectnets nosmurfs: command not found
Validating hosts file...
ERROR: Unknown interface (eth1.2) in record "foo1 eth1.2:192.168.168.0/24 tcpflags"
Terminated

(shorewall trace check output attached below).

Is this simply unsupported? Or am I approaching things incorrectly here?

I have dozens of internal client subnets behind one interface, that I need
separate zones for. I thought I could likely increase security by placing
each client zone on a VLAN interface. If this is not allowed, the only
other approach that I appear to see would be to place all the VLAN'd
interfaces in one zone (not using the hosts file), and specify the access
allowed to the clients by using the one zone and different VLAN interfaces
alone in the rules file - this does not seem to provide quite the fine
level of granularity and control via specifying policies for different
zones in the policy file though...

PS: Tom I would not dare impinge upon your time, but if you might know a
good Shorewall person preferably in our local Seattle area that would be
available for a few hours of consulting work, I could really use some
hands-on help getting this all up and running... I'm stumbling in the dark
on some of this stuff... Thanks!!!

Regards,
Phil Cordier
Phil Cordier wrote:
> Hi Tom - thanks much for the patch - has done the trick (and greetings
> from Shoreline, we're neighbors).

Cool! (On both counts).

>
> It only happened with the startup error, ie when there was a CONTINUE
> policy, or IMPLICIT_CONTINUE=Yes was set in shorewall.conf - there's
> nothing in my stop file...

Hmmm -- that's worrisome since I can't reproduce it under those same
circumstances. I'll try again.

>
> -       eth1+   detect  tcpflags,nosmurfs
> -       eth1.+  detect  tcpflags,nosmurfs
>

Those are correct syntax:

> With my corresponding hosts file entries of :
>
> foo1    eth1.2:192.168.168.0/24     tcpflags
> foo2    eth1.3:192.168.169.0/24     tcpflags
>
> But 'shorewall check' is returning things like (with the + sign) :
>
> Validating hosts file...
> ERROR: Unknown interface (eth1.2) in record "foo1
> eth1.2:192.168.168.0/24 tcpflags"

This is expected behavior. The interface in a hosts entry must match the
entry in an Interfaces file exactly (Shorewall 4 will change that and allow
what you are trying to do). So you either must define each VLAN interface
in /etc/shorewall/interfaces or you must use one of the ...+ forms as
follows:

/etc/shorewall/interfaces:

-       eth1.+  detect  tcpflags,nosmurfs

/etc/shorewall/hosts:

foo1    eth1.+:192.168.168.0/24     tcpflags

>
> PS: Tom I would not dare impinge upon your time, but if you might know a
> good Shorewall person preferably in our local Seattle area that would be
> available for a few hours of consulting work, I could really use some
> hands-on help getting this all up and running... I'm stumbling in the
> dark on some of this stuff... Thanks!!!

I'm afraid that I know of no one in the Seattle area that does Shorewall
consulting.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
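The rule Tom states above (a hosts-file interface has to match an interfaces-file entry exactly on 3.4, so "eth1.2" fails against a declared "eth1.+" and the fix is to write "eth1.+" in the hosts file too) can be checked offline before running 'shorewall check'. The Python below is an added example, not part of this thread and not Shorewall's own compiler code: it parses constructed interfaces and hosts file contents, reproduces the "Unknown interface" error for the rejected form, and passes the "eth1.+" form. Its optional wildcard mode models the behaviour Tom says Shorewall 4 will allow as a plain prefix match on entries ending in "+"; that matching rule is an assumption, not taken from the real compiler.

```python
"""Cross-check /etc/shorewall/hosts interface names against
/etc/shorewall/interfaces the way 'shorewall check' on 3.4 rejects them.

Added example (not Shorewall's code). The file contents below are
constructed sample input; the wildcard mode is an assumption about the
later behaviour described in the thread.
"""

# Constructed /etc/shorewall/interfaces with the "eth1.+" VLAN wildcard entry.
INTERFACES_TEXT = """\
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,nosmurfs
-       eth1.+      detect      tcpflags,nosmurfs
"""

# Constructed hosts file naming concrete VLAN interfaces (rejected on 3.4).
HOSTS_CONCRETE = """\
#ZONE   HOST(S)                     OPTIONS
foo1    eth1.2:192.168.168.0/24     tcpflags
foo2    eth1.3:192.168.169.0/24     tcpflags
"""

# Constructed hosts file in the "eth1.+" form recommended in the thread.
HOSTS_WILDCARD = """\
#ZONE   HOST(S)                     OPTIONS
foo1    eth1.+:192.168.168.0/24     tcpflags
foo2    eth1.+:192.168.169.0/24     tcpflags
"""


def parse_records(text):
    """Split a Shorewall-style file into whitespace-separated records,
    dropping blank lines and '#' comments."""
    records = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            records.append(line.split())
    return records


def declared_interfaces(interfaces_text):
    """Return the INTERFACE column of every interfaces-file record."""
    return [rec[1] for rec in parse_records(interfaces_text)]


def interface_matches(iface, declared, wildcard):
    """Exact match always counts (the 3.4 rule). With wildcard=True an
    entry ending in '+' also matches any name starting with the text
    before the '+' (assumed model of the later, relaxed rule)."""
    for entry in declared:
        if iface == entry:
            return True
        if wildcard and entry.endswith("+") and iface.startswith(entry[:-1]):
            return True
    return False


def check_hosts(interfaces_text, hosts_text, wildcard=False):
    """Return the 'Unknown interface' errors that 'shorewall check' would
    report for hosts_text against interfaces_text; [] means it validates."""
    declared = declared_interfaces(interfaces_text)
    errors = []
    for rec in parse_records(hosts_text):
        iface = rec[1].split(":", 1)[0]  # HOST(S) column is iface[:addresses]
        if not interface_matches(iface, declared, wildcard):
            record = " ".join(rec)
            errors.append(f'ERROR: Unknown interface ({iface}) in record "{record}"')
    return errors


if __name__ == "__main__":
    for label, hosts in (("concrete", HOSTS_CONCRETE), ("eth1.+", HOSTS_WILDCARD)):
        for mode in (False, True):
            errs = check_hosts(INTERFACES_TEXT, hosts, wildcard=mode)
            print(f"{label} hosts, wildcard matching {mode}: "
                  f"{'OK' if not errs else errs[0]}")
```

Running it shows the concrete form failing with the same message Phil saw and passing only when wildcard matching is enabled, while the "eth1.+" form validates under either rule. Because the hosts records are parsed from the leading token before ':', the checker also works for entries that carry a single address rather than a subnet.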
Tom Eastep wrote:
> Phil Cordier wrote:
>> Hi Tom - thanks much for the patch - has done the trick (and greetings
>> from Shoreline, we're neighbors).
>
> Cool! (On both counts).
>
>> It only happened with the startup error, ie when there was a CONTINUE
>> policy, or IMPLICIT_CONTINUE=Yes was set in shorewall.conf - there's
>> nothing in my stop file...
>
> Hmmm -- that's worrisome since I can't reproduce it under those same
> circumstances. I'll try again.

I'll bet you have critical hosts defined in /etc/shorewall/routestopped!

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep
2007-Mar-15 15:47 UTC
CRITICALHOSTS broken on 3.4.0 (was Re: CONTINUE policy not working)
Tom Eastep wrote:
> Tom Eastep wrote:
>> Phil Cordier wrote:
>>> Hi Tom - thanks much for the patch - has done the trick (and greetings
>>> from Shoreline, we're neighbors).
>> Cool! (On both counts).
>>
>>> It only happened with the startup error, ie when there was a CONTINUE
>>> policy, or IMPLICIT_CONTINUE=Yes was set in shorewall.conf - there's
>>> nothing in my stop file...
>> Hmmm -- that's worrisome since I can't reproduce it under those same
>> circumstances. I'll try again.
>
> I'll bet you have critical hosts defined in /etc/shorewall/routestopped!
>

Attached is a patch to /usr/share/shorewall/compiler which corrects this
problem.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep
2007-Mar-15 16:43 UTC
Re: CRITICALHOSTS broken on 3.4.0 (was Re: CONTINUE policy not working)
Tom Eastep wrote:
>
> Attached is a patch to /usr/share/shorewall/compiler which corrects this
> problem.
>

Hmmm -- the patch I sent previously included the fix for your other problem
as well as this one. The one attached to this post corrects only the
CRITICALHOSTS problem.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key