I've uploaded Beta 4. It corrects a bad bug involving exclusion in the hosts file. In addition, it contains the first release of a new Bridge/firewall implementation that uses the reduced-function physdev match found in kernel 3.6.20 and 3.6.21.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
Tom Eastep wrote:
> I've uploaded Beta 4. It corrects a bad bug involving exclusion in the
> hosts file. In addition, it contains the first release of a new
> Bridge/firewall implementation that uses the reduced-function physdev
> match found in kernel 3.6.20 and 3.6.21.

Of course I meant "2.6.20 and 2.6.21".

-Tom
Good morning Tom.

Macro macro.ALLOW:

ACCEPT

Rule:

ALLOW lan:eth1 lan:eth0 udp 123,125

produces the following error:

Undefined subroutine &Shorewall::Chains::source_port_to_bridge called at /usr/share/shorewall-perl/Shorewall/Chains.pm line 1521, <$currentfile> line 363.

Steven.
Steven Jan Springl wrote:
> Good morning Tom.
>
> Macro macro.ALLOW:
>
> ACCEPT
>
> Rule:
>
> ALLOW lan:eth1 lan:eth0 udp 123,125
>
> produces the following error:
>
> Undefined subroutine &Shorewall::Chains::source_port_to_bridge called
> at /usr/share/shorewall-perl/Shorewall/Chains.pm line 1521, <$currentfile>
> line 363.

Good Afternoon, Steven

Should be fixed in r6501.

Thanks,
-Tom
Tom.

When the accounting file contains:

DONE - eth0 eth1 udp 555,666

(both eth0 and eth1 are ports on bridge br0)

the following iptables rule is generated:

-A accounting -p 17 -m multiport --dports 555,666 -i br0 -m physdev --physdev-in eth0 -o br0 -m physdev --physdev-out eth1 -j RETURN

which produces the following messages:

iptables-restore: line 341 failed
ERROR: iptables-restore Failed. Input is in /var/lib/shorewall/.iptables-restore-input
/sbin/shorewall: line 347: 12488 Terminated ${VARDIR}/.start $debugging start

Additionally the following message is also produced:

physdev match: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING chains for non-bridged traffic is not supported anymore.

Note: this last message is produced for every iptables rule that contains a --physdev-out parameter, but iptables-restore normally works.

Steven.
Steven Jan Springl wrote:
> Tom.
>
> When the accounting file contains:
>
> DONE - eth0 eth1 udp 555,666
>
> (both eth0 and eth1 are ports on bridge br0)
>
> the following iptables rule is generated:
>
> -A accounting -p 17 -m multiport --dports 555,666 -i br0 -m
> physdev --physdev-in eth0 -o br0 -m physdev --physdev-out eth1 -j RETURN
>
> which produces the following messages:
>
> iptables-restore: line 341 failed
> ERROR: iptables-restore Failed. Input is
> in /var/lib/shorewall/.iptables-restore-input
> /sbin/shorewall: line 347: 12488 Terminated ${VARDIR}/.start
> $debugging start

Hmmm -- that is a valid rule.

root@wookie:~# iptables -N foo
root@wookie:~# iptables -A foo -p 17 -m multiport --dports 555,666 -i br0 -m physdev --physdev-in eth0 -o br0 -m physdev --physdev-out eth1 -j RETURN
root@wookie:~#

"shorewall show capabilities" indicates that you have 'Repeat match' support?

> Additionally the following message is also produced:
>
> physdev match: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING
> chains for non-bridged traffic is not supported anymore.
>
> Note: this last message is produced for every iptables rule that contains
> a --physdev-out parameter, but iptables-restore normally works.

I can't do anything about that. The Netfilter developers added that noise to alert people that physdev doesn't work the way it used to.

-Tom
On Sunday 10 June 2007 16:55, Tom Eastep wrote:
> Hmmm -- that is a valid rule.
>
> root@wookie:~# iptables -N foo
> root@wookie:~# iptables -A foo -p 17 -m multiport --dports 555,666 -i br0
> -m physdev --physdev-in eth0 -o br0 -m physdev --physdev-out eth1 -j RETURN
> root@wookie:~#
>
> "shorewall show capabilities" indicates that you have 'Repeat match'
> support?

Tom

Repeat match support is available. I am using kernel 2.6.21.4 and iptables 1.3.7.

Steven.
Tom Eastep wrote:
> Steven Jan Springl wrote:
>> the following iptables rule is generated:
>>
>> -A accounting -p 17 -m multiport --dports 555,666 -i br0 -m
>> physdev --physdev-in eth0 -o br0 -m physdev --physdev-out eth1 -j RETURN
>>
>> which produces the following messages:
>>
>> iptables-restore: line 341 failed
>> ERROR: iptables-restore Failed. Input is
>> in /var/lib/shorewall/.iptables-restore-input
>> /sbin/shorewall: line 347: 12488 Terminated ${VARDIR}/.start
>> $debugging start
>
> Hmmm -- that is a valid rule.
>
> root@wookie:~# iptables -N foo
> root@wookie:~# iptables -A foo -p 17 -m multiport --dports 555,666 -i br0 -m
> physdev --physdev-in eth0 -o br0 -m physdev --physdev-out eth1 -j RETURN
> root@wookie:~#

What happens if you pass the attached file to iptables-restore?

Thanks,
-Tom
On Sunday 10 June 2007 17:00, Tom Eastep wrote:
> What happens if you pass the attached file to iptables-restore?

Tom

That works.

If the following rules are removed from the original restore file:

-A FORWARD -j accounting
-A OUTPUT -j accounting

then the restore works.

The presence of:

-A INPUT -j accounting

does not cause the restore to fail.

Steven.
Steven Jan Springl wrote:
> That works.
>
> If the following rules are removed from the original restore file:
>
> -A FORWARD -j accounting
> -A OUTPUT -j accounting
>
> then the restore works.
>
> The presence of:
>
> -A INPUT -j accounting
>
> does not cause the restore to fail.

After "shorewall clear", please try this:

iptables -N foo
iptables -A OUTPUT -j foo
iptables -A foo -p 17 -m multiport --dports 555,666 -i br0 -m physdev --physdev-in eth0 -o br0 -m physdev --physdev-out eth1 -j RETURN

Thanks,
-Tom
On Sunday 10 June 2007 17:11, Tom Eastep wrote:
> After "shorewall clear", please try this:
>
> iptables -N foo
> iptables -A OUTPUT -j foo
> iptables -A foo -p 17 -m multiport --dports 555,666 -i br0 -m physdev
> --physdev-in eth0 -o br0 -m physdev --physdev-out eth1 -j RETURN

Tom

It produces the following messages:

physdev match: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING chains for non-bridged traffic is not supported anymore.

iptables: Invalid argument

Steven.
Steven Jan Springl wrote:
> On Sunday 10 June 2007 17:11, Tom Eastep wrote:
>> After "shorewall clear", please try this:
>>
>> iptables -N foo
>> iptables -A OUTPUT -j foo
>> iptables -A foo -p 17 -m multiport --dports 555,666 -i br0 -m physdev
>> --physdev-in eth0 -o br0 -m physdev --physdev-out eth1 -j RETURN
>
> Tom
> It produces the following messages:
>
> physdev match: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING
> chains for non-bridged traffic is not supported anymore.
>
> iptables: Invalid argument

How about:

iptables -N foo
iptables -A FORWARD -j foo
iptables -A foo -p 17 -m multiport --dports 555,666 -i br0 -m physdev --physdev-in eth0 -o br0 -m physdev --physdev-out eth1 -j RETURN

-Tom
On Sunday 10 June 2007 17:37, Tom Eastep wrote:
> How about:
>
> iptables -N foo
> iptables -A FORWARD -j foo
> iptables -A foo -p 17 -m multiport --dports 555,666 -i br0 -m physdev
> --physdev-in eth0 -o br0 -m physdev --physdev-out eth1 -j RETURN

Tom

That works. It just produces the message:

physdev match: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING chains for non-bridged traffic is not supported anymore.

Steven.
Steven Jan Springl wrote:
> On Sunday 10 June 2007 17:37, Tom Eastep wrote:
>> How about:
>>
>> iptables -N foo
>> iptables -A FORWARD -j foo
>> iptables -A foo -p 17 -m multiport --dports 555,666 -i br0 -m physdev
>> --physdev-in eth0 -o br0 -m physdev --physdev-out eth1 -j RETURN
>
> That works. It just produces the message:
>
> physdev match: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING
> chains for non-bridged traffic is not supported anymore.

Ok -- then please try r6506 on your original test case. That revision creates a chain called 'accountout' for OUTPUT accounting rules.

-Tom
On Sunday 10 June 2007 17:44, Tom Eastep wrote:
> Ok -- then please try r6506 on your original test case. That revision
> creates a chain called 'accountout' for OUTPUT accounting rules.

Tom

I have just tried r6507 with the original test case. Shorewall now starts successfully.

The same 'accounting iptables' rule is generated. It is called from the INPUT and FORWARD chains.
The 'accountout' is not generated.

Steven.
Steven Jan Springl wrote:
> I have just tried r6507 with the original test case. Shorewall now starts
> successfully.
>
> The same 'accounting iptables' rule is generated. It is called from the INPUT
> and FORWARD chains.
> The 'accountout' is not generated.

'accountout' is only generated if there are rules with $FW in the SOURCE column.

-Tom
On Sunday 10 June 2007 18:57, Tom Eastep wrote:
> 'accountout' is only generated if there are rules with $FW in the SOURCE
> column.

Tom

The accounting file contains:

DONE - eth0 eth1 udp 555,666
DONE - - eth1 udp 777,888
DONE - eth0 br0 udp 555,666
DONE - - br0 udp 777,888

and the rules file contains (amongst other rules):

ACCEPT fw lan udp 555,666,777,888

but 'accountout' is still not generated. What am I missing?

Steven.
Good morning Tom.

Masq entry:

eth1 10.1.2.0/24!10.1.2.1 10.1.1.1:500-600 tcp 110

generates the following iptables rules:

-A POSTROUTING -o br0 -m physdev --physdev-out eth1 -j eth1_masq
-A eth1_masq -p 6 --dport 110 -s 10.1.2.0/24 -j excl1
-A excl1 -s 10.1.2.1 -j RETURN
-A excl1 -j SNAT --to-source 10.1.1.1:500-600

which produces the following messages:

iptables-restore v1.3.6: Need TCP or UDP with port specification
Error occurred at line: 4

Steven.
Steven Jan Springl wrote:
> Masq entry:
>
> eth1 10.1.2.0/24!10.1.2.1 10.1.1.1:500-600 tcp 110
>
> generates the following iptables rules:
>
> -A POSTROUTING -o br0 -m physdev --physdev-out eth1 -j eth1_masq
> -A eth1_masq -p 6 --dport 110 -s 10.1.2.0/24 -j excl1
> -A excl1 -s 10.1.2.1 -j RETURN
> -A excl1 -j SNAT --to-source 10.1.1.1:500-600
>
> which produces the following messages:
>
> iptables-restore v1.3.6: Need TCP or UDP with port specification
> Error occurred at line: 4

Good Afternoon, Steven

Corrected in r6510.

Thanks,
-Tom
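Both iptables-restore failures traced in this thread can be caught before the ruleset is loaded: a rule with --physdev-out in a chain that is reachable from OUTPUT (the 2.6.20+ physdev match rejects that with "Invalid argument", while a chain reachable only from FORWARD or POSTROUTING just triggers the "not supported anymore" warning), and an SNAT --to-source carrying a port range on a rule that has no -p tcp/udp ("Need TCP or UDP with port specification"). The checker below is an added example written for this page; it is not Shorewall code and nothing from the list. It parses iptables-restore input, follows -j/-g jumps back to the built-in chains, and flags both patterns. The function names (parse_restore, entry_hooks, check_restore) and the embedded SAMPLE ruleset are my own; SAMPLE is constructed to mirror the rules Steven posted. The repaired FIXED copy assumes, from the xt_physdev match's own checks rather than from anything stated in the thread, that adding --physdev-is-bridged next to --physdev-out satisfies the kernel; Shorewall's actual fix was to move OUTPUT accounting into a separate chain.

```python
# Added example, not Shorewall code: lint iptables-restore input for the two
# failure modes discussed in this thread (physdev-out placement, NAT port spec).
import re, shlex

PORT_RE = re.compile(r":\d+(?:-\d+)?$")  # port part of "10.1.1.1:500-600"
PORT_PROTOS = {"tcp", "udp", "6", "17"}  # protocols iptables allows with a port spec

def parse_restore(text):
    """Map table -> (policies, rules); a policy of '-' marks a user chain."""
    tables, table = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]
            tables[table] = ({}, [])
        elif line.startswith(":"):
            name, policy = line[1:].split()[:2]
            tables[table][0][name] = policy
        elif line.startswith("-A "):
            tokens = shlex.split(line)  # stored as (lineno, chain, argument tokens)
            tables[table][1].append((lineno, tokens[1], tokens[2:]))
    return tables

def _opt(tokens, *names):
    """Value following the first of the given options, or None."""
    for i, tok in enumerate(tokens[:-1]):
        if tok in names:
            return tokens[i + 1]
    return None

def entry_hooks(policies, rules):
    """Chain -> set of built-in chains from which it can be entered via -j/-g."""
    builtins = {c for c, p in policies.items() if p != "-"}
    callers = {c: set() for c in policies}
    for _, chain, tokens in rules:
        target = _opt(tokens, "-j", "-g", "--jump", "--goto")
        if target in callers and target not in builtins:
            callers[target].add(chain)
    hooks = {}
    for chain in policies:
        seen, stack = set(), [chain]
        while stack:
            c = stack.pop()
            if c not in seen:
                seen.add(c)
                stack.extend(callers.get(c, ()))
        hooks[chain] = seen & builtins
    return hooks

def check_restore(text):
    """Return [(lineno, severity, message)] for rules the kernel or iptables rejects."""
    findings = []
    for table, (policies, rules) in parse_restore(text).items():
        hooks = entry_hooks(policies, rules)
        for lineno, chain, tokens in rules:
            reach, where = hooks.get(chain, set()), "%s/%s" % (table, chain)
            # Check 1: since 2.6.20 --physdev-out is for bridged traffic only; the kernel
            # rejects it in chains reachable from OUTPUT and warns for FORWARD/POSTROUTING.
            if "--physdev-out" in tokens and "--physdev-is-bridged" not in tokens:
                if "OUTPUT" in reach:
                    findings.append((lineno, "error", where + ": --physdev-out reachable from OUTPUT (Invalid argument)"))
                elif reach & {"FORWARD", "POSTROUTING"}:
                    findings.append((lineno, "warning", where + ": --physdev-out without --physdev-is-bridged (kernel warning)"))
            # Check 2: a port in --to-source/--to-destination needs -p tcp/udp on
            # the same rule, else "Need TCP or UDP with port specification".
            if _opt(tokens, "-j", "--jump") in ("SNAT", "DNAT"):
                addr = _opt(tokens, "--to-source", "--to-destination") or ""
                proto = (_opt(tokens, "-p", "--protocol") or "").lower()
                if PORT_RE.search(addr) and proto not in PORT_PROTOS:
                    findings.append((lineno, "error", where + ": NAT port specification needs -p tcp or -p udp"))
    return findings

# Constructed ruleset mirroring the rules reported in this thread.
SAMPLE = """\
*nat
:POSTROUTING ACCEPT [0:0]
:eth1_masq - [0:0]
:excl1 - [0:0]
-A POSTROUTING -o br0 -m physdev --physdev-out eth1 -j eth1_masq
-A eth1_masq -p 6 --dport 110 -s 10.1.2.0/24 -j excl1
-A excl1 -s 10.1.2.1 -j RETURN
-A excl1 -j SNAT --to-source 10.1.1.1:500-600
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:accounting - [0:0]
-A INPUT -j accounting
-A FORWARD -j accounting
-A OUTPUT -j accounting
-A accounting -p 17 -m multiport --dports 555,666 -i br0 -m physdev --physdev-in eth0 -o br0 -m physdev --physdev-out eth1 -j RETURN
COMMIT
"""
# Repaired copy: --physdev-is-bridged is assumed (per xt_physdev, not the thread) to pass the check.
FIXED = (SAMPLE.replace("-m physdev --physdev-out", "-m physdev --physdev-is-bridged --physdev-out")
               .replace("-A excl1 -j SNAT", "-A excl1 -p tcp -j SNAT"))
```

Run check_restore(SAMPLE) to get one warning for the nat POSTROUTING rule and two errors (the SNAT rule and the accounting rule, because accounting is entered from OUTPUT); drop the "-A OUTPUT -j accounting" line and the accounting finding degrades to the warning, which is exactly the FORWARD-only behaviour observed above. The reachability walk is what makes the first check useful: the offending rule itself looks identical in both cases, and only the chains that jump to it decide whether the kernel returns EINVAL or merely logs.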
On Sunday 10 June 2007 19:29, Steven Jan Springl wrote:
> The accounting file contains:
>
> DONE - eth0 eth1 udp 555,666
> DONE - - eth1 udp 777,888
> DONE - eth0 br0 udp 555,666
> DONE - - br0 udp 777,888
>
> and the rules file contains (amongst other rules):
>
> ACCEPT fw lan udp 555,666,777,888
>
> but 'accountout' is still not generated. What am I missing?
>
> Steven.

Tom

I have had another look at this. I am still unable to get Shorewall to create an 'accountout' chain.

I have tried specifying $FW in the accounting file:

DONE - $FW br0 udp 777,888

but I get the message:

ERROR: Unknown interface (fw)

I have also tried the accounting and rules files entries as per my previous email.

I am obviously missing something basic here, but what?

Can you provide me with an example that works?

Steven.
Steven Jan Springl wrote:
> I have had another look at this. I am still unable to get Shorewall to create
> an 'accountout' chain.
>
> I have tried specifying $FW in the accounting file:
>
> DONE - $FW br0 udp 777,888
>
> but I get the message:
>
> ERROR: Unknown interface (fw)
>
> I have also tried the accounting and rules files entries as per my previous
> email.
>
> I am obviously missing something basic here, but what?
>
> Can you provide me with an example that works?

Your example will work with r6514. I've been using:

COUNT - all all

-Tom