brendlerjg@bluebottle.com
2008-Feb-29 19:19 UTC
shorewall-perl not handling "logmartians" correctly
I've set up a simple 2-interface Linux router using shorewall-perl
4.0.8
(and upgraded to 4.0.9). Everything works flawlessly. One small
exception I have noticed (since I'm a new shorewall user I
assume this is probably an error on my part).
1. Problem:
With no "logmartians" entries in /etc/shorewall/interfaces,
shorewall-perl sets /proc/sys/net/ipv4/conf/*/log_martians to "0".
2. Expected behavior:
For any interface entry in /etc/shorewall/interfaces for which the
"logmartians" option is not present, shorewall-perl should take no
action, leaving the system settings alone. (Unless I have
misunderstood the shorewall-interfaces man page and the release notes.)
3. Steps to reproduce:
a. With /etc/sysctl.conf entries:
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.all.log_martians = 1
b. With /etc/shorewall/interfaces:
(no "routefilter" options or "logmartians" entries of any
type)
c. Reboot
d. cat /proc/sys/net/conf/*/log_martians
(note that all are "0")
e. Remove shorewall from init scripts
(distro-specific)
f. Reboot (without shorewall)
g. cat /proc/sys/net/conf/*/log_martians
(note that all are "1")
h. With /etc/shorewall/interfaces:
(add "routefilter" or "logmartians=1" to an interface)
i. Restart shorewall
j. cat /proc/sys/net/conf/*/log_martians
(note that interface with "logmartians" entry now has log_martians=1)
Obviously, that's the simple work-around (explicitly enable logmartians
where needed), but this seems to be contrary to the (new) behavior
described in the man page for shorewall-interfaces and the release
notes.
Information required per web site:
# shorewall version
4.0.9
# ip addr show
brendlerjg@typhoon ~ $ sudo ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:01:02:86:4c:16 brd ff:ff:ff:ff:ff:ff
inet XX.XX.XXX.XXX/22 brd 255.255.255.255 scope global eth1
3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:30:bd:06:3d:4b brd ff:ff:ff:ff:ff:ff
inet 192.168.2.1/24 brd 192.168.2.255 scope global eth0
# ip route show
192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.1
XX.XX.XXX.0/22 dev eth1 proto kernel scope link src XX.XX.XXX.XXX
127.0.0.0/8 dev lo scope link
default via XX.XX.XXX.1 dev eth1
Tom Eastep
Re: shorewall-perl not handling "logmartians" correctly
brendlerjg@bluebottle.com wrote:
> I've set up a simple 2-interface Linux router using shorewall-perl 4.0.8
> (and upgraded to 4.0.9). Everything works flawlessly. One small
> exception I have noticed (since I'm a new shorewall user I
> assume this is probably an error on my part).
>
> 1. Problem:
> With no "logmartians" entries in /etc/shorewall/interfaces,
> shorewall-perl sets /proc/sys/net/ipv4/conf/*/log_martians to "0".
>
> 2. Expected behavior:
> For any interface entry in /etc/shorewall/interfaces for which the
> "logmartians" option is not present, shorewall-perl should take no
> action, leaving the system settings alone. (Unless I have
> misunderstood the shorewall-interfaces man page and the release notes.)

What is your setting for LOG_MARTIANS in shorewall.conf? It should be 'keep'.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
John Brendler
2008-Mar-01 00:02 UTC
Re: shorewall-perl not handling "logmartians" correctly
Disregard.

Solution: I had overlooked /etc/shorewall/shorewall.conf:

LOG_MARTIANS=Keep

Sorry for the unnecessary post.

On Fri, 29 Feb 2008 14:19:58 -0500 brendlerjg@bluebottle.com wrote:
> I've set up a simple 2-interface Linux router using shorewall-perl
> 4.0.8 (and upgraded to 4.0.9). Everything works flawlessly. One small
> exception I have noticed (since I'm a new shorewall user I
> assume this is probably an error on my part).
>
> 1. Problem:
> With no "logmartians" entries in /etc/shorewall/interfaces,
> shorewall-perl sets /proc/sys/net/ipv4/conf/*/log_martians to "0".
Tom Eastep
Re: shorewall-perl not handling "logmartians" correctly
John Brendler wrote:
> Disregard.
>
> Solution: I had overlooked /etc/shorewall/shorewall.conf:
>
> LOG_MARTIANS=Keep
>
> Sorry for the unnecessary post.

No problem. I've changed the sample configs to include that setting. But beginning with Shorewall 4.2, the sample configs will have LOG_MARTIANS=Yes. It's a good option that everyone should set.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Andrew Suffield
2008-Mar-01 07:40 UTC
Re: shorewall-perl not handling "logmartians" correctly
On Fri, Feb 29, 2008 at 06:18:09PM -0800, Tom Eastep wrote:
> I've changed the sample configs to include that setting. But beginning with
> Shorewall 4.2, the sample configs will have LOG_MARTIANS=Yes. It's a good
> option that everyone should set.

Particularly since it's a choice between "log martians" and "silently drop martians". Oddly, Linux has no way to disable martian checks.
Tom Eastep
Re: shorewall-perl not handling "logmartians" correctly
Andrew Suffield wrote:
> On Fri, Feb 29, 2008 at 06:18:09PM -0800, Tom Eastep wrote:
>> I've changed the sample configs to include that setting. But beginning with
>> Shorewall 4.2, the sample configs will have LOG_MARTIANS=Yes. It's a good
>> option that everyone should set.
>
> Particularly since it's a choice between "log martians" and "silently
> drop martians". Oddly, Linux has no way to disable martian checks.

Although they can be made much less strict by turning off route filtering.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
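The thread turns on two points: a firewall compiler that zeroes log_martians (the original report) and the observation that reverse-path filtering without logging means martians are dropped silently. The script below is an added example, not code from the thread, from Shorewall or from the kernel. It audits sysctl output for interfaces that are in exactly that state, using the kernel's rules for combining the conf/all and per-interface values (rp_filter takes the maximum, log_martians is a logical OR), and parses the "martian source" lines the kernel emits once logging is on. The sysctl text and the log lines are constructed for the example (the host name "typhoon" is borrowed from the poster's shell prompt); the function names are mine.

```python
"""Audit for silently dropped martians and parse kernel martian log lines.

Added example, not part of the original thread, of Shorewall or of the
kernel. SYSCTL_TEXT and LOG_LINES are constructed sample input.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of what `sysctl -a` prints for these keys. The
# "all" row mirrors the thread: log_martians forced to 0 while rp_filter
# stays on, so eth0 below filters strictly but never logs a drop.
SYSCTL_TEXT = """\
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.eth0.log_martians = 0
net.ipv4.conf.eth1.rp_filter = 1
net.ipv4.conf.eth1.log_martians = 1
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.lo.log_martians = 0
"""

SYSCTL_RE = re.compile(
    r"^net\.ipv4\.conf\.([^.\s]+)\.(rp_filter|log_martians)\s*=\s*(\d+)\s*$"
)


def parse_sysctl(text: str) -> Dict[str, Dict[str, int]]:
    """Return {interface: {"rp_filter": n, "log_martians": n}}; other keys ignored."""
    conf: Dict[str, Dict[str, int]] = {}
    for line in text.splitlines():
        m = SYSCTL_RE.match(line.strip())
        if m:
            iface, key, val = m.groups()
            conf.setdefault(iface, {})[key] = int(val)
    return conf


def effective(conf: Dict[str, Dict[str, int]], iface: str) -> Tuple[int, int]:
    """Effective (rp_filter, log_martians) for one interface.

    The kernel combines conf/all with the per-interface value:
    rp_filter uses max(all, iface); log_martians uses (all OR iface).
    "default" only seeds interfaces created later, so it is not consulted.
    """
    all_ = conf.get("all", {})
    own = conf.get(iface, {})
    rp = max(all_.get("rp_filter", 0), own.get("rp_filter", 0))
    log = 1 if (all_.get("log_martians", 0) or own.get("log_martians", 0)) else 0
    return rp, log


def silent_drop_interfaces(conf: Dict[str, Dict[str, int]]) -> List[str]:
    """Interfaces where reverse-path filtering is active (1 strict, 2 loose)
    but log_martians is off: packets failing the check vanish without a trace."""
    flagged = []
    for iface in conf:
        if iface in ("all", "default"):
            continue
        rp, log = effective(conf, iface)
        if rp and not log:
            flagged.append(iface)
    return sorted(flagged)


# Kernel format from net/ipv4/route.c. Note the argument order: the address
# after "martian source" is the packet's DESTINATION, the one after "from"
# is its SOURCE. Newer kernels prefix the message with "IPv4: ".
MARTIAN_RE = re.compile(
    r"martian source (\d+\.\d+\.\d+\.\d+) from (\d+\.\d+\.\d+\.\d+), on dev (\S+)"
)

# Constructed syslog lines; the "ll header" line follows a martian entry
# in real logs and must not be mistaken for a second event.
LOG_LINES = [
    "Feb 29 19:19:58 typhoon kernel: IPv4: martian source 192.168.2.1 from 10.0.0.5, on dev eth1",
    "Feb 29 19:19:58 typhoon kernel: ll header: 00000000: 00 30 bd 06 3d 4b 00 01 02 86 4c 16 08 00",
    "Feb 29 19:20:01 typhoon kernel: martian source 192.168.2.20 from 192.168.2.99, on dev eth1",
]


def parse_martian(line: str) -> Optional[Dict[str, str]]:
    """Return {"dst", "src", "dev"} for a martian-source line, else None."""
    m = MARTIAN_RE.search(line)
    if not m:
        return None
    return {"dst": m.group(1), "src": m.group(2), "dev": m.group(3)}


def martian_events(lines: List[str]) -> List[Dict[str, str]]:
    """All martian-source events in a log, in order."""
    return [ev for ev in (parse_martian(ln) for ln in lines) if ev]


if __name__ == "__main__":
    conf = parse_sysctl(SYSCTL_TEXT)
    for iface in silent_drop_interfaces(conf):
        print(f"{iface}: rp_filter on, log_martians off (silent drops)")
    for ev in martian_events(LOG_LINES):
        print(f"martian on {ev['dev']}: src={ev['src']} dst={ev['dst']}")
```

On a live router feed it `sysctl -a 2>/dev/null` and the kernel log instead of the constructed strings. The second log line in the sample (a 192.168.2.x source arriving on the external interface) is the spoofed-source case rp_filter exists to catch, and with LOG_MARTIANS=Keep plus a sysctl.conf that sets log_martians=1, or LOG_MARTIANS=Yes, it shows up in the log rather than disappearing.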