Based on my reading of the DEST section of the rules man page
[http://www.shorewall.net/manpages/shorewall-rules.html], "Beginning
with Shorewall 4.1.4, the zone should be omitted in DNAT-, REDIRECT-
and NONAT rules." This seems to jive with a warning thrown by
shorewall-perl 4.2.6 when a zone is left in:

Example:
DNAT- loc net:1.2.3.4:2525 tcp 25

Produces:
"WARNING: Destination zone (net) ignored : /etc/shorewall/rules"

Ok, makes sense. But then, when the zone is actually omitted, things
go horribly wrong:

Example:
DNAT- loc 1.2.3.4:2525 tcp 25

Produces:
"WARNING: Destination zone (1.2.3.4) ignored : /etc/shorewall/rules (line 459)
Can't call method "inet_htoa" without a package or object reference at
/usr/share/shorewall-perl/Shorewall/IPAddrs.pm line 150,
<$currentfile> line 459."

Is this a bug or a misinterpretation of the docs?

Thanks,
Matt

------------------------------------------------------------------------------
Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA
-OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise
-Strategies to boost innovation and cut costs with open source participation
-Receive a $600 discount off the registration fee with the source code: SFAD
http://p.sf.net/sfu/XcvMzF8H

Matt LaPlante wrote:
> Based on my reading of the DEST section of the rules man page
> [http://www.shorewall.net/manpages/shorewall-rules.html], "Beginning
> with Shorewall 4.1.4, the zone should be omitted in DNAT-, REDIRECT-
> and NONAT rules." This seems to jive with a warning thrown by
> shorewall-perl 4.2.6 when a zone is left in:
>
> Example:
> DNAT- loc net:1.2.3.4:2525 tcp 25
>
> Produces:
> "WARNING: Destination zone (net) ignored : /etc/shorewall/rules"
>
> Ok, makes sense. But then, when the zone is actually omitted, things
> go horribly wrong:
>
> Example:
> DNAT- loc 1.2.3.4:2525 tcp 25
>
> Produces:
> "WARNING: Destination zone (1.2.3.4) ignored : /etc/shorewall/rules (line 459)
> Can't call method "inet_htoa" without a package or object reference at
> /usr/share/shorewall-perl/Shorewall/IPAddrs.pm line 150,
> <$currentfile> line 459."
>
> Is this a bug or a misinterpretation of the docs?

It is a case of Shorewall-perl neglecting to generate a fatal error for
an absurd rule.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Tom Eastep wrote:
> Matt LaPlante wrote:
>> Based on my reading of the DEST section of the rules man page
>> [http://www.shorewall.net/manpages/shorewall-rules.html], "Beginning
>> with Shorewall 4.1.4, the zone should be omitted in DNAT-, REDIRECT-
>> and NONAT rules." This seems to jive with a warning thrown by
>> shorewall-perl 4.2.6 when a zone is left in:
>>
>> Example:
>> DNAT- loc net:1.2.3.4:2525 tcp 25
>>
>> Produces:
>> "WARNING: Destination zone (net) ignored : /etc/shorewall/rules"
>>
>> Ok, makes sense. But then, when the zone is actually omitted, things
>> go horribly wrong:
>>
>> Example:
>> DNAT- loc 1.2.3.4:2525 tcp 25
>>
>> Produces:
>> "WARNING: Destination zone (1.2.3.4) ignored : /etc/shorewall/rules (line 459)
>> Can't call method "inet_htoa" without a package or object reference at
>> /usr/share/shorewall-perl/Shorewall/IPAddrs.pm line 150,
>> <$currentfile> line 459."
>>
>> Is this a bug or a misinterpretation of the docs?
>
> It is a case of Shorewall-perl neglecting to generate a fatal error for
> an absurd rule.

Given that the server port (2525) can have no possible meaning in a
DNAT- rule, the parser tries to handle "1.2.3.4:2525" as a
<zone>:<IP address> pair. It generates the warning regarding 1.2.3.4
then flails away trying to validate 2525 as an IP address.

-Tom
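
The mis-parse described in the message above, as an added sketch that is not Shorewall's code and not part of the original thread: `naive_dest` always reads DEST zone-first, while `parse_dnat_dest` reads a DNAT- DEST as address[:port] and raises a line-numbered error instead of crashing. The function names, the zone names, and the IPv4-only, numeric-port handling are assumptions made for the example.

```python
import ipaddress

ZONES = {"fw", "loc", "net"}   # constructed zone names (assumption)


class RuleError(ValueError):
    """Fatal error that names the offending line of the rules file."""


def naive_dest(dest):
    """Model of the mis-parse: always read DEST as zone:address[:port]."""
    zone, _, rest = dest.partition(":")
    address, _, port = rest.partition(":")
    return zone, address, port


def parse_dnat_dest(dest, lineno):
    """Read a DNAT- DEST as address[:port]; return (address, port, warning)."""
    fields = dest.split(":")
    warning = None
    if fields[0] in ZONES:     # zone left in: warn and drop it
        warning = f"Destination zone ({fields.pop(0)}) ignored (line {lineno})"
    if not 1 <= len(fields) <= 2:
        raise RuleError(f"line {lineno}: expected address[:port], got '{dest}'")
    address = fields[0]
    port = fields[1] if len(fields) == 2 else None
    try:
        ipaddress.IPv4Address(address)   # IPv4 only in this sketch
    except ValueError:
        raise RuleError(f"line {lineno}: invalid address '{address}'") from None
    if port is not None and not (port.isdecimal() and 0 < int(port) < 65536):
        raise RuleError(f"line {lineno}: invalid port '{port}'")
    return address, int(port) if port is not None else None, warning


if __name__ == "__main__":
    print(naive_dest("1.2.3.4:2525"))    # the address slot ends up holding the port
    for dest in ("1.2.3.4:2525", "net:1.2.3.4:2525", "2525"):
        try:
            print(parse_dnat_dest(dest, 459))
        except RuleError as err:
            print("ERROR:", err)
```
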

Tom Eastep wrote:
> Matt LaPlante wrote:
>> Based on my reading of the DEST section of the rules man page
>> [http://www.shorewall.net/manpages/shorewall-rules.html], "Beginning
>> with Shorewall 4.1.4, the zone should be omitted in DNAT-, REDIRECT-
>> and NONAT rules." This seems to jive with a warning thrown by
>> shorewall-perl 4.2.6 when a zone is left in:
>>
>> Example:
>> DNAT- loc net:1.2.3.4:2525 tcp 25
>>
>> Produces:
>> "WARNING: Destination zone (net) ignored : /etc/shorewall/rules"
>>
>> Ok, makes sense. But then, when the zone is actually omitted, things
>> go horribly wrong:
>>
>> Example:
>> DNAT- loc 1.2.3.4:2525 tcp 25
>>
>> Produces:
>> "WARNING: Destination zone (1.2.3.4) ignored : /etc/shorewall/rules (line 459)
>> Can't call method "inet_htoa" without a package or object reference at
>> /usr/share/shorewall-perl/Shorewall/IPAddrs.pm line 150,
>> <$currentfile> line 459."
>>
>> Is this a bug or a misinterpretation of the docs?
>
> It is a case of Shorewall-perl neglecting to generate a fatal error for
> an absurd rule.

I offer my humblest apology. I read 'DNAT-' and thought 'NONAT'. This is
definitely a bug and I'll prepare a fix for it today.

-Tom

Tom Eastep wrote:
> Tom Eastep wrote:
>> Matt LaPlante wrote:
>>> Based on my reading of the DEST section of the rules man page
>>> [http://www.shorewall.net/manpages/shorewall-rules.html], "Beginning
>>> with Shorewall 4.1.4, the zone should be omitted in DNAT-, REDIRECT-
>>> and NONAT rules." This seems to jive with a warning thrown by
>>> shorewall-perl 4.2.6 when a zone is left in:
>>>
>>> Example:
>>> DNAT- loc net:1.2.3.4:2525 tcp 25
>>>
>>> Produces:
>>> "WARNING: Destination zone (net) ignored : /etc/shorewall/rules"
>>>
>>> Ok, makes sense. But then, when the zone is actually omitted, things
>>> go horribly wrong:
>>>
>>> Example:
>>> DNAT- loc 1.2.3.4:2525 tcp 25
>>>
>>> Produces:
>>> "WARNING: Destination zone (1.2.3.4) ignored : /etc/shorewall/rules (line 459)
>>> Can't call method "inet_htoa" without a package or object reference at
>>> /usr/share/shorewall-perl/Shorewall/IPAddrs.pm line 150,
>>> <$currentfile> line 459."
>>>
>>> Is this a bug or a misinterpretation of the docs?
>> It is a case of Shorewall-perl neglecting to generate a fatal error for
>> an absurd rule.
>
> I offer my humblest apology. I read 'DNAT-' and thought 'NONAT'. This is
> definitely a bug and I'll prepare a fix for it today.
>

The problem has been corrected in Shorewall-perl 4.2.6.2. A patch is
also attached.

-Tom

On Thu, Mar 5, 2009 at 10:07 AM, Tom Eastep <teastep@shorewall.net> wrote:
> Tom Eastep wrote:
>> Tom Eastep wrote:
>>> Matt LaPlante wrote:
>>>> Based on my reading of the DEST section of the rules man page
>>>> [http://www.shorewall.net/manpages/shorewall-rules.html], "Beginning
>>>> with Shorewall 4.1.4, the zone should be omitted in DNAT-, REDIRECT-
>>>> and NONAT rules." This seems to jive with a warning thrown by
>>>> shorewall-perl 4.2.6 when a zone is left in:
>>>>
>>>> Example:
>>>> DNAT- loc net:1.2.3.4:2525 tcp 25
>>>>
>>>> Produces:
>>>> "WARNING: Destination zone (net) ignored : /etc/shorewall/rules"
>>>>
>>>> Ok, makes sense. But then, when the zone is actually omitted, things
>>>> go horribly wrong:
>>>>
>>>> Example:
>>>> DNAT- loc 1.2.3.4:2525 tcp 25
>>>>
>>>> Produces:
>>>> "WARNING: Destination zone (1.2.3.4) ignored : /etc/shorewall/rules (line 459)
>>>> Can't call method "inet_htoa" without a package or object reference at
>>>> /usr/share/shorewall-perl/Shorewall/IPAddrs.pm line 150,
>>>> <$currentfile> line 459."
>>>>
>>>> Is this a bug or a misinterpretation of the docs?
>>> It is a case of Shorewall-perl neglecting to generate a fatal error for
>>> an absurd rule.
>>
>> I offer my humblest apology. I read 'DNAT-' and thought 'NONAT'. This is
>> definitely a bug and I'll prepare a fix for it today.
>>
>
> The problem has been corrected in Shorewall-perl 4.2.6.2. A patch is
> also attached.

Thanks Tom!

Matt LaPlante wrote:
>
> Thanks Tom!

You are most welcome, Matt.

-Tom