Klemens Rutz
2009-May-02 19:33 UTC
Source "all" in "DNAT-" rules with omitted destination zone
Hi,

a "DNAT-" rule with source "all" and omitted destination zone is not applied to packets originating from the firewall itself. Here is an example (zones oz and $FW) and some further analysis:

1. Adding the rule

       DNAT- all 10.10.0.1 - - - 209.85.135.99

   adds the lines

       :dnat - [0:0]
       :oz_dnat - [0:0]
       -A PREROUTING -j dnat
       -A dnat -i eth0 -j oz_dnat
       -A oz_dnat -d 209.85.135.99 -j DNAT --to-destination 10.10.0.1

   to the firewall script, which obviously does not affect packets coming from the firewall itself.

2. Mentioning $FW explicitly

       DNAT- $FW 10.10.0.1 - - - 209.85.135.99

   provides the desired result:

       -A OUTPUT -d 209.85.135.99 -j DNAT --to-destination 10.10.0.1

3. Putting "all-" or "all+-" as source leads to the same result as in case 1.

4. Putting "all+" adds the lines from cases 1 and 2 to the firewall script.

This behavior is different from what is described in shorewall-rules(5):

    "all" means "All Zones", including the firewall itself. "all-" means "All Zones, except the firewall itself" [...] When all+[-] is used, intra-zone traffic is affected

BTW, what is "intra-zone traffic" in this example, since the zone is omitted in the destination field?

This motivates another series of tests where the destination zone is "oz". I get a warning from the compiler:

    WARNING: Destination zone (oz) ignored)

but the firewall script seems to be correct in this case:

5. DNAT- all oz:10.10.0.1 - - - 209.85.135.99
   or DNAT- $FW oz:10.10.0.1 - - - 209.85.135.99
   Same firewall script as in 2.

6. DNAT- all- oz:10.10.0.1 - - - 209.85.135.99
   Adds nothing to the firewall script.

7. DNAT- all+ oz:10.10.0.1 - - - 209.85.135.99
   Same firewall script as in 4.

8. DNAT- all+- oz:10.10.0.1 - - - 209.85.135.99
   Same firewall script as in 1.

The warning is kind of misleading here, because the destination zone is actually not ignored. I agree, though, that a destination zone is only needed in a DNAT rule, not in a DNAT- rule.
Is the behavior with omitted destination zone correct, and should I specify the destination zone in DNAT- rules or not? How seriously should I take the warning about the ignored destination zone?

Many thanks,
Klemens
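The practical difference between cases 1 and 2 above is which nat chain the DNAT rule is reachable from: PREROUTING only covers forwarded traffic, while locally generated packets go through OUTPUT. The following script is an added example (not from this thread or from Shorewall) that parses the quoted firewall-script lines, follows the user-chain jumps and reports whether a given destination is DNATed on each path; the sample rulesets are constructed from the lines quoted in the post, and interface matches such as `-i eth0` are deliberately not evaluated (any interface is assumed).

```python
import re
from collections import defaultdict

# Constructed sample: the lines quoted for case 1 (PREROUTING path only).
CASE1_RULES = """\
:dnat - [0:0]
:oz_dnat - [0:0]
-A PREROUTING -j dnat
-A dnat -i eth0 -j oz_dnat
-A oz_dnat -d 209.85.135.99 -j DNAT --to-destination 10.10.0.1
"""

# Constructed sample: case 1 plus the OUTPUT rule produced in case 2.
CASE2_RULES = CASE1_RULES + "-A OUTPUT -d 209.85.135.99 -j DNAT --to-destination 10.10.0.1\n"

# "-A <chain> <match options> -j <target> <target options>"
RULE_RE = re.compile(r"^-A (\S+) (.*?)-j (\S+)(.*)$")

def parse_rules(text):
    """Map chain name -> list of (match options, target, target options)."""
    chains = defaultdict(list)
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            chain, opts, target, topts = m.groups()
            chains[chain].append((opts.split(), target, topts.split()))
    return chains

def dnat_targets(chains, start, dest):
    """--to-destination values reachable from `start` for packets addressed
    to `dest`, following jumps into user chains (cycle-guarded).
    Only the -d match is evaluated; interface matches are ignored."""
    found, seen = [], set()
    def walk(chain):
        if chain in seen:
            return
        seen.add(chain)
        for opts, target, topts in chains.get(chain, []):
            if "-d" in opts and opts[opts.index("-d") + 1] != dest:
                continue
            if target == "DNAT" and "--to-destination" in topts:
                found.append(topts[topts.index("--to-destination") + 1])
            elif target in chains:
                walk(target)
    walk(start)
    return found

def dnat_coverage(text, dest):
    """Report DNAT targets for forwarded (PREROUTING) and local (OUTPUT) traffic."""
    chains = parse_rules(text)
    return {"forwarded": dnat_targets(chains, "PREROUTING", dest),
            "local": dnat_targets(chains, "OUTPUT", dest)}
```

Feeding the output of `iptables-save -t nat` from a running box into `dnat_coverage` gives the same check against the live ruleset.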
Tom Eastep
2009-May-02 20:13 UTC
Re: Source "all" in "DNAT-" rules with omitted destination zone
Klemens Rutz wrote:
> Hi,
>
> a "DNAT-" rule with source "all" and omitted destination zone is not
> applied to packets originating from the firewall itself. Here is
> an example (zones oz and $FW) and some further analysis:

<details deleted>

The attached patch against 4.3 applies with offset to 4.2. Apply to /usr/share/shorewall-perl/Shorewall/Rules.pm

> This motivates another series of tests where the destination
> zone is "oz". I get a warning from the compiler:
> WARNING: Destination zone (oz) ignored)
> but the firewall script seems to be correct in this case:

<more detail deleted>

> The warning is kind of misleading here,

I disagree.

> because the destination zone is actually not ignored.

Yes it is! You get the same result whether it is there, is not there, or is the name of any defined zone.

> Though I agree that a destination
> zone is only needed in a DNAT, but not in a DNAT- rule.
>
> Is the behavior with omitted destination zone correct

Yes.

> and
> should I specify the destination zone in DNAT- rules or not?

Not.

> How serious should I take the warning about the ignored
> destination zone?

I can't answer that. The message tells you that you are doing something silly -- you can ignore it if you want to.

-Tom
-- 
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
Klemens Rutz
2009-May-02 21:50 UTC
Re: Source "all" in "DNAT-" rules with omitted destination zone
Thanks, the patch solves the issue. Will the change also be included in the next release?

Regards,
Klemens

Tom Eastep wrote:
> Klemens Rutz wrote:
> > Hi,
> >
> > a "DNAT-" rule with source "all" and omitted destination zone is not
> > applied to packets originating from the firewall itself. Here is an
> > example (zones oz and $FW) and some further analysis:
>
> <details deleted>
>
> The attached patch against 4.3 applies with offset to 4.2. Apply to
> /usr/share/shorewall-perl/Shorewall/Rules.pm
>
> > This motivates another series of tests where the destination zone is
> > "oz". I get a warning from the compiler:
> > WARNING: Destination zone (oz) ignored) but the firewall script
> > seems to be correct in this case:
>
> <more detail deleted>
>
> > The warning is kind of misleading here,
>
> I disagree.
>
> > because the destination zone is actually not ignored.
>
> Yes it is! You get the same result whether it is there, is not there, or
> is the name of any defined zone.
>
> > Though I agree that a destination
> > zone is only needed in a DNAT, but not in a DNAT- rule.
> >
> > Is the behavior with omitted destination zone correct
>
> Yes.
>
> > and
> > should I specify the destination zone in DNAT- rules or not?
>
> Not.
>
> > How serious should I take the warning about the ignored destination
> > zone?
>
> I can't answer that. The message tells you that you are doing something
> silly -- you can ignore it if you want to.
>
> -Tom
> -- 
> Tom Eastep            \ When I die, I want to go like my Grandfather who
> Shoreline,             \ died peacefully in his sleep. Not screaming like
> Washington, USA         \ all of the passengers in his car
> http://shorewall.net     \________________________________________________