Brian J. Murrell
2009-Dec-06 05:06 UTC
shorewall6-lite's shorecap sourcing /usr/share/shorewall-lite/lib.base?
Hey all,
Just a sanity check, but should the shorecap script in shorewall6-lite
be sourcing /usr/share/shorewall6-lite/lib.base rather
than /usr/share/shorewall-lite/lib.base like it does currently?
In fact shouldn't there be a general s/shorewall-lite/shorewall6-lite/
in shorecap in shorewall6-lite? Maybe there is more of that lurking
about as well.
Also, the first line of the determine_capabilities() function in
lib.base is:

    qt $IP6TABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=

which is followed somewhat further down in the function with:

    [ -n "$IP6TABLES" ] || IP6TABLES=$(mywhich ip6tables)

But shouldn't the test for the mangle table come after the conditional
setting of IP6TABLES?
FWIW, the difference in shorecap output when I make the shorewall-lite
-> shorewall6-lite changes and fix the IP6TABLES bug above is:
@@ -1,7 +1,6 @@
#
-# Shorewall 4.2.8 detected the following iptables/netfilter capabilities - Sat
Dec 5 23:32:07 EST 2009
+# Shorewall6 4.2.8 detected the following ip6tables/netfilter capabilities -
Sun Dec 6 00:04:48 EST 2009
#
-NAT_ENABLED=Yes
MANGLE_ENABLED=Yes
MULTIPORT=Yes
XMULTIPORT=Yes
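Review bot: regenerate any capabilities file produced by the unpatched shorecap rather than reusing it; the removed NAT_ENABLED=Yes line and the header's change from "Shorewall ... iptables" to "Shorewall6 ... ip6tables" show that the old output described the IPv4 tool, not ip6tables.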
@@ -16,7 +15,7 @@
IPRANGE_MATCH=Yes
RECENT_MATCH=Yes
OWNER_MATCH-IPSET_MATCH=Yes
+IPSET_MATCH CONNMARK=Yes
XCONNMARK=Yes
CONNMARK_MATCH=Yes
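Review bot: the IPSET_MATCH change in this hunk cannot be read as posted, because "OWNER_MATCH-IPSET_MATCH=Yes" and "+IPSET_MATCH CONNMARK=Yes" each hold two entries run together and the hunk is shorter than the 7 lines its header declares; repost it with one capability per line so the before and after values of OWNER_MATCH and IPSET_MATCH can be checked.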
Cheers,
b.
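
The ordering problem raised in the message above, as an added example that is not part of the original post or of Shorewall's own code. Assumptions: qt and mywhich are simplified stand-ins for the lib.base helpers of the same names, ip6tables is a constructed stub that always succeeds, and the two caps_* function names are hypothetical.

```shell
#!/bin/sh
# Added illustration of probe-before-resolve ordering in capability detection.

# Stand-in for lib.base's qt: run a command quietly, keep only its exit status.
qt() { "$@" >/dev/null 2>&1; }

# Stand-in for lib.base's mywhich: print how the shell resolves a command name.
mywhich() { command -v "$1"; }

# Constructed stub: an "ip6tables" that accepts any arguments and succeeds,
# so the demo needs neither root nor a real netfilter.
ip6tables() { return 0; }

# Order described in the post: the mangle probe runs before IP6TABLES is set.
# With IP6TABLES empty, qt ends up trying to execute "-t", which fails, and the
# capability is recorded as absent even though the tool would have reported it.
caps_probe_first() {
    IP6TABLES=$1
    qt $IP6TABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
    [ -n "$IP6TABLES" ] || IP6TABLES=$(mywhich ip6tables)
    echo "MANGLE_ENABLED=$MANGLE_ENABLED"
}

# Order proposed in the post: resolve IP6TABLES first, then probe with it.
caps_resolve_first() {
    IP6TABLES=$1
    [ -n "$IP6TABLES" ] || IP6TABLES=$(mywhich ip6tables)
    qt $IP6TABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
    echo "MANGLE_ENABLED=$MANGLE_ENABLED"
}

echo "IP6TABLES not preset, probe first:   $(caps_probe_first "")"
echo "IP6TABLES not preset, resolve first: $(caps_resolve_first "")"
# When the caller presets IP6TABLES, the original order happens to work,
# which is how the problem can go unnoticed.
echo "IP6TABLES preset, probe first:       $(caps_probe_first ip6tables)"
```
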
Tom Eastep
2009-Dec-06 06:14 UTC
Re: shorewall6-lite's shorecap sourcing /usr/share/shorewall-lite/lib.base?
Brian J. Murrell wrote:
> Hey all,
>
> Just a sanity check, but should the shorecap script in shorewall6-lite
> be sourcing /usr/share/shorewall6-lite/lib.base rather
> than /usr/share/shorewall-lite/lib.base like it does currently?
>
> In fact shouldn't there be a general s/shorewall-lite/shorewall6-lite/
> in shorecap in shorewall6-lite? Maybe there is more of that lurking
> about as well.
>
> Also, the first line of the determine_capabilities() function in
> lib.base is:
>
> qt $IP6TABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
>
> which is followed somewhat further down in the function with:
>
> [ -n "$IP6TABLES" ] || IP6TABLES=$(mywhich ip6tables)
>
> But shouldn't the test for the mangle table come after the conditional
> setting of IP6TABLES?
>

I'll fix these in the next 4.4 release; think I'll wait on 4.2.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Brian J. Murrell
2009-Dec-06 13:46 UTC
Re: shorewall6-lite's shorecap sourcing /usr/share/shorewall-lite/lib.base?
On Sat, 2009-12-05 at 22:14 -0800, Tom Eastep wrote:
>
> I'll fix these in the next 4.4 release; think I'll wait on 4.2.

OK. I will patch OpenWRT's package then.

Any thoughts on any (in-)compatibilities that might arise trying to load
a 4.4 shorewall[6]-lite from a 4.2 shorewall[6] machine?

b.
Tom Eastep
2009-Dec-06 18:10 UTC
Re: shorewall6-lite's shorecap sourcing /usr/share/shorewall-lite/lib.base?
Brian J. Murrell wrote:
> On Sat, 2009-12-05 at 22:14 -0800, Tom Eastep wrote:
>> I'll fix these in the next 4.4 release; think I'll wait on 4.2.
>
> OK. I will patch OpenWRT's package then.
>
> Any thoughts on any (in-)compatibilities that might arise trying to load
> a 4.4 shorewall[6]-lite from a 4.2 shorewall[6] machine?

None -- I never test anything like that.

But I've uploaded 4.2.11.2 and 4.4.4.2.

-Tom
Simon Matter
2009-Dec-07 07:54 UTC
Re: shorewall6-lite's shorecap sourcing /usr/share/shorewall-lite/lib.base?
> Brian J. Murrell wrote:
>> On Sat, 2009-12-05 at 22:14 -0800, Tom Eastep wrote:
>>> I'll fix these in the next 4.4 release; think I'll wait on 4.2.
>>
>> OK. I will patch OpenWRT's package then.
>>
>> Any thoughts on any (in-)compatibilities that might arise trying to load
>> a 4.4 shorewall[6]-lite from a 4.2 shorewall[6] machine?
>
> None -- I never test anything like that.
>
> But I've uploaded 4.2.11.2 and 4.4.4.2.

Hi Tom,

Somehow the 4.4.4.2 patches are not the way they should be. You may want
to check your build scripts I think.

Thanks,
Simon
Tuomo Soini
2009-Dec-07 10:19 UTC
Re: shorewall6-lite's shorecap sourcing /usr/share/shorewall-lite/lib.base?
Simon Matter wrote:
> Somehow the 4.4.4.2 patches are not the way they should be. You may want
> to check your build scripts I think.

patch-6-4.4.4.2 and patch-6-lite-4.4.4.2 seem to be wrong. That's
probably because 4.4.4.1 was skipped so there was no 4.4.4.1 to compare
against.

--
Tuomo Soini <tis@foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
Tom Eastep
2009-Dec-07 15:05 UTC
Re: shorewall6-lite's shorecap sourcing /usr/share/shorewall-lite/lib.base?
Simon Matter wrote:
>> Brian J. Murrell wrote:
>>> On Sat, 2009-12-05 at 22:14 -0800, Tom Eastep wrote:
>>>> I'll fix these in the next 4.4 release; think I'll wait on 4.2.
>>> OK. I will patch OpenWRT's package then.
>>>
>>> Any thoughts on any (in-)compatibilities that might arise trying to load
>>> a 4.4 shorewall[6]-lite from a 4.2 shorewall[6] machine?
>> None -- I never test anything like that.
>>
>> But I've uploaded 4.2.11.2 and 4.4.4.2.
>
> Hi Tom,
>
> Somehow the 4.4.4.2 patches are not the way they should be. You may want
> to check your build scripts I think.

When I built shorewall-4.4.4.2, my build script overwrote the correct
4.4.4.2 patches for Shorewall6 and Shorewall6-lite. The patches on my
web/ftp site (www1/ftp1) should now be correct.

-Tom