As I mentioned in a post yesterday, I'm releasing Shorewall 4.4.5.1 to
work around the reverse path filtering change in kernel 2.6.31.

----------------------------------------------------------------------------
P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 5 . 1
----------------------------------------------------------------------------

1) In kernel 2.6.31, the handling of the rp_filter interface option
   was changed incompatibly. Previously, the effective value was
   determined by the setting of net.ipv4.config.<dev>.rp_filter
   logically ANDed with the setting of net.ipv4.config.all.rp_filter.

   Beginning with kernel 2.6.31, the value is the arithmetic MAX of
   those two values.

   Given that Shorewall sets net.ipv4.config.all.rp_filter to 1 if
   there are any interfaces specifying 'routefilter', specifying
   'routefilter' on any interface has the effect of setting the
   option on all interfaces.

   To allow Shorewall to handle this issue, a number of changes were
   necessary:

   a) There is no way to safely determine if a kernel supports the
      new semantics or the old, so the Shorewall compiler uses the
      kernel version reported by uname.

   b) This means that the kernel version is now recorded in
      the capabilities file. So if you use capabilities files, you
      need to regenerate the files with Shorewall[-lite] 4.4.5.1.

   c) If the capabilities file does not contain a kernel version,
      the compiler assumes version 2.6.30 (the old rp_filter
      behavior).

   d) The ROUTE_FILTER option in shorewall.conf now accepts the
      following values:

      0 or No  - Shorewall sets net.ipv4.config.all.rp_filter to 0.
      1 or Yes - Shorewall sets net.ipv4.config.all.rp_filter to 1.
      2        - Shorewall sets net.ipv4.config.all.rp_filter to 2.
      Keep     - Shorewall does not change the setting of
                 net.ipv4.config.all.rp_filter if the kernel version
                 is 2.6.31 or later.

      The default remains Keep.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
This SF.Net email is sponsored by the Verizon Developer Community
Take advantage of Verizon's best-in-class app development support
A streamlined, 14 day to market process makes app distribution fast and easy
Join now and get one step closer to millions of Verizon customers
http://p.sf.net/sfu/verizon-dev2dev
Oops -- omitted the last bullet.

On Sun, 20 Dec 2009 09:23:50 -0800 Tom Eastep <teastep@shorewall.net> wrote:

> As I mentioned in a post yesterday, I'm releasing Shorewall 4.4.5.1 to
> work around the reverse path filtering change in kernel 2.6.31.
>
> ----------------------------------------------------------------------------
> P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 5 . 1
> ----------------------------------------------------------------------------
>
> 1) In kernel 2.6.31, the handling of the rp_filter interface option
>    was changed incompatibly. Previously, the effective value was
>    determined by the setting of net.ipv4.config.<dev>.rp_filter
>    logically ANDed with the setting of net.ipv4.config.all.rp_filter.
>
>    Beginning with kernel 2.6.31, the value is the arithmetic MAX of
>    those two values.
>
>    Given that Shorewall sets net.ipv4.config.all.rp_filter to 1 if
>    there are any interfaces specifying 'routefilter', specifying
>    'routefilter' on any interface has the effect of setting the
>    option on all interfaces.
>
>    To allow Shorewall to handle this issue, a number of changes were
>    necessary:
>
>    a) There is no way to safely determine if a kernel supports the
>       new semantics or the old, so the Shorewall compiler uses the
>       kernel version reported by uname.
>
>    b) This means that the kernel version is now recorded in
>       the capabilities file. So if you use capabilities files, you
>       need to regenerate the files with Shorewall[-lite] 4.4.5.1.
>
>    c) If the capabilities file does not contain a kernel version,
>       the compiler assumes version 2.6.30 (the old rp_filter
>       behavior).
>
>    d) The ROUTE_FILTER option in shorewall.conf now accepts the
>       following values:
>
>       0 or No  - Shorewall sets net.ipv4.config.all.rp_filter to 0.
>       1 or Yes - Shorewall sets net.ipv4.config.all.rp_filter to 1.
>       2        - Shorewall sets net.ipv4.config.all.rp_filter to 2.
>       Keep     - Shorewall does not change the setting of
>                  net.ipv4.config.all.rp_filter if the kernel version
>                  is 2.6.31 or later.
>
>       The default remains Keep.

   e) The 'routefilter' interface option can have values 0, 1 or 2.
      If 'routefilter' is specified without a value, the value 1 is
      assumed.

-Tom
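The semantics change and the new ROUTE_FILTER handling, as an added example that is not Shorewall's own code: a POSIX shell model that reads the KERNELVERSION line from a capabilities file (the same 20633 form Steven reports further down the thread), computes the effective per-interface rp_filter under the old AND and new MAX rules, and applies the four ROUTE_FILTER values. The capabilities content is constructed; the behaviour of Keep on a pre-2.6.31 kernel with no 'routefilter' interface is an assumption, and the sysctl keys are spelled with their real name net.ipv4.conf rather than the announcement's net.ipv4.config.

```shell
#!/bin/sh
# Added example (not Shorewall's code): models the 2.6.31 rp_filter change
# and Shorewall 4.4.5.1's ROUTE_FILTER / KERNELVERSION handling.
# Real sysctl names: net.ipv4.conf.all.rp_filter, net.ipv4.conf.<dev>.rp_filter.

# Constructed sample capabilities file; "20633" encodes kernel 2.6.33.
SAMPLE_CAPS='NAT_ENABLED=Yes
KERNELVERSION=20633'

# Kernel version from a capabilities file (integer such as 20633), or
# 20630 (2.6.30, old semantics) when the file has no KERNELVERSION line.
caps_kernel_version() {
    v=$(printf '%s\n' "$1" | sed -n 's/^KERNELVERSION=\([0-9][0-9]*\)$/\1/p')
    if [ -n "$v" ]; then echo "$v"; else echo 20630; fi
}

# Effective rp_filter for one interface: $1 kernel version, $2 "all"
# setting, $3 per-device setting.
effective_rp_filter() {
    if [ "$1" -ge 20631 ]; then
        # 2.6.31 and later: arithmetic MAX of the two values
        if [ "$2" -ge "$3" ]; then echo "$2"; else echo "$3"; fi
    else
        # 2.6.30 and earlier: logical AND, so "all"=1 alone filters nothing
        if [ "$2" -ne 0 ] && [ "$3" -ne 0 ]; then echo 1; else echo 0; fi
    fi
}

# Value written to the "all" setting: $1 ROUTE_FILTER, $2 kernel version,
# $3 current "all" value, $4 "yes" if any interface has 'routefilter'.
# (Keep on an old kernel without any 'routefilter' interface is assumed
# to leave the setting alone; the announcement only covers the other cases.)
route_filter_all_value() {
    case "$1" in
        0|[Nn]o)  echo 0 ;;
        1|[Yy]es) echo 1 ;;
        2)        echo 2 ;;
        [Kk]eep)  if [ "$2" -ge 20631 ] || [ "$4" != yes ]; then echo "$3"
                  else echo 1; fi ;;
        *) echo "unknown ROUTE_FILTER value: $1" >&2; return 1 ;;
    esac
}

# Demo: 'routefilter' on eth0 only (dev=1); eth1 left at dev=0. With
# ROUTE_FILTER=Yes on 2.6.33 the "all"=1 leaks onto eth1; Keep does not.
for rf in Yes Keep; do for kv in 20630 $(caps_kernel_version "$SAMPLE_CAPS"); do
    all=$(route_filter_all_value "$rf" "$kv" 0 yes)
    printf '%-4s kernel %s all=%s: eth0=%s eth1=%s\n' "$rf" "$kv" "$all" \
        "$(effective_rp_filter "$kv" "$all" 1)" "$(effective_rp_filter "$kv" "$all" 0)"
done; done
```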
Tom

Issuing a shorewall start produces the following messages:

WARNING: Unknown capability (KERNELVERSION) ignored : /etc/shorewall2/capabilities (line 49)
WARNING: Your capabilities file does not contain a Kernel Version -- using 2.6.30

I am using kernel 2.6.33-rc1 and the capabilities file contains:

KERNELVERSION=20633

Steven.
On Sun, 20 Dec 2009 21:26:57 +0000 Steven Jan Springl <steven@springl.ukfsn.org> wrote:

> Tom
>
> Issuing a shorewall start produces the following messages:
>
> WARNING: Unknown capability (KERNELVERSION)
> ignored : /etc/shorewall2/capabilities (line 49)
> WARNING: Your capabilities file does not contain a Kernel Version
> -- using 2.6.30

Groan -- I forgot to test a capabilities file that *did* have KERNELVERSION.

Patch attached.

Thanks, Steven

-Tom
On Sunday 20 December 2009 21:44:02 Tom Eastep wrote:

> On Sun, 20 Dec 2009 21:26:57 +0000
> Steven Jan Springl <steven@springl.ukfsn.org> wrote:
> > Tom
> >
> > Issuing a shorewall start produces the following messages:
> >
> > WARNING: Unknown capability (KERNELVERSION)
> > ignored : /etc/shorewall2/capabilities (line 49)
> > WARNING: Your capabilities file does not contain a Kernel Version
> > -- using 2.6.30
>
> Groan -- I forgot to test a capabilities file that *did* have
> KERNELVERSION.
>
> Patch attached.
>
> Thanks, Steven
>
> -Tom

That's worked. Thanks.

Steven.
On Sun, 20 Dec 2009 13:44:02 -0800 Tom Eastep <teastep@shorewall.net> wrote:

> On Sun, 20 Dec 2009 21:26:57 +0000
> Steven Jan Springl <steven@springl.ukfsn.org> wrote:
>
> > Tom
> >
> > Issuing a shorewall start produces the following messages:
> >
> > WARNING: Unknown capability (KERNELVERSION)
> > ignored : /etc/shorewall2/capabilities (line 49)
> > WARNING: Your capabilities file does not contain a Kernel Version
> > -- using 2.6.30
>
> Groan -- I forgot to test a capabilities file that *did* have
> KERNELVERSION.
>
> Patch attached.

I've just uploaded 4.4.5.2. It contains this patch as well as another
change that fixes issues with ROUTE_FILTER handling on 2.6.31 and later.

-Tom
On Sunday 20 December 2009 23:44:55 Tom Eastep wrote:

> I've just uploaded 4.4.5.2. It contains this patch as well as another
> change that fixes issues with ROUTE_FILTER handling on 2.6.31 and later.

Tom

Issuing command shorewall6 start produces the following message:

Use of uninitialized value $val in string eq at /usr/share/shorewall/Shorewall/Config.pm line 2373.

Steven.
Steven Jan Springl wrote:

> On Sunday 20 December 2009 23:44:55 Tom Eastep wrote:
>
>> I've just uploaded 4.4.5.2. It contains this patch as well as another
>> change that fixes issues with ROUTE_FILTER handling on 2.6.31 and later.
>
> Tom
>
> Issuing command shorewall6 start produces the following message:
>
> Use of uninitialized value $val in string eq
> at /usr/share/shorewall/Shorewall/Config.pm line 2373.

I saw that on one of my systems this morning but I was just headed out
the door and haven't had time to look at it yet.

-Tom
Tom Eastep wrote:

> Steven Jan Springl wrote:
>> On Sunday 20 December 2009 23:44:55 Tom Eastep wrote:
>>
>>> I've just uploaded 4.4.5.2. It contains this patch as well as another
>>> change that fixes issues with ROUTE_FILTER handling on 2.6.31 and later.
>> Tom
>>
>> Issuing command shorewall6 start produces the following message:
>>
>> Use of uninitialized value $val in string eq
>> at /usr/share/shorewall/Shorewall/Config.pm line 2373.
>
> I saw that on one of my systems this morning but I was just headed out
> the door and haven't had time to look at it yet.

I've uploaded a tentative 4.4.5.3 to
ftp://ftp1.shorewall.net/pub/shorewall/development/4.4/.

Please give it a test -- I don't have easy access to a system running
kernel 2.6.31 or later.

-Tom
On Tuesday 22 December 2009 01:41:20 Tom Eastep wrote:

> >> Issuing command shorewall6 start produces the following message:
> >>
> >> Use of uninitialized value $val in string eq
> >> at /usr/share/shorewall/Shorewall/Config.pm line 2373.
> >
> > I saw that on one of my systems this morning but I was just headed out
> > the door and haven't had time to look at it yet.
>
> I've uploaded a tentative 4.4.5.3 to
> ftp://ftp1.shorewall.net/pub/shorewall/development/4.4/.
>
> Please give it a test -- I don't have easy access to a system running
> kernel 2.6.31 or later.

Tom

That fixed that problem. However, I am now getting the following messages:

WARNING: Your capabilities file is out of date -- it does not contain all of the capabilities defined by Shorewall6 version 4.4.5.3
WARNING: Your capabilities file does not contain a Kernel Version -- using 2.6.30

I have recreated my capabilities file.

Steven.
Steven Jan Springl wrote:

> On Tuesday 22 December 2009 01:41:20 Tom Eastep wrote:
>>>> Issuing command shorewall6 start produces the following message:
>>>>
>>>> Use of uninitialized value $val in string eq
>>>> at /usr/share/shorewall/Shorewall/Config.pm line 2373.
>>> I saw that on one of my systems this morning but I was just headed out
>>> the door and haven't had time to look at it yet.
>> I've uploaded a tentative 4.4.5.3 to
>> ftp://ftp1.shorewall.net/pub/shorewall/development/4.4/.
>>
>> Please give it a test -- I don't have easy access to a system running
>> kernel 2.6.31 or later.
>>
>
> Tom
>
> That fixed that problem. However, I am now getting the following messages:
>
> WARNING: Your capabilities file is out of date -- it does not contain all
> of the capabilities defined by Shorewall6 version 4.4.5.3
> WARNING: Your capabilities file does not contain a Kernel Version -- using
> 2.6.30
>
> I have recreated my capabilities file.

That is to be expected -- route filtering isn't available with IPV6 so the
kernel version doesn't make any difference. The WARNINGs will go away in
4.4.6.

Thanks,
-Tom