Hello everybody,
maybe I am staring for too long into this terminal and start to see double
contours.
Using shorewall-4.4.10 on my Gentoo box with following entry in rules (among
others, tell me if you need a dump). It's located below SECTION NEW:

#ACTION SRC                        DEST
DROP    net:82.96.96.3,85.190.0.3  any

According to 'shorewall show net2fw' the rule is generated twice. This cannot
be right can it? It doesn't happen when DEST is set to all.

...
    0     0 DROP       all  --  *      *       82.96.96.3           0.0.0.0/0
    0     0 DROP       all  --  *      *       85.190.0.3           0.0.0.0/0
    0     0 DROP       all  --  *      *       82.96.96.3           0.0.0.0/0
    0     0 DROP       all  --  *      *       85.190.0.3           0.0.0.0/0
...

need, sleep.

greetings,
H

On 8/11/10 8:48 PM, Hellmut Tümmler wrote:
> Hello everybody,
> maybe I am staring for too long into this terminal and start to see double
> contours.
> Using shorewall-4.4.10 on my Gentoo box with following entry in rules (among
> others, tell me if you need a dump). It's located below SECTION NEW:
>
> #ACTION SRC                        DEST
> DROP    net:82.96.96.3,85.190.0.3  any
>
> According to 'shorewall show net2fw' the rule is generated twice. This cannot
> be right can it? It doesn't happen when DEST is set to all.
>
> ...
>     0     0 DROP       all  --  *      *       82.96.96.3           0.0.0.0/0
>     0     0 DROP       all  --  *      *       85.190.0.3           0.0.0.0/0
>     0     0 DROP       all  --  *      *       82.96.96.3           0.0.0.0/0
>     0     0 DROP       all  --  *      *       85.190.0.3           0.0.0.0/0
> ...

I have reproduced the problem.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

On 8/12/10 6:59 AM, Tom Eastep wrote:
> On 8/11/10 8:48 PM, Hellmut Tümmler wrote:
>> Hello everybody,
>> maybe I am staring for too long into this terminal and start to see double
>> contours.
>> Using shorewall-4.4.10 on my Gentoo box with following entry in rules (among
>> others, tell me if you need a dump). It's located below SECTION NEW:
>>
>> #ACTION SRC                        DEST
>> DROP    net:82.96.96.3,85.190.0.3  any
>>
>> According to 'shorewall show net2fw' the rule is generated twice. This cannot
>> be right can it? It doesn't happen when DEST is set to all.

It does -- in the fw2net chain.

>>
>> ...
>>     0     0 DROP       all  --  *      *       82.96.96.3           0.0.0.0/0
>>     0     0 DROP       all  --  *      *       85.190.0.3           0.0.0.0/0
>>     0     0 DROP       all  --  *      *       82.96.96.3           0.0.0.0/0
>>     0     0 DROP       all  --  *      *       85.190.0.3           0.0.0.0/0
>> ...
>
> I have reproduced the problem.

And attached is a patch:

patch /usr/share/shorewall/Shorewall/Zones.pm < anybug.diff

The patch will apply with an offset (-13 lines with 4.4.10 - I actually
tested it against 4.4.10.3). It will apply cleanly to 4.4.11 through
4.4.11.2.

-Tom

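Added example (not part of the original thread or of Shorewall): a small shell function that checks a chain listing for the symptom reported above, i.e. the same rule emitted more than once in one chain, so the fix can be confirmed after patching and restarting. The function names and the `Chain`/column header lines in the sample are constructed; the four DROP lines are the ones quoted in the thread.

```shell
#!/bin/sh
# Report rules that appear more than once in the same chain. Input is an
# `iptables -nvL`-style listing on stdin, as printed by `shorewall show <chain>`.
# The pkts/bytes counters are ignored so identical rules compare equal.
# Returns 1 if any duplicate is found, 0 otherwise.
find_duplicate_rules() {
    awk '
        /^Chain / { chain = $2; next }                 # start of a new chain
        # Rule lines begin with two counters (possibly suffixed K/M/G/T);
        # this also skips the Shorewall banner and the column header.
        $1 !~ /^[0-9]+[KMGT]?$/ || $2 !~ /^[0-9]+[KMGT]?$/ { next }
        {
            spec = $3
            for (i = 4; i <= NF; i++) spec = spec " " $i
            key = chain SUBSEP spec
            if (++seen[key] == 2) dup[++n] = key       # remember first repeat
        }
        END {
            for (i = 1; i <= n; i++) {
                split(dup[i], part, SUBSEP)
                printf "%s: %dx %s\n", part[1], seen[dup[i]], part[2]
            }
            exit (n > 0)
        }
    '
}

# Constructed sample: header lines are made up, DROP lines are from the thread.
sample_listing() {
    cat <<'EOF'
Chain net2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       82.96.96.3           0.0.0.0/0
    0     0 DROP       all  --  *      *       85.190.0.3           0.0.0.0/0
    0     0 DROP       all  --  *      *       82.96.96.3           0.0.0.0/0
    0     0 DROP       all  --  *      *       85.190.0.3           0.0.0.0/0
EOF
}

sample_listing | find_duplicate_rules || echo "duplicate rules present" >&2
```

On a live system the input would come from `shorewall show net2fw | find_duplicate_rules`; an empty result and exit status 0 mean no rule is repeated in the listed chain.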
> On 8/12/10 6:59 AM, Tom Eastep wrote:
> > On 8/11/10 8:48 PM, Hellmut Tümmler wrote:
> >> Hello everybody,
> >> maybe I am staring for too long into this terminal and start to see
> >> double contours.
> >> Using shorewall-4.4.10 on my Gentoo box with following entry in rules
> >> (among others, tell me if you need a dump). It's located below SECTION
> >> NEW:
> >>
> >> #ACTION SRC                        DEST
> >> DROP    net:82.96.96.3,85.190.0.3  any
> >>
> >> According to 'shorewall show net2fw' the rule is generated twice. This
> >> cannot be right can it? It doesn't happen when DEST is set to all.
>
> It does -- in the fw2net chain.
>
> >> ...
> >>     0     0 DROP       all  --  *      *       82.96.96.3           0.0.0.0/0
> >>     0     0 DROP       all  --  *      *       85.190.0.3           0.0.0.0/0
> >>     0     0 DROP       all  --  *      *       82.96.96.3           0.0.0.0/0
> >>     0     0 DROP       all  --  *      *       85.190.0.3           0.0.0.0/0
> >> ...
> >
> > I have reproduced the problem.
>
> And attached is a patch:
> patch /usr/share/shorewall/Shorewall/Zones.pm < anybug.diff
>
> The patch will apply with an offset (-13 lines with 4.4.10 - I actually
> tested it against 4.4.10.3). It will apply cleanly to 4.4.11 through
> 4.4.11.2.
>
> -Tom

Hey Tom,
thanks a lot for the patch. Meanwhile I have updated to 4.4.11.2 which showed
the same problem, but the patch did kill that bug for me.

While I'm at it, neither 'shorewall status' nor 'shorewall show config' reflect
which shorewall.conf the currently loaded configuration was compiled from.
Something tells me I'm opening Pandora's box with that 'simple' wish.
I use to put COMMENT rules within the rules file for the purpose, which is a
bit hackish, but doesn't waste much engineering time either ;)

cheers,
Hellmut

On 8/12/10 3:43 PM, Hellmut Tümmler wrote:
>
> While I'm at it, neither 'shorewall status' nor 'shorewall show config' reflect
> which shorewall.conf the currently loaded configuration was compiled from.
> Something tells me I'm opening Pandora's box with that 'simple' wish.
> I use to put COMMENT rules within the rules file for the purpose, which is a
> bit hackish, but doesn't waste much engineering time either ;)

gateway:/etc/shorewall# shorewall status
Shorewall-4.4.12-RC1 Status at gateway - Thu Aug 12 17:33:54 PDT 2010

Shorewall is running
State:Started (Thu Aug 12 17:28:08 PDT 2010) from /etc/shorewall/

gateway:/etc/shorewall#

-Tom

> > While I'm at it, neither 'shorewall status' nor 'shorewall show config'
> > reflect which shorewall.conf the currently loaded configuration was
> > compiled from. Something tells me I'm opening Pandora's box with that
> > 'simple' wish. I use to put COMMENT rules within the rules file for the
> > purpose, which is a bit hackish, but doesn't waste much engineering time
> > either ;)
>
> gateway:/etc/shorewall# shorewall status
> Shorewall-4.4.12-RC1 Status at gateway - Thu Aug 12 17:33:54 PDT 2010
>
> Shorewall is running
> State:Started (Thu Aug 12 17:28:08 PDT 2010) from /etc/shorewall/
>
> gateway:/etc/shorewall#
>
> -Tom
> # shorewall restart

We are obviously running differing code. I'm happily looking forward to 4.4.12
:)
Thanks Tom!

greetings,
Hellmut

pansen:/etc/config # shorewall restart
Compiling...
Processing /etc/shorewall/shorewall.conf...
...
Processing /etc/shorewall/started ...
done.
pansen:/etc/config # shorewall status
Shorewall-4.4.11.2 Status at pansen - Fri Aug 13 12:57:43 CEST 2010

Shorewall is running
State:Started (Fri Aug 13 12:57:41 CEST 2010)

pansen:/etc/config # shorewall show config
Default CONFIG_PATH is /etc/shorewall:/usr/share/shorewall

pansen:/etc/config# shorewall restart /etc/shorewall-tc
Compiling...
Processing /etc/shorewall-tc/shorewall.conf...
....
Processing /etc/shorewall/started ...
done.
pansen:/etc/config # shorewall status
Shorewall-4.4.11.2 Status at pansen - Fri Aug 13 12:57:55 CEST 2010

Shorewall is running
State:Started (Fri Aug 13 12:57:53 CEST 2010)

pansen:/etc/config# shorewall show config
Default CONFIG_PATH is /etc/shorewall:/usr/share/shorewall

On 8/13/10 4:12 AM, Hellmut Tümmler wrote:
>
> We are obviously running differing code. I'm happily looking forward to 4.4.12

I just implemented that feature, based on your request :-)

-Tom

> On 8/13/10 4:12 AM, Hellmut Tümmler wrote:
> > We are obviously running differing code. I'm happily looking forward to
> > 4.4.12
>
> I just implemented that feature, based on your request :-)
>
> -Tom

Thanks Tom, I thought so.

Now you've fed the troll ;)
It would be too nice if the accounting chain could be retained across
shorewall restarts and reloads, as to not lose the counters (unless
/etc/shorewall/accounting has changed or a fictional conf variable
RETAIN_ACC_COUNTERS=No).

The attachment contains a puny typo fix for the html docs.

cheers,
Hellmut

On 8/13/10 8:04 PM, Hellmut Tümmler wrote:
> Now you've fed the troll ;)
> It would be too nice if the accounting chain could be retained across
> shorewall restarts and reloads, as to not lose the counters (unless
> /etc/shorewall/accounting has changed or a fictional conf variable
> RETAIN_ACC_COUNTERS=No).

Patches cheerfully accepted.

>
> The attachment contains a puny typo fix for the html docs.
>

Unfortunately, the docs are maintained in Docbook XML, not html. So if you
want to submit patches for them, you need to download the 'master' git
repository and submit patches against the xml docs in that repository.

This time, I'll try to locate your fixes in the XML but no guarantees.

-Tom

On 8/13/10 8:20 PM, Tom Eastep wrote:
> This time, I'll try to locate your fixes in the XML but no guarantees.

Found it (Unfortunately, your patch was reversed).

Thanks!
-Tom

> On 8/13/10 8:20 PM, Tom Eastep wrote:
> > This time, I'll try to locate your fixes in the XML but no guarantees.
>
> Found it (Unfortunately, your patch was reversed).
>
> Thanks!
> -Tom

How utterly embarrassing O_o
My perl-fu is unworthy, but I have a few more fixes for the html pending, will
go the XML route this time and try not to diff in handstand again.

cheers,
Hellmut