Tom Eastep
2011-Jan-30 18:06 UTC
Shorewall 4.4.17 Beta 3 (includes efficient per-IP accounting)
Shorewall 4.4.17 Beta 3 is now ready for testing. I apologize for the
rapid-fire betas but I'm eager to release this functionality.

Problems Corrected:

1) If the SOURCE column in /etc/shorewall6/rules contained an IPv6
   address enclosed in [...], a spurious error was generated:

       ERROR: Invalid VLSM (0]) : /etc/shorewall6/rules (line 20)

   The error did not occur if <...> was used to enclose the IPv6 address.

2) Two compiler defects in module loading have been corrected:

   a) Previously, the kernel/net/ipv6/netfilter/ directory was not
      searched.

   b) A Perl diagnostic was issued when running on a monolithic kernel
      when the modutils package was installed.

New Features:

1) The treatment of run-time address variables when an optional
   interface is unavailable has changed. Originally, the nil IP address
   was substituted (0.0.0.0 for IPv4 and :: for IPv6). Now, the generated
   rules that would contain the address are omitted from the ruleset.

2) This release adds support for per-IP accounting using the ACCOUNT
   target. That target is only available when xtables-addons is
   installed. This support has been successfully tested with
   xtables-addons 1.32 on:

   - Fedora 14
   - Debian Squeeze

   Versions of xtables-addons supporting the ACCOUNT target do not
   install successfully on Debian Lenny.

   Information about xtables-addons installation may be found at
   http://www.shorewall.net/Dynamic.html#xtables-addons

   This feature required addition of the "ACCOUNT Target" capability so
   if you use a capabilities file, you will want to refresh it after
   installing this release.

   Per-IP accounting is configured in /etc/shorewall/accounting (it is
   not currently supported in IPv6). In the ACTION column, enter:

       ACCOUNT(<table>,<network>)

   where:

       <table>   is the name of an accounting table (you choose the
                 name). Rules specifying the same table will have their
                 per-IP counters accumulated in that table.

       <network> is an IPv4 network in CIDR format. May be as large as
                 a /8.

   Example: Suppose your WAN interface is eth0 and your LAN interface is
   eth1 with network 172.20.1.0/24. To account for all traffic between
   the WAN and LAN interfaces:

       #ACTION                          TABLE   SOURCE   DEST ...
       ACCOUNT(net-loc,172.20.1.0/24)   -       eth0     eth1
       ACCOUNT(net-loc,172.20.1.0/24)   -       eth1     eth0

   This will create a net-loc table for counting packets and bytes for
   traffic between the two interfaces. The table is dumped using the
   iptaccount utility:

       iptaccount [-f] -l net-loc

   For each local IP address with non-zero counters, the packet and byte
   count for both incoming traffic (IP is DST) and outgoing traffic (IP
   is SRC) are listed. The -f option causes the table to be flushed
   (reset all counters to zero).

   One nice feature of per-IP accounting is that the counters survive
   'shorewall restart'. This has a downside, however. If you change the
   <network> associated with an accounting table, then you must
   "shorewall stop; shorewall start" to have a successful restart
   (counters will be cleared).

Thank you for testing,
-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)!
Finally, a world-class log management solution at an even better
price-free! Download using promo code Free_Logger_4_Dev2Dev. Offer
expires February 28th, so secure your free ArcSight Logger TODAY!
http://p.sf.net/sfu/arcsight-sfd2d
Tom Eastep
2011-Jan-31 00:18 UTC
Re: [Shorewall-users] Shorewall 4.4.17 Beta 3 (CORRECTION)
On 1/30/11 10:06 AM, Tom Eastep wrote:
>
> 2) This release adds support for per-IP accounting using the ACCOUNT
> target. That target is only available when xtables-addons is
> installed. This support has been successfully tested with
> xtables-addons 1.32 on:
>
> - Fedora 14
> - Debian Squeeze
>
> Versions of xtables-addons supporting the ACCOUNT target do not
> install successfully on Debian Lenny.

The last statement is incorrect. I have also tested this support on
Lenny using xtable-addons 1.21.

-Tom
Steven Jan Springl
2011-Jan-31 17:27 UTC
Re: Shorewall 4.4.17 Beta 3 (includes efficient per-IP accounting)
Tom

The following accounting rule:

    ACCOUNT(loc-brd) - eth0 br0

Produces the following message:

    Use of uninitialized value $net in pattern match (m//) at
    /usr/share/shorewall/Shorewall/Accounting.pm line 109, <$currentfile> line 37.

Steven.
Tom Eastep
2011-Jan-31 18:08 UTC
Re: Shorewall 4.4.17 Beta 3 (includes efficient per-IP accounting)
On 1/31/11 9:27 AM, Steven Jan Springl wrote:
> Use of uninitialized value $net in pattern match (m//)
> at /usr/share/shorewall/Shorewall/Accounting.pm line 109, <$currentfile> line
> 37.

The attached patch corrects that issue and tightens up the editing of
ACCOUNT(...) in general.

Thanks, Steven
-Tom
Steven Jan Springl
2011-Jan-31 19:07 UTC
Re: Shorewall 4.4.17 Beta 3 (includes efficient per-IP accounting)
On Monday 31 January 2011 18:08:05 Tom Eastep wrote:
>
> The attached patch corrects that issue and tightens up the editing of
> ACCOUNT(...) in general.
>
> Thanks, Steven
>
> -Tom

Tom

Confirmed, the patch fixes the issue. Thanks.

Steven
Tom Eastep
2011-Jan-31 19:13 UTC
Re: Shorewall 4.4.17 Beta 3 (includes efficient per-IP accounting)
On 1/31/11 11:07 AM, Steven Jan Springl wrote:
> Confirmed, the patch fixes the issue. Thanks.

Thanks, Steven
-Tom
Steven Jan Springl
2011-Jan-31 19:17 UTC
Re: Shorewall 4.4.17 Beta 3 (includes efficient per-IP accounting)
Tom

The following accounting rule:

    ACCOUNT() - eth0 br0

produces the following error message from the "Optimizing Ruleset" phase:

    ERROR: Internal error in Shorewall::Chains::delete_jumps
    at /usr/share/shorewall/Shorewall/Chains.pm line 1169

Steven.
Steven Jan Springl
2011-Jan-31 20:40 UTC
Re: Shorewall 4.4.17 Beta 3 (includes efficient per-IP accounting)
On Monday 31 January 2011 19:17:48 Steven Jan Springl wrote:
> Tom
>
> The following accounting rule:
>
> ACCOUNT() - eth0 br0
>
> produces the following error message from the "Optimizing Ruleset" phase:
>
> ERROR: Internal error in Shorewall::Chains::delete_jumps
> at /usr/share/shorewall/Shorewall/Chains.pm line 1169
>
> Steven.

Tom

In addition to the above. Accounting rule:

    ACCOUNT( - eth0 br0

produces the following error message from the "Optimizing Ruleset" phase:

    Unmatched ( in regex; marked by <-- HERE in m/ -[gj] ACCOUNT( <-- HERE
    (\s+-m comment .*)?\s*$/ at /usr/share/shorewall/Shorewall/Chains.pm line 1161.

Steven.
Tom Eastep
2011-Jan-31 21:39 UTC
Re: Shorewall 4.4.17 Beta 3 (includes efficient per-IP accounting)
On 1/31/11 12:40 PM, Steven Jan Springl wrote:
>> The following accounting rule:
>>
>> ACCOUNT() - eth0 br0
>>
>> produces the following error message from the "Optimizing Ruleset" phase:
>>
>> ERROR: Internal error in Shorewall::Chains::delete_jumps
>> at /usr/share/shorewall/Shorewall/Chains.pm line 1169
>>
>> Steven.
>
> Tom
>
> In addition to the above.
>
> Accounting rule:
>
> ACCOUNT( - eth0 br0
>
> produces the following error message from the "Optimizing Ruleset" phase:
>
> Unmatched ( in regex; marked by <-- HERE in m/ -[gj] ACCOUNT( <-- HERE (\s+-m
> comment .*)?\s*$/ at /usr/share/shorewall/Shorewall/Chains.pm line 1161.
>

Both issues are corrected by the attached patch. In addition, I'm adding
additional constraints on the names of accounting chains to avoid
similar errors. That change won't apply to Beta 3 since it is based on
some additional constraints that I've already added for the next Beta/RC.

Thanks again, Steven
-Tom
Steven Jan Springl
2011-Jan-31 22:49 UTC
Re: Shorewall 4.4.17 Beta 3 (includes efficient per-IP accounting)
On Monday 31 January 2011 21:39:13 Tom Eastep wrote:
> On 1/31/11 12:40 PM, Steven Jan Springl wrote:
> >> The following accounting rule:
> >>
> >> ACCOUNT() - eth0 br0
> >>
> >> produces the following error message from the "Optimizing Ruleset"
> >> phase:
> >>
> >> ERROR: Internal error in Shorewall::Chains::delete_jumps
> >> at /usr/share/shorewall/Shorewall/Chains.pm line 1169
> >>
> >> Steven.
> >
> > Tom
> >
> > In addition to the above.
> >
> > Accounting rule:
> >
> > ACCOUNT( - eth0 br0
> >
> > produces the following error message from the "Optimizing Ruleset" phase:
> >
> > Unmatched ( in regex; marked by <-- HERE in m/ -[gj] ACCOUNT( <-- HERE
> > (\s+-m comment .*)?\s*$/ at /usr/share/shorewall/Shorewall/Chains.pm line
> > 1161.
>
> Both issues are corrected by the attached patch. In addition, I'm adding
> additional constraints on the names of accounting chains to avoid
> similar errors. That change won't apply to Beta 3 since it is based on
> some additional constraints that I've already added for the next Beta/RC.
>
> Thanks again, Steven
>
> -Tom

Tom

Confirmed, the patch fixes both problems. Thanks.

To get the patch to apply, I had to remove the second ';' from the end of
line 13. Line 25 also has two ';' at the end of the line, is this correct?

------------------------------------------------------------------------

Accounting rule:

    ACCOUNT) - eth0 br0

produces the following error message:

    Unmatched ) in regex; marked by <-- HERE in m/ -[gj] ACCOUNT) <-- HERE
    (\s+-m comment .*)?\s*$/ at /usr/share/shorewall/Shorewall/Chains.pm line 1161.

Steven.
Tom Eastep
2011-Jan-31 23:03 UTC
Re: Shorewall 4.4.17 Beta 3 (includes efficient per-IP accounting)
On 1/31/11 2:49 PM, Steven Jan Springl wrote:
>
> Confirmed, the patch fixes both problems. Thanks.
>
> To get the patch to apply, I had to remove the second ';' from the end of line
> 13.
> Line 25 also has two ';' at the end of the line, is this correct?

No. -- both sets of double ':' were errors.

Thanks, Steven
-Tom
Steven Jan Springl
2011-Jan-31 23:17 UTC
Re: Shorewall 4.4.17 Beta 3 (includes efficient per-IP accounting)
On Monday 31 January 2011 23:03:14 Tom Eastep wrote:
> On 1/31/11 2:49 PM, Steven Jan Springl wrote:
> > Confirmed, the patch fixes both problems. Thanks.
> >
> > To get the patch to apply, I had to remove the second ';' from the end of
> > line 13.
> > Line 25 also has two ';' at the end of the line, is this correct?
>
> No. -- both sets of double ':' were errors.
>
> Thanks, Steven
>
> -Tom

Tom

Did you see the second part of my last email? If not, I have included a
copy below.

Accounting rule:

    ACCOUNT) - eth0 br0

produces the following error message:

    Unmatched ) in regex; marked by <-- HERE in m/ -[gj] ACCOUNT) <-- HERE
    (\s+-m comment .*)?\s*$/ at /usr/share/shorewall/Shorewall/Chains.pm line 1161.

Steven.

_______________________________________________
Shorewall-devel mailing list
Shorewall-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
Tom Eastep
2011-Jan-31 23:43 UTC
Re: Shorewall 4.4.17 Beta 3 (includes efficient per-IP accounting)
On 1/31/11 2:49 PM, Steven Jan Springl wrote:
> On Monday 31 January 2011 21:39:13 Tom Eastep wrote:
>> On 1/31/11 12:40 PM, Steven Jan Springl wrote:
>>>> The following accounting rule:
>>>>
>>>> ACCOUNT() - eth0 br0
>>>>
>>>> produces the following error message from the "Optimizing Ruleset"
>>>> phase:
>>>>
>>>> ERROR: Internal error in Shorewall::Chains::delete_jumps
>>>> at /usr/share/shorewall/Shorewall/Chains.pm line 1169
>>>>

Steven,

That problem is corrected in my tree but, as I mentioned, the patch
won't apply cleanly to your version.

-Tom
Tom Eastep
2011-Jan-31 23:57 UTC
Re: Shorewall 4.4.17 Beta 3 (includes efficient per-IP accounting)
On 1/31/11 3:43 PM, Tom Eastep wrote:
> That problem is corrected in my tree but, as I mentioned, the patch
> won't apply cleanly to your version.
>

Steven,

Please pardon my inaccurate quoting -- the defect I was referring to was
the one where the chain name ended in ')'.

Thanks!
-Tom
Tom Eastep
2011-Feb-01 04:23 UTC
Re: Shorewall 4.4.17 Beta 3 (includes efficient per-IP accounting)
On 1/31/11 3:57 PM, Tom Eastep wrote:
> On 1/31/11 3:43 PM, Tom Eastep wrote:
>
>> That problem is corrected in my tree but, as I mentioned, the patch
>> won't apply cleanly to your version.
>>
>
> Steven,
>
> Please pardon my inaccurate quoting -- the defect I was referring to was
> the one where the chain name ended in ')'.

The commit that you are missing is
ae4d675d0d679a81cd56cae9b8226fdb838c93cf.

Once you have that, you can apply the second hunk of
4e7f656a5b980a11a760f8754c5fdc0cabd09b5e.

-Tom
Steven Jan Springl
2011-Feb-01 22:22 UTC
Re: Shorewall 4.4.17 Beta 3 (includes efficient per-IP accounting)
On Tuesday 01 February 2011 04:23:20 Tom Eastep wrote:
> On 1/31/11 3:57 PM, Tom Eastep wrote:
> > On 1/31/11 3:43 PM, Tom Eastep wrote:
> >> That problem is corrected in my tree but, as I mentioned, the patch
> >> won't apply cleanly to your version.
> >
> > Steven,
> >
> > Please pardon my inaccurate quoting -- the defect I was referring to was
> > the one where the chain name ended in ')'.
>
> The commit that you are missing is
> ae4d675d0d679a81cd56cae9b8226fdb838c93cf.
>
> Once you have that, you can apply the second hunk of
> 4e7f656a5b980a11a760f8754c5fdc0cabd09b5e.
>
> -Tom

Tom

Can you confirm the commit that I am missing is:

    ae4d675d0d679a81cd56cae9b8226fdb838c93cf

as that appears to be a documentation only patch.

Steven.
Tom Eastep
2011-Feb-02 00:17 UTC
Re: Shorewall 4.4.17 Beta 3 (includes efficient per-IP accounting)
On 2/1/11 2:22 PM, Steven Jan Springl wrote:
> Can you confirm the commit that I am missing is:
> ae4d675d0d679a81cd56cae9b8226fdb838c93cf
>
> as that appears to be a documentation only patch.
>

Sorry Steven,

The commit is fbdd4b5ede96b56ff22394f333c0212dfccd7365

-Tom
Steven Jan Springl
2011-Feb-02 21:39 UTC
Re: Shorewall 4.4.17 Beta 3 (includes efficient per-IP accounting)
Tom

If the accounting file contains END followed by any non blank value eg rule:

    END test

The following error message is generated from the 'Optimizing Ruleset' phase:

    ERROR: Internal error in Shorewall::Chains::delete_jumps
    at /usr/share/shorewall/Shorewall/Chains.pm line 1169

Steven.
Steven Jan Springl
2011-Feb-02 22:44 UTC
Re: Shorewall 4.4.17 Beta 3 (includes efficient per-IP accounting)
Tom

If OPTIMIZE_ACCOUNTING=Yes and there is just one rule in the accounting
file eg:

    ACCOUNTING(net2lan,192.168.0.0/24) - eth0 eth1

The following error messages are produced from a shorewall debug start ...

    iptables v1.4.10: Can't use -o with INPUT

    ERROR: Command "/usr/local/sbin/iptables -A INPUT -i eth0 -o eth1 -j
    ACCOUNT --addr 192.168.0.0/24 --tname net2lan" Failed

If the rule is changed to:

    ACCOUNTING(net2lan,192.168.0.0/24) - eth0 -

then the following messages are produced:

    iptables v1.4.10: Can't use -i with OUTPUT

    ERROR: Command "/usr/local/sbin/iptables -A OUTPUT -i eth0 -j ACCOUNT --addr
    192.168.0.0/24 --tname net2lan" Failed

If OPTIMIZE_ACCOUNTING=No or there is more than one rule in the accounting
file eg duplicate the rule, then the error does not occur.

Steven.
Steven Jan Springl
2011-Feb-02 23:05 UTC
Re: Shorewall 4.4.17 Beta 3 (includes efficient per-IP accounting)
Tom

If the accounting file contains two ACCOUNT rules that specify the same
table name but different networks eg

    ACCOUNT(net2lan,192.168.0.0/24) - eth0 eth1
    ACCOUNT(net2lan,10.1.0.0/16) - eth0 eth1

Then a shorewall debug start produces the following error messages:

    iptables: Invalid argument. Run `dmesg' for more information.

    ERROR: Command "/usr/local/sbin/iptables -A accounting -i eth0 -o eth1 -j
    ACCOUNT --addr 10.1.0.0/16 --tname net2lan" Failed

The output from dmesg is:

    [18807.006707] ACCOUNT: Table net2lan found, but IP/netmask mismatch.
    IP/netmask found: 192.168.0.0/255.255.255.0

    [18807.006714] ACCOUNT: Table insert problem. Aborting

Steven.
Tom Eastep
2011-Feb-03 04:45 UTC
Re: Shorewall 4.4.17 Beta 3 (includes efficient per-IP accounting)
On 2/2/11 1:39 PM, Steven Jan Springl wrote:
> If the accounting file contains END followed by any non blank value eg rule:
>
> END test
>
> The following error message is generated from the 'Optimizing Ruleset' phase:
>
> ERROR: Internal error in Shorewall::Chains::delete_jumps
> at /usr/share/shorewall/Shorewall/Chains.pm line 1169

Steven,

Sorry -- I can't reproduce this failure.

-Tom
Tom Eastep
2011-Feb-03 04:58 UTC
Re: Shorewall 4.4.17 Beta 3 (includes efficient per-IP accounting)
On 2/2/11 3:05 PM, Steven Jan Springl wrote:
> Tom
>
> If the accounting file countains two ACCOUNT rules that specify the same table
> name but different networks eg
>
> ACCOUNT(net2lan,192.168.0.0/24) - eth0 eth1
> ACCOUNT(net2lan,10.1.0.0/16) - eth0 eth1
>
> Then a shorewall debug start produces the following error messages:
>
> iptables: Invalid argument. Run `dmesg' for more information.
>
> ERROR: Command "/usr/local/sbin/iptables -A accounting -i eth0 -o eth1 -j
> ACCOUNT --addr 10.1.0.0/16 --tname net2lan" Failed
>
> The output from dmesg is:
>
> [18807.006707] ACCOUNT: Table net2lan found, but IP/netmask mismatch.
> IP/netmask found: 192.168.0.0/255.255.255.0
>
> [18807.006714] ACCOUNT: Table insert problem. Aborting

This is a known restriction. It is related to the issue where changing
the network associated with a table name requires 'stop;start'. I'm
inclined to not do anything about it but I'll think about it.

-Tom
Tom Eastep
2011-Feb-03 05:00 UTC
Re: Shorewall 4.4.17 Beta 3 (includes efficient per-IP accounting)
On 2/2/11 2:44 PM, Steven Jan Springl wrote:
> If OPTIMIZE_ACCOUNTING=Yes and there is just one rule in the accounting file
> eg:
>
> ACCOUNTING(net2lan,192.168.0.0/24) - eth0 eth1
>
> The following error messages are produced from a shorewall debug start ...
>
> iptables v1.4.10: Can't use -o with INPUT
>
> ERROR: Command "/usr/local/sbin/iptables -A INPUT -i eth0 -o eth1 -j
> ACCOUNT --addr 192.168.0.0/24 --tname net2lan" Failed
>
> If the rule is changed to:
>
> ACCOUNTING(net2lan,192.168.0.0/24) - eth0 -
>
> then the following messages are produced:
>
> iptables v1.4.10: Can't use -i with OUTPUT
>
> ERROR: Command "/usr/local/sbin/iptables -A OUTPUT -i eth0 -j ACCOUNT --addr
> 192.168.0.0/24 --tname net2lan" Failed
>
> If OPTIMIZE_ACCOUNTING=No or there is more than one rule in the accounting
> file eg duplicate the rule, then the error does not occur.

Steven,

This is an inconsistency in Netfilter that I don't know what to do about.
I may end up deprecating or even eliminating OPTIMIZE_ACCOUNTING. It's a
rather silly option anyway.

Thanks for your continued testing,
-Tom
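A pre-flight check for the ACCOUNT(...) rules discussed in this thread, added here as an example; it is not part of Shorewall and not one of Tom's patches. It reads an accounting file, rejects the malformed actions Steven reported (ACCOUNT(), ACCOUNT(, ACCOUNT), a missing network), enforces the IPv4 and /8 limits from the announcement, and flags two rules that bind one table name to different networks, which the kernel refuses with the "IP/netmask mismatch" seen in the dmesg output. The column layout (ACTION CHAIN SOURCE DEST), "-" as the default 'accounting' chain, the table-name character set, and the warning about OPTIMIZE_ACCOUNTING=Yes with a single rule are assumptions drawn from the messages above; the rendered iptables command mirrors the form quoted in the error reports.

```python
"""Pre-flight linter for ACCOUNT(...) rules in /etc/shorewall/accounting.
Constructed example, not part of Shorewall.  Assumed layout: whitespace-
separated ACTION CHAIN SOURCE DEST columns, '-' meaning unspecified ('-' in
CHAIN = the 'accounting' chain), table names limited to [A-Za-z0-9_-]."""
import ipaddress
import re
from dataclasses import dataclass

# ACCOUNT(<table>,<network>): two fields, balanced parentheses.  ACCOUNT(),
# ACCOUNT( and ACCOUNT) get a clean error here instead of reaching a regex.
ACCOUNT_RE = re.compile(r"^ACCOUNT\(([^(),\s]+),([^(),\s]+)\)$")
TABLE_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")   # assumed name constraint


@dataclass(frozen=True)
class Finding:
    line_no: int     # 0 = applies to the file as a whole
    level: str       # "ERROR" or "WARNING"
    message: str


def check_action(action):
    """Validate one ACTION value; returns (table, IPv4Network, error or None)."""
    m = ACCOUNT_RE.match(action)
    if not m:
        return None, None, "malformed action %r; expected ACCOUNT(<table>,<network>)" % action
    table, net = m.group(1), m.group(2)
    if not TABLE_NAME_RE.match(table):
        return table, None, "table name %r uses characters outside [A-Za-z0-9_-]" % table
    try:
        network = ipaddress.ip_network(net)   # strict: host bits must be zero
    except ValueError:
        return table, None, "%r is not a valid CIDR network (bad syntax or host bits set)" % net
    if network.version != 4:
        return table, None, "%s rejected: per-IP accounting is IPv4 only" % net
    if network.prefixlen < 8:
        return table, None, "%s is larger than the /8 maximum" % net
    return table, network, None


def _entries(text):
    # Yield (line_no, columns) for each non-blank, non-comment line.
    for line_no, raw in enumerate(text.splitlines(), 1):
        cols = raw.split("#", 1)[0].split()
        if cols:
            yield line_no, cols


def lint_accounting(text, optimize_accounting=False):
    """Return Findings for the contents of an accounting file."""
    findings = []
    tables = {}          # table name -> (network, line where first bound)
    entries = list(_entries(text))
    for line_no, cols in entries:
        if not cols[0].upper().startswith("ACCOUNT"):
            continue     # COUNT, DONE, chain names: not this linter's concern
        table, network, err = check_action(cols[0])
        if err:
            findings.append(Finding(line_no, "ERROR", err))
            continue
        bound = tables.setdefault(table, (network, line_no))
        if bound[0] != network:
            findings.append(Finding(line_no, "ERROR",
                "table %r is already bound to %s on line %d; the kernel refuses a "
                "second network with 'IP/netmask mismatch'" % (table, bound[0], bound[1])))
    if optimize_accounting and len(entries) == 1:
        findings.append(Finding(0, "WARNING",
            "OPTIMIZE_ACCOUNTING=Yes with a single rule: Beta 3 folds it into a "
            "built-in chain, where iptables rejects the -i/-o options (see thread)"))
    return findings


def compile_accounting(text):
    """Render rules that pass lint as iptables commands of the form quoted
    in the thread's error reports (assumed mapping, not Shorewall's code)."""
    bad = {f.line_no for f in lint_accounting(text) if f.level == "ERROR"}
    cmds = []
    for line_no, cols in _entries(text):
        table, network, err = check_action(cols[0])
        if err or line_no in bad:
            continue
        chain, src, dst = (cols[1:4] + ["-"] * 3)[:3]
        args = ["iptables", "-A", "accounting" if chain == "-" else chain]
        if src != "-":
            args += ["-i", src]
        if dst != "-":
            args += ["-o", dst]
        args += ["-j", "ACCOUNT", "--addr", str(network), "--tname", table]
        cmds.append(" ".join(args))
    return cmds


# Constructed sample: the announcement's example plus the rules Steven
# reported; lines 5-10 should each produce exactly one ERROR.
SAMPLE = """#ACTION CHAIN SOURCE DEST
ACCOUNT(net-loc,172.20.1.0/24) - eth0 eth1
ACCOUNT(net-loc,172.20.1.0/24) - eth1 eth0
ACCOUNT(net2lan,192.168.0.0/24) - eth0 eth1
ACCOUNT(net2lan,10.1.0.0/16) - eth0 eth1
ACCOUNT() - eth0 br0
ACCOUNT( - eth0 br0
ACCOUNT) - eth0 br0
ACCOUNT(big,10.0.0.0/7) - eth0 eth1
ACCOUNT(v6,2001:db8::/32) - eth0 eth1
"""
```

Running lint_accounting(SAMPLE) before a "shorewall restart" surfaces the table/network conflict at compile time rather than as an iptables failure halfway through loading the ruleset, which is the point: a half-applied ruleset is a worse state than a refused one.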
Tom Eastep
2011-Feb-03 05:02 UTC
Re: Shorewall 4.4.17 Beta 3 (includes efficient per-IP accounting)
On 2/2/11 8:45 PM, Tom Eastep wrote:
> On 2/2/11 1:39 PM, Steven Jan Springl wrote:
>
>> If the accounting file contains END followed by any non blank value eg rule:
>>
>> END test
>>
>> The following error message is generated from the 'Optimizing Ruleset' phase:
>>
>> ERROR: Internal error in Shorewall::Chains::delete_jumps
>> at /usr/share/shorewall/Shorewall/Chains.pm line 1169
>
> Steven,
>
> Sorry -- I can't reproduce this failure.

Check that -- I have now reproduced it and will take a look.

-Tom
Tom Eastep
2011-Feb-03 17:27 UTC
Re: Shorewall 4.4.17 Beta 3 (includes efficient per-IP accounting)
On 2/2/11 1:39 PM, Steven Jan Springl wrote:
> If the accounting file contains END followed by any non blank value eg rule:
>
> END test
>
> The following error message is generated from the 'Optimizing Ruleset' phase:
>
> ERROR: Internal error in Shorewall::Chains::delete_jumps
> at /usr/share/shorewall/Shorewall/Chains.pm line 1169
>

Steven,

I believe I have fixes for all three reported problems. The attached fixes this one.

Thanks!
-Tom
Tom Eastep
2011-Feb-03 17:28 UTC
Re: Shorewall 4.4.17 Beta 3 (includes efficient per-IP accounting)
On 2/2/11 2:44 PM, Steven Jan Springl wrote:
> Tom
>
> If OPTIMIZE_ACCOUNTING=Yes and there is just one rule in the accounting file
> eg:
>
> ACCOUNTING(net2lan,192.168.0.0/24) - eth0 eth1
>
> The following error messages are produced from a shorewall debug start ...
>
> iptables v1.4.10: Can't use -o with INPUT
>
> ERROR: Command "/usr/local/sbin/iptables -A INPUT -i eth0 -o eth1 -j
> ACCOUNT --addr 192.168.0.0/24 --tname net2lan" Failed
>
> If the rule is changed to:
>
> ACCOUNTING(net2lan,192.168.0.0/24) - eth0 -
>
> then the following messages are produced:
>
> iptables v1.4.10: Can't use -i with OUTPUT
>
> ERROR: Command "/usr/local/sbin/iptables -A OUTPUT -i eth0 -j ACCOUNT --addr
> 192.168.0.0/24 --tname net2lan" Failed
>
> If OPTIMIZE_ACCOUNTING=No or there is more than one rule in the accounting
> file eg duplicate the rule, then the error does not occur.

Patch attached.

-Tom
Tom Eastep
2011-Feb-03 17:28 UTC
Re: Shorewall 4.4.17 Beta 3 (includes efficient per-IP accounting)
On 2/2/11 3:05 PM, Steven Jan Springl wrote:
> If the accounting file countains two ACCOUNT rules that specify the same table
> name but different networks eg
>
> ACCOUNT(net2lan,192.168.0.0/24) - eth0 eth1
> ACCOUNT(net2lan,10.1.0.0/16) - eth0 eth1
>
> Then a shorewall debug start produces the following error messages:
>
> iptables: Invalid argument. Run `dmesg' for more information.
>
> ERROR: Command "/usr/local/sbin/iptables -A accounting -i eth0 -o eth1 -j
> ACCOUNT --addr 10.1.0.0/16 --tname net2lan" Failed
>
> The output from dmesg is:
>
> [18807.006707] ACCOUNT: Table net2lan found, but IP/netmask mismatch.
> IP/netmask found: 192.168.0.0/255.255.255.0
>
> [18807.006714] ACCOUNT: Table insert problem. Aborting

Patch attached.

Thanks again, Steven

-Tom
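The three reports in this thread (END followed by a value, OPTIMIZE_ACCOUNTING=Yes with a single rule, and two ACCOUNT rules binding one table name to different networks) all surface only after the compiled ruleset is handed to iptables and the kernel. The linter below is an added example, not Shorewall's own code or anything from the patches attached here: it reads an accounting file in the ACCOUNT(<table>,<network>) form from the release notes and flags those conditions, plus the /8 and IPv4-only limits from the release notes, before `shorewall start` is attempted. The sample file, the table names and the function name are constructed for this example; only the first two rules mirror the mismatch report quoted above.

```python
"""Lint a Shorewall /etc/shorewall/accounting file for ACCOUNT-target pitfalls.

Added example, not Shorewall's own code. It checks the failure modes reported
in this thread statically, so they are caught before iptables or the kernel
module rejects the rule.
"""
import ipaddress
import re

# ACTION column form from the 4.4.17 release notes: ACCOUNT(<table>,<network>)
ACCOUNT_RE = re.compile(r'^ACCOUNT\(\s*([^,\s]+)\s*,\s*([^)\s]+)\s*\)$')

# Constructed sample accounting file. The first two rules reproduce the
# table/network mismatch reported in the thread; the rest are made up.
SAMPLE = """\
#ACTION                          CHAIN   SOURCE  DEST
ACCOUNT(net2lan,192.168.0.0/24)  -       eth0    eth1
ACCOUNT(net2lan,10.1.0.0/16)     -       eth0    eth1
ACCOUNT(lan2net,192.168.0.0/24)  -       eth1    eth0
ACCOUNT(toobig,10.0.0.0/7)       -       -       -
END test
"""


def lint_accounting(text, optimize_accounting=False):
    """Return a list of (lineno, message) problems found in an accounting file.

    Checks performed:
      * END must not be followed by anything (Beta 3 raised an internal
        error in Shorewall::Chains::delete_jumps).
      * ACCOUNT(table,network) must parse, be IPv4 and be no larger than /8
        (limits stated in the release notes).
      * A table name must always be bound to one network; the kernel module
        refuses a second network ("IP/netmask mismatch ... Aborting").
      * OPTIMIZE_ACCOUNTING=Yes with exactly one ACCOUNT rule tripped the
        INPUT/OUTPUT interface-option defect reported for Beta 3, so it is
        flagged (lineno 0 = file-level problem).
    """
    problems = []
    tables = {}          # table name -> first network bound to it
    account_rules = 0

    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split('#', 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        action = fields[0]

        if action == 'END':
            if len(fields) > 1:
                problems.append((lineno, "END must stand alone, found %r after it"
                                 % ' '.join(fields[1:])))
            break   # END terminates the file; nothing after it is a rule

        m = ACCOUNT_RE.match(action)
        if not m:
            continue   # other accounting actions are outside this linter's scope
        table, net_text = m.groups()
        account_rules += 1

        try:
            net = ipaddress.ip_network(net_text, strict=False)
        except ValueError:
            problems.append((lineno, "ACCOUNT(%s): %r is not a valid network"
                             % (table, net_text)))
            continue
        if net.version != 4:
            problems.append((lineno, "ACCOUNT(%s): IPv6 network %s is not supported"
                             % (table, net)))
            continue
        if net.prefixlen < 8:
            problems.append((lineno, "ACCOUNT(%s): %s is larger than /8"
                             % (table, net)))
            continue

        first = tables.setdefault(table, net)
        if first != net:
            problems.append((lineno, "ACCOUNT(%s): table already bound to %s, "
                             "cannot also use %s" % (table, first, net)))

    if optimize_accounting and account_rules == 1:
        problems.append((0, "OPTIMIZE_ACCOUNTING=Yes with a single ACCOUNT rule "
                            "hit the chain placement defect reported for Beta 3"))
    return problems


if __name__ == '__main__':
    for lineno, msg in lint_accounting(SAMPLE):
        print("line %d: %s" % (lineno, msg))
```

Run against the constructed sample it reports the net2lan mismatch on line 3, the /7 on line 5 and the stray token after END on line 6; point it at a real accounting file and pass `optimize_accounting=True` when shorewall.conf has OPTIMIZE_ACCOUNTING=Yes.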
Steven Jan Springl
2011-Feb-03 21:03 UTC
Re: Shorewall 4.4.17 Beta 3 (includes efficient per-IP accounting)
On Thursday 03 February 2011 17:28:42 Tom Eastep wrote:
>
> Patch attached.
>
> Thanks again, Steven
>
> -Tom

Tom

I can confirm the three patches fix the problems. Thanks.

Steven.

------------------------------------------------------------------------------
The modern datacenter depends on network connectivity to access resources
and provide services. The best practices for maximizing a physical server's
connectivity to a physical network are well understood - see how these
rules translate into the virtual world?
http://p.sf.net/sfu/oracle-sfdevnlfb
Tom Eastep
2011-Feb-03 21:32 UTC
Re: Shorewall 4.4.17 Beta 3 (includes efficient per-IP accounting)
On 2/3/11 1:03 PM, Steven Jan Springl wrote:
> I can confirm the three patches fix the problems. Thanks.
>

Thank you, Steven

-Tom