# /sbin/shorewall version
4.4.18.2
# /sbin/shorewall status
Shorewall-4.4.18.2 Status at ws01 - Tue Apr  5 15:04:10 BST 2011
Shorewall is running
State:Started (Tue Apr  5 14:59:59 BST 2011) from /etc/shorewall/
# /sbin/shorewall show zones
Shorewall 4.4.18.2 Zones at ws01 - Tue Apr  5 15:10:01 BST 2011
fw (firewall)
net (ipv4)
    +:0.0.0.0/0
General status
=============
Shorewall has been working fine, filtering as expected, external ssh and
other connections to workstation working, all functions appear normal,
until I wanted to add a REDIRECT command so that ssh connections could
be made to the machine on tcp port 1234 in addition to the usual port 22
Minimal rules file used in testing REDIRECT
==========================================
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
#
ACCEPT          net             $FW             tcp     22
ACCEPT          net             $FW             tcp     1234
REDIRECT        net             22              tcp     1234
Observed behaviour
=================
1. Compiler (optimiser?) reports error on line 862 of Chains.pm, shown
below:
# /sbin/shorewall restart
Compiling...
(lines omitted for clarity)
Applying Policies...
Generating Rule Matrix...
Optimizing Ruleset...
Can't use an undefined value as an ARRAY reference at
/usr/share/shorewall/Shorewall/Chains.pm line 862.
Restarting Shorewall....
Initializing...
(lines omitted for clarity)
done.
1a. Shorewall starts and functions normally, except REDIRECT does not 
appear to be functional.
2. If in shorewall.conf, change OPTIMIZE=15 to OPTIMIZE=3, error is no 
longer reported, but REDIRECT is still non-functional.
3. chain 'dnat' appears to be orphaned, i.e. 0 references
# /sbin/shorewall show -t nat
Shorewall 4.4.18.2 nat Table at ws01 - Tue Apr  5 15:55:28 BST 2011
Counters reset Tue Apr  5 15:45:45 BST 2011
Chain PREROUTING (policy ACCEPT 295 packets, 32493 bytes)
  pkts bytes target     prot opt in     out     source               destination
Chain POSTROUTING (policy ACCEPT 72 packets, 5387 bytes)
  pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 72 packets, 5387 bytes)
  pkts bytes target     prot opt in     out     source               destination
Chain dnat (0 references)
  pkts bytes target     prot opt in     out     source               destination
     0     0 net_dnat   all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain net_dnat (1 references)
  pkts bytes target     prot opt in     out     source               destination
     0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1234 redir ports 22
4. Other chains ( /sbin/shorewall show ) appear normal, but I can send 
if that would help.
Many thanks,
George
-- 
---------------------------------------------------------------------
  George Cameron	                     Email:     g.cameron@abdn.ac.uk
  School of Medical Sciences
  College of Life Sciences&  Medicine
  University of Aberdeen
  Foresterhill                        Fax:       +44 (0)1224-552514
  Aberdeen AB25 2ZD                   Telephone: +44 (0)1224-553210
  Scotland, UK
------------------------------------------------------------------------------
Xperia(TM) PLAY
It''s a major breakthrough. An authentic gaming
smartphone on the nation''s most reliable network.
And it wants your games.
http://p.sf.net/sfu/verizon-sfdev
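An added check, not from this thread or from the Shorewall project, that answers the question about the 0-reference dnat chain: it parses the 'shorewall show -t nat' layout shown above, follows jumps from the built-in chains, and reports any REDIRECT that sits in a chain no packet can reach. Both sample tables are constructed from the output quoted above (column headers dropped).

```python
"""Reachability check for REDIRECT rules in an iptables nat table, parsed from
the layout printed by 'shorewall show -t nat' (iptables -t nat -L -v -n)."""
import re

BUILTIN = {"PREROUTING", "INPUT", "OUTPUT", "POSTROUTING"}
CHAIN_RE = re.compile(r"^Chain (\S+) \(")

def parse_nat_table(text):
    """Return {chain: [(target, match_text), ...]} in table order."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
        else:
            f = line.split()  # pkts bytes target prot opt in out src dst [match...]
            if current and len(f) >= 9 and f[0].isdigit():
                chains[current].append((f[2], " ".join(f[9:])))
    return chains

def reachable_chains(chains):
    """Chains a packet can enter by following jumps from the built-in chains."""
    seen, todo = set(), [c for c in chains if c in BUILTIN]
    while todo:
        name = todo.pop()
        if name not in seen:
            seen.add(name)
            todo += [t for t, _ in chains[name] if t in chains]
    return seen

def orphaned_chains(chains):
    """User chains holding rules that no built-in chain ever jumps to."""
    return sorted({c for c in chains if chains[c]} - reachable_chains(chains))

def redirect_reachable(chains, dport, to_port):
    """True if a packet can hit a REDIRECT of tcp dport to local port to_port."""
    want = f"dpt:{dport} redir ports {to_port}"
    return any(t == "REDIRECT" and want in m
               for c in reachable_chains(chains) for t, m in chains[c])

# Constructed from the thread: PREROUTING never jumps to dnat, so the REDIRECT is dead.
BROKEN = """\
Chain PREROUTING (policy ACCEPT 295 packets, 32493 bytes)
Chain dnat (0 references)
     0     0 net_dnat   all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain net_dnat (1 references)
     0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1234 redir ports 22
"""
# Constructed: the same table once PREROUTING jumps to dnat, as a working build shows.
FIXED = BROKEN.replace("dnat (0 references)", "dnat (1 references)").replace(
    "bytes)\n", "bytes)\n     3   180 dnat       all  --  *      *       0.0.0.0/0            0.0.0.0/0\n", 1)
```

Feed the real output of 'shorewall show -t nat' to parse_nat_table and call orphaned_chains on the result; an empty list means every installed rule is on a path from a built-in chain.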
On 04/05/2011 07:57 AM, Cameron, George G. wrote:
>
> General status
> =============
> Shorewall has been working fine, filtering as expected, external ssh and
> other connections to workstation working, all functions appear normal,
> until I wanted to add a REDIRECT command so that ssh connections could
> be made to the machine on tcp port 1234 in addition to the usual port 22
>
> Minimal rules file used in testing REDIRECT
> ==========================================
> #SECTION ESTABLISHED
> #SECTION RELATED
> SECTION NEW
> #
> ACCEPT          net             $FW             tcp     22
> ACCEPT          net             $FW             tcp     1234
> REDIRECT        net             22              tcp     1234
>
> Observed behaviour
> =================
> 1. Compiler (optimiser?) reports error on line 862 of Chains.pm, shown
> below:
>
> # /sbin/shorewall restart
> Compiling...
>
> (lines omitted for clarity)
>
> Applying Policies...
> Generating Rule Matrix...
> Optimizing Ruleset...
> Can't use an undefined value as an ARRAY reference at
> /usr/share/shorewall/Shorewall/Chains.pm line 862.
> Restarting Shorewall....
> Initializing...

I'm unable to reproduce this failure and REDIRECT works fine here. Please:

1. shorewall show -f capabilities > /etc/shorewall/caps
2. tar -xf shorewall.tar /etc/shorewall
3. Send me the tarball

Thanks,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Cameron, George G.
2011-Apr-06  08:48 UTC
Re: Shorewall 4.4.18.2 - REDIRECT compiler problem?
Tom,
   1. shorewall.tar.gz attached (including generated caps file) as requested
   2. I noticed that I was still using shorewall.conf from 4.4.18.1, so
      swapped to the new conf file:
         1. now, no error is reported - but this appears to be because
            OPTIMIZE=0 has now been made the default
         2. OPTIMIZE=4 results in the error report as before; other bits
            (e.g. OPTIMIZE=11) do not
         3. however, REDIRECT still does not appear to be working, with
            or without the OPTIMIZE bit that results in the error report
   3. I have some experience with iptables-based firewalls, but would
      not claim to be 'expert'. Is it correct that in 'shorewall show -t
      nat', the dnat chain (which references net_dnat) should show 0
      references?
And of course, many thanks again for taking a look.
George
On 05/04/2011 16:49, Tom Eastep wrote:
> On 04/05/2011 07:57 AM, Cameron, George G. wrote:
>> General status
>> =============
>> Shorewall has been working fine, filtering as expected, external ssh and
>> other connections to workstation working, all functions appear normal,
>> until I wanted to add a REDIRECT command so that ssh connections could
>> be made to the machine on tcp port 1234 in addition to the usual port 22
>>
>> Minimal rules file used in testing REDIRECT
>> ==========================================
>> #SECTION ESTABLISHED
>> #SECTION RELATED
>> SECTION NEW
>> #
>> ACCEPT          net             $FW             tcp     22
>> ACCEPT          net             $FW             tcp     1234
>> REDIRECT        net             22              tcp     1234
>>
>> Observed behaviour
>> =================
>> 1. Compiler (optimiser?) reports error on line 862 of Chains.pm, shown
>> below:
>>
>> # /sbin/shorewall restart
>> Compiling...
>>
>> (lines omitted for clarity)
>>
>> Applying Policies...
>> Generating Rule Matrix...
>> Optimizing Ruleset...
>> Can't use an undefined value as an ARRAY reference at
>> /usr/share/shorewall/Shorewall/Chains.pm line 862.
>> Restarting Shorewall....
>> Initializing...
> I'm unable to reproduce this failure and REDIRECT works fine here.
> Please:
>
> 1. shorewall show -f capabilities > /etc/shorewall/caps
> 2. tar -xf shorewall.tar /etc/shorewall
> 3. Send me the tarball
>
> Thanks,
> -Tom
Steven Jan Springl
2011-Apr-06  11:03 UTC
Re: Shorewall 4.4.18.2 - REDIRECT compiler problem?
On Wednesday 06 April 2011 09:48:42 Cameron, George G. wrote:
> Tom,
>
>    1. shorewall.tar.gz attached (including generated caps file) as requested
>    2. I noticed that I was still using shorewall.conf from 4.4.18.1, so
>       swapped to the new conf file:
>          1. now, no error is reported - but this appears to be because
>             OPTIMIZE=0 has now been made the default
>          2. OPTIMIZE=4 results in the error report as before; other bits
>             (e.g. OPTIMIZE=11) do not
>          3. however, REDIRECT still does not appear to be working, with
>             or without the OPTIMIZE bit that results in the error report
>    3. I have some experience with iptables-based firewalls, but would
>       not claim to be 'expert'. Is it correct that in 'shorewall show -t
>       nat', the dnat chain (which references net_dnat) should show 0
>       references?
>
> And of course, many thanks again for taking a look.
>
> George
>
> On 05/04/2011 16:49, Tom Eastep wrote:

George

I have recreated both problems. They seem to be caused by the parameter
'physical=+' in the interfaces file.

If the parameter is removed or its value changed to a value other than
just '+' the problems do not occur.

Steven.
Cameron, George G.
2011-Apr-06  11:29 UTC
Re: Shorewall 4.4.18.2 - REDIRECT compiler problem?
On 06/04/2011 12:03, Steven Jan Springl wrote:
> On Wednesday 06 April 2011 09:48:42 Cameron, George G. wrote:
>> Tom,
>>
>>    1. shorewall.tar.gz attached (including generated caps file) as requested
>>    2. I noticed that I was still using shorewall.conf from 4.4.18.1, so
>>       swapped to the new conf file:
>>          1. now, no error is reported - but this appears to be because
>>             OPTIMIZE=0 has now been made the default
>>          2. OPTIMIZE=4 results in the error report as before; other bits
>>             (e.g. OPTIMIZE=11) do not
>>          3. however, REDIRECT still does not appear to be working, with
>>             or without the OPTIMIZE bit that results in the error report
>>    3. I have some experience with iptables-based firewalls, but would
>>       not claim to be 'expert'. Is it correct that in 'shorewall show -t
>>       nat', the dnat chain (which references net_dnat) should show 0
>>       references?
>>
>> And of course, many thanks again for taking a look.
>>
>> George
> George
>
> I have recreated both problems. They seem to be caused by the parameter
> 'physical=+' in the interfaces file.
>
> If the parameter is removed or its value changed to a value other than
> just '+' the problems do not occur.

Indeed - so the problem was an error in my configuration after all. That
does indeed fix the problem and my rules now work as expected.

Many thanks for your help!

George

> Steven.
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
Steven Jan Springl
2011-Apr-06  11:45 UTC
Re: Shorewall 4.4.18.2 - REDIRECT compiler problem?
On Wednesday 06 April 2011 12:29:16 Cameron, George G. wrote:
>
> > I have recreated both problems. They seem to be caused by the parameter
> > 'physical=+' in the interfaces file.
> >
> > If the parameter is removed or its value changed to a value other than
> > just '+' the problems do not occur.
>
> Indeed - so the problem was an error in my configuration after all.
>
George

No. This is a bug in the Shorewall compiler that Tom will need to look at.

Steven.
On 4/6/11 4:45 AM, Steven Jan Springl wrote:
>
> No. This is a bug in the Shorewall compiler that Tom will need to look at.

Indeed. Patch attached.

-Tom
Steven Jan Springl
2011-Apr-06  20:36 UTC
Re: Shorewall 4.4.18.2 - REDIRECT compiler problem?
On Wednesday 06 April 2011 15:51:35 Tom Eastep wrote:
> On 4/6/11 4:45 AM, Steven Jan Springl wrote:
> > No. This is a bug in the Shorewall compiler that Tom will need to look
> > at.
>
> Indeed. Patch attached.
>
> -Tom

Tom

The patch fixed the problem resulting in the following error:

Can't use an undefined value as an ARRAY reference at
/usr/share/shorewall/Shorewall/Chains.pm line 862

However the problem that George reported with the unreferenced dnat chain
in the nat table remains.

I will send further details on the devel mailing list.

Steven.