I've found enough issues with RC 1 that I think a second RC is warranted.

Problems Corrected:

1) The TPROXY target in the tcrules file could previously cause a failure
   during iptables restore like this:

      Running /usr/sbin/iptables-restore...
      Bad argument `3128'
      Error occurred at line: 110
      Try `iptables-restore -h' or 'iptables-restore --help' for more information.
         ERROR: iptables-restore Failed. Input is in /var/lib/shorewall/.iptables-restore-input

2) The 'balance' and 'fallback' options in /etc/shorewall/providers have
   always been mutually exclusive but the compiler previously didn't enforce
   that restriction. Now it does.

3) Nested parameterized action invocations now work correctly.

4) The current COMMENT is now saved when an action is invoked, then restored
   after the invoked action has been processed. Previously, the current
   COMMENT was used in the invoked action and then unconditionally cleared.

-Tom

Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
All of the data generated in your IT infrastructure is seriously valuable.
Why? It contains a definitive record of application performance, security
threats, fraudulent activity, and more. Splunk takes this data and makes
sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-d2d-c2
Tom

If Shorewall rules file contains:

allowBcast all all

the following iptables rule is generated:

-A allowBcast -d ff00::/8 -j ACCEPT

which produces the following iptables-restore error:

iptables-restore v1.4.11.1: host/network `ff00::' not found

Steven.
On Jul 3, 2011, at 3:19 PM, Steven Jan Springl wrote:

> If Shorewall rules file contains:
>
> allowBcast all all
>
> the following iptables rule is generated:
>
> -A allowBcast -d ff00::/8 -j ACCEPT
>
> which produces the following iptables-restore error:
>
> iptables-restore v1.4.11.1: host/network `ff00::' not found

Hmm - that's embarrassing.

Patch attached.

Thanks, Steven

-Tom
On Sunday 03 July 2011 23:54:01 Tom Eastep wrote:

> On Jul 3, 2011, at 3:19 PM, Steven Jan Springl wrote:
>
> > If Shorewall rules file contains:
> >
> > allowBcast all all
> >
> > the following iptables rule is generated:
> >
> > -A allowBcast -d ff00::/8 -j ACCEPT
> >
> > which produces the following iptables-restore error:
> >
> > iptables-restore v1.4.11.1: host/network `ff00::' not found
>
> Hmm - that's embarrassing.
>
> Patch attached.
>
> Thanks, Steven
>
> -Tom

Tom

Confirmed, the patch has fixed the issue. Thanks.

Steven.
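The failure Steven reports is an IPv6 prefix (ff00::/8) emitted into an IPv4 ruleset. iptables-restore stops at the first argument it cannot parse, so one such line fails the whole restore, and Shorewall reports the error with the offending input left in /var/lib/shorewall/.iptables-restore-input. What follows is an added example, not Shorewall code and not the patch from this thread: a stand-alone POSIX sh/awk check that scans iptables-restore input and reports every -s/-d argument whose literal address is of the wrong family for the ruleset. The sample input is constructed for the example (modelled on the allowBcast rule above) and the function and variable names are the example's own, not Shorewall's.

```sh
#!/bin/sh
# Added example: flag address-family mismatches in iptables-restore input.
# Not part of Shorewall; the function, variable and sample names are this
# example's own.

# Constructed sample, modelled on the rule from the thread: an IPv4 allowBcast
# chain into which an IPv6 multicast prefix (ff00::/8) has been emitted.
SAMPLE_RESTORE_INPUT='*filter
:allowBcast - [0:0]
-A allowBcast -d 255.255.255.255 -j ACCEPT
-A allowBcast -d 224.0.0.0/4 -j ACCEPT
-A allowBcast -d ff00::/8 -j ACCEPT
COMMIT'

# check_rule_families FAMILY < restore-input
# FAMILY is 4 or 6. Prints "LINE: ADDRESS" for every -s/-d (or --source/
# --destination) argument whose literal address belongs to the other family.
# Handles the "-d ! addr" negated form and comma-separated address lists.
# Hostnames are skipped: iptables resolves them, so they cannot be classified
# here. Exit status is 1 if any mismatch was found, 0 otherwise.
check_rule_families() {
    awk -v want="$1" '
        /^-[AI] / {
            for (i = 2; i <= NF; i++) {
                if ($i != "-s" && $i != "--source" && $i != "-d" && $i != "--destination")
                    continue
                arg = $(i + 1)
                if (arg == "!") arg = $(i + 2)      # "-d ! addr" negated form
                n = split(arg, list, ",")           # -s/-d accept comma-separated lists
                for (j = 1; j <= n; j++) {
                    split(list[j], parts, "/")      # drop any /prefix or /netmask
                    addr = parts[1]
                    if (index(addr, ":") > 0)
                        fam = 6
                    else if (addr ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/)
                        fam = 4
                    else
                        fam = 0                     # hostname or unknown: skip
                    if (fam != 0 && fam != want) {
                        print NR ": " list[j]
                        bad = 1
                    }
                }
            }
        }
        END { exit bad ? 1 : 0 }'
}

# Stand-alone use:
#   sh thisfile.sh 4 < /var/lib/shorewall/.iptables-restore-input
#   sh thisfile.sh --demo      (runs the check over the constructed sample)
case "${1:-}" in
    4|6)    check_rule_families "$1" ;;
    --demo) printf '%s\n' "$SAMPLE_RESTORE_INPUT" | check_rule_families 4 ;;
esac
```

On the constructed sample the check reports line 5 (ff00::/8) for an IPv4 ruleset and lines 3 and 4 for an IPv6 one. It is a lint pass over the generated file, not a replacement for letting iptables-restore parse it; where the installed iptables-restore supports --test, running that on the same input is the authoritative check.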
On Jul 3, 2011, at 4:17 PM, Steven Jan Springl wrote:

> Confirmed, the patch has fixed the issue. Thanks.

Thanks, Steven

-Tom
Tom

Using kernel 2.6.39, iptables 1.4.11.1 and xtables-addons 1.37 (selecting build_ipset6).

On a system where shorewall6 has not been started.

If the shorewall interfaces file contains:

lan eth0 - nets=dynamic

then the following error message is produced:

ERROR: Dynamic nets require Ipset Match in your kernel and iptables : /etc/shorewallA/interfaces (line 11)

"shorewall show -f capabilities | grep IPSET" shows the following:

IPSET_MATCH=
OLD_IPSET_MATCH=
IPSET_V5=Yes

If I start shorewall6 then start shorewall, the problem doesn't occur. In this case the output from "shorewall show -f capabilities | grep IPSET" shows:

IPSET_MATCH=Yes
OLD_IPSET_MATCH=
IPSET_V5=Yes

Comparing the output from lsmod before and after shorewall6 is started shows xt_set is loaded by shorewall6 and not by shorewall.

Steven.
On Jul 4, 2011, at 10:12 AM, Steven Jan Springl wrote:

> Using kernel 2.6.39, iptables 1.4.11.1 and
> xtables-addons 1.37 (selecting build_ipset6).
>
> On a system where shorewall6 has not been started.
>
> If the shorewall interfaces file contains:
>
> lan eth0 - nets=dynamic
>
> then the following error message is produced:
>
> ERROR: Dynamic nets require Ipset Match in your kernel and
> iptables : /etc/shorewallA/interfaces (line 11)
>
> "shorewall show -f capabilities | grep IPSET" shows the following:
>
> IPSET_MATCH=
> OLD_IPSET_MATCH=
> IPSET_V5=Yes
>
> If I start shorewall6 then start shorewall, the problem doesn't occur. In this
> case the output from "shorewall show -f capabilities | grep IPSET" shows:
>
> IPSET_MATCH=Yes
> OLD_IPSET_MATCH=
> IPSET_V5=Yes
>
> Comparing the output from lsmod before and after shorewall6 is started shows
> xt_set is loaded by shorewall6 and not by shorewall.

Thanks, Steven

What is the setting of LOAD_HELPERS_ONLY in both products?

-Tom
On Monday 04 July 2011 23:56:12 Tom Eastep wrote:

> What is the setting of LOAD_HELPERS_ONLY in both products?
>
> -Tom

Tom

LOAD_HELPERS_ONLY is set to 'Yes' in both products.

Steven.
On Jul 4, 2011, at 4:03 PM, Steven Jan Springl wrote:

> On Monday 04 July 2011 23:56:12 Tom Eastep wrote:
>
>> What is the setting of LOAD_HELPERS_ONLY in both products?
>>
>> -Tom
>
> LOAD_HELPERS_ONLY is set to 'Yes' in both products.

Steven,

I think you should report this to the netfilter team. With LOAD_HELPERS_ONLY=Yes, neither Shorewall nor Shorewall6 loads xt_set explicitly. I've added a modules.ipset file to Shorewall6 and I've added xt_set to both such files. That change will be included in RC3.

-Tom
On Tuesday 05 July 2011 00:18:02 Tom Eastep wrote:

> Steven,
>
> I think you should report this to the netfilter team. With
> LOAD_HELPERS_ONLY=Yes, neither Shorewall nor Shorewall6 loads xt_set
> explicitly. I've added a modules.ipset file to Shorewall6 and I've added
> xt_set to both such files. That change will be included in RC3.
>
> -Tom

Tom

Whilst getting information to report the issue, I have been looking at lib.cli.

shorewall/lib.cli contains:

    if [ -n "$have_ipset" ]; then
        if qt $IPTABLES -A $chain -m set --match-set $chain src -j ACCEPT; then
            qt $IPTABLES -D $chain -m set --match-set $chain src -j ACCEPT
            IPSET_MATCH=Yes
        elif qt $IPTABLES -A $chain -m set --set $chain src -j ACCEPT; then
            qt $IPTABLES -D $chain -m set --set $chain src -j ACCEPT
            IPSET_MATCH=Yes
            OLD_IPSET_MATCH=Yes
        fi
        qt ipset -X $chain
    fi

shorewall6/lib.cli contains:

    if qt ipset -N $chain hash:ip family inet6; then
        IPSET_V5=Yes
        if qt $IP6TABLES -A $chain -m set --set $chain src -j ACCEPT; then
            qt $IP6TABLES -D $chain -m set --set $chain src -j ACCEPT
            IPSET_MATCH=Yes
        elif qt $IP6TABLES -A $chain -m set --set $chain src -j ACCEPT; then
            qt $IP6TABLES -D $chain -m set --set $chain src -j ACCEPT
            IPSET_MATCH=Yes
            OLD_IPSET_MATCH=Yes
        fi
        qt ipset -X $chain
    fi

shorewall/lib.cli tries "-m set --match-set" then "-m set --set" but shorewall6/lib.cli tries "-m set --set" twice. Is this correct?

Steven.
On Tue, 2011-07-05 at 15:41 +0100, Steven Jan Springl wrote:

> Whilst getting information to report the issue, I have been looking at
> lib.cli.
>
> shorewall/lib.cli contains:
>
>     if [ -n "$have_ipset" ]; then
>         if qt $IPTABLES -A $chain -m set --match-set $chain src -j ACCEPT; then
>             qt $IPTABLES -D $chain -m set --match-set $chain src -j ACCEPT
>             IPSET_MATCH=Yes
>         elif qt $IPTABLES -A $chain -m set --set $chain src -j ACCEPT; then
>             qt $IPTABLES -D $chain -m set --set $chain src -j ACCEPT
>             IPSET_MATCH=Yes
>             OLD_IPSET_MATCH=Yes
>         fi
>         qt ipset -X $chain
>     fi
>
> shorewall6/lib.cli contains:
>
>     if qt ipset -N $chain hash:ip family inet6; then
>         IPSET_V5=Yes
>         if qt $IP6TABLES -A $chain -m set --set $chain src -j ACCEPT; then
>             qt $IP6TABLES -D $chain -m set --set $chain src -j ACCEPT
>             IPSET_MATCH=Yes
>         elif qt $IP6TABLES -A $chain -m set --set $chain src -j ACCEPT; then
>             qt $IP6TABLES -D $chain -m set --set $chain src -j ACCEPT
>             IPSET_MATCH=Yes
>             OLD_IPSET_MATCH=Yes
>         fi
>         qt ipset -X $chain
>     fi
>
> shorewall/lib.cli tries "-m set --match-set" then "-m set --set" but
> shorewall6/lib.cli tries "-m set --set" twice.
> Is this correct?

No, although it probably isn't an observable defect since I don't believe that ip6tables has ever supported only the old syntax. At any rate, the attached patch should implement the correct behavior.

-Tom
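Two points from this thread fit into one probe. The capability check has to try the newer "-m set --match-set" syntax before falling back to "-m set --set", which is what Steven's comparison of the two lib.cli excerpts is about; and, as the earlier exchange about LOAD_HELPERS_ONLY=Yes shows, the probe only succeeds if xt_set is actually loaded, which nothing guarantees on a host where no ruleset has referenced the match yet. The following is an added example, not lib.cli and not Tom's patch: a stand-alone sh probe that creates a scratch set and chain, tries both syntaxes, loads xt_set explicitly and retries when both fail, and cleans up. The command variables IPTABLES, IPSET and MODPROBE, the scratch name fwprobe and the function names are the example's own assumptions; the ipset command form (-N NAME hash:ip family ...) is the v5/v6-style syntax used in the excerpts above, so the probe does not cover pre-v5 ipset. Against the real tools it needs root.

```sh
#!/bin/sh
# Added example: probe which "-m set" syntax the running iptables accepts and
# whether the xt_set match is loaded at all. Not Shorewall's lib.cli; the
# command variables and the fwprobe scratch names are this example's own.
# Needs root and an ipset with v5/v6-style syntax when run against the real tools.

IPTABLES=${IPTABLES:-iptables}    # ip6tables for the IPv6 probe
IPSET=${IPSET:-ipset}
MODPROBE=${MODPROBE:-modprobe}

qt() { "$@" >/dev/null 2>&1; }

# try_set_match CHAIN: append and remove a rule against CHAIN with each syntax.
# Prints "new" (--match-set), "old" (--set) or "none" (neither accepted).
# The newer syntax is tried first, which is the ordering the IPv6 excerpt lacked.
try_set_match() {
    chain=$1
    if qt $IPTABLES -A "$chain" -m set --match-set "$chain" src -j ACCEPT; then
        qt $IPTABLES -D "$chain" -m set --match-set "$chain" src -j ACCEPT || :
        echo new
    elif qt $IPTABLES -A "$chain" -m set --set "$chain" src -j ACCEPT; then
        qt $IPTABLES -D "$chain" -m set --set "$chain" src -j ACCEPT || :
        echo old
    else
        echo none
    fi
}

# detect_ipset_match [inet|inet6]
# Creates a scratch set and chain both named fwprobe, probes, and prints
# "new", "old" or "none". If both syntaxes fail, xt_set is loaded explicitly
# (the kernel does not autoload it merely because the set exists, which is the
# situation reported earlier in the thread) and the probe is repeated once.
# The scratch objects are removed whatever the outcome.
detect_ipset_match() {
    family=${1:-inet}
    chain=fwprobe
    result=none
    if qt $IPSET -N "$chain" hash:ip family "$family" && qt $IPTABLES -N "$chain"; then
        result=$(try_set_match "$chain")
        if [ "$result" = none ] && qt $MODPROBE xt_set; then
            result=$(try_set_match "$chain")
        fi
        qt $IPTABLES -X "$chain" || :
        qt $IPSET -X "$chain" || :
    fi
    echo "$result"
}

# Stand-alone use (as root):
#   sh thisfile.sh --probe inet
#   IPTABLES=ip6tables sh thisfile.sh --probe inet6
case "${1:-}" in
    --probe) detect_ipset_match "${2:-inet}" ;;
esac
```

The explicit modprobe is the manual counterpart of listing xt_set in modules.ipset, which is what Tom says RC3 does; without it, a probe run on a host where nothing has yet loaded the module reports "none" even though the kernel and iptables both support the match, exactly the IPSET_MATCH= result Steven saw.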
On Tuesday 05 July 2011 15:52:39 Tom Eastep wrote:

> No, although it probably isn't an observable defect since I don't
> believe that ip6tables has ever supported only the old syntax. At any
> rate, the attached patch should implement the correct behavior.
>
> -Tom

Patch applied thanks. I have reported the original issue to the netfilter team.

Steven.