Shorewall 4.4.22 Beta 1 is now available for testing.

----------------------------------------------------------------------------
I.  P R O B L E M S   C O R R E C T E D   I N   T H I S   R E L E A S E
----------------------------------------------------------------------------

1) In 4.4.21, a harmless 'undefined variable' Perl diagnostic was issued
   when the compiler was displaying the iptables/kernel capabilities.

----------------------------------------------------------------------------
I I.  K N O W N   P R O B L E M S   R E M A I N I N G
----------------------------------------------------------------------------

1) On systems running Upstart, shorewall-init cannot reliably secure the
   firewall before interfaces are brought up.

----------------------------------------------------------------------------
I I I.  N E W   F E A T U R E S   I N   T H I S   R E L E A S E
----------------------------------------------------------------------------

1) Three new parameterized standard actions are included in this release.

   Invalid   - Packets in the INVALID connection tracking state
   Broadcast - Broadcast and Multicast Packets
   NotSyn    - TCP packets that have the SYN flag set and all other flags
               reset.

   The standard default Drop and Reject actions have been modified to use
   these new actions.

   Each accepts two parameters:

   a) Action to perform on matching packets.
   b) 'audit' flag. If 'audit', then the action will be audited.

   The new actions deprecate the following built-in actions:

   allowBcast    - use Broadcast(ACCEPT)
   allowInvalid  - use Invalid(ACCEPT)
   dropInvalid   - use Invalid(DROP)
   dropBroadcast - use Broadcast(DROP)
   dropNotSyn    - use NotSyn(DROP)
   rejNotSyn     - use NotSyn(REJECT)

2) Up to this point, the Perl-based compiler has stored rules internally in
   iptables/ip6tables command strings. This has made optimizing the
   ruleset difficult and has made the optimizer the most defect-dense part
   of the code.

   This release marks the first step toward converting the compiler to use
   an internal rule representation that is easier to optimize and that is
   easy to convert to iptables/ip6tables commands efficiently. The parser
   still generates iptables/ip6tables rules which are then converted into
   the internal form.

   This last change has a chance of de-stabilizing the compiler, so I will
   very much appreciate all of the testing that you can give it.

Thanks for testing,
-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
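The announcement above describes moving the compiler from iptables command strings to an internal rule representation that is optimized and then serialized back to iptables commands. The following is an added example of that idea in Python; it is not Shorewall's Perl code, and the Rule class, the KNOWN_MATCHES and TERMINATING sets, and the function names are assumptions made for the illustration. It also shows why a structured form rules out the two string-handling defects reported later in this thread (a bare `-m cmd` and `192.168.0.4--persistent`): each option is a separate token and each match module is checked before anything is emitted.

```python
import shlex
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Match extensions this example accepts after "-m". An assumption for the
# illustration, not Shorewall's or iptables' full list; the stray "cmd" from
# the thread is rejected by this check.
KNOWN_MATCHES = {"conntrack", "state", "tcp", "udp", "multiport", "comment",
                 "addrtype", "pkttype"}

# Targets after which no later rule in the same chain can be reached by a
# packet that matched (assumption: only the common terminating targets).
TERMINATING = {"ACCEPT", "DROP", "REJECT", "RETURN", "SNAT", "DNAT",
               "MASQUERADE"}

Opt = Tuple[str, Optional[str]]  # ("--dport", "22") or ("--persistent", None)


@dataclass
class Rule:
    """Internal form of one '-A CHAIN ... -j TARGET ...' rule."""
    chain: str
    matches: List[Opt] = field(default_factory=list)
    target: Optional[str] = None
    target_opts: List[Opt] = field(default_factory=list)

    def is_unconditional(self) -> bool:
        """True when the rule matches every packet that reaches it."""
        return not self.matches

    def to_iptables(self) -> str:
        """Serialize to one iptables-restore line; options and values are
        separate tokens, so "<addr>--persistent" cannot be produced."""
        tokens = ["-A", self.chain]
        for opt, val in self.matches:
            tokens.append(opt)
            if val is not None:
                tokens.append(val)
        if self.target is not None:
            tokens += ["-j", self.target]
            for opt, val in self.target_opts:
                tokens.append(opt)
                if val is not None:
                    tokens.append(val)
        return " ".join(shlex.quote(t) for t in tokens)


def _pair_options(tokens: List[str]) -> List[Opt]:
    """Group a flat token list into (option, value) pairs; flags get None.
    Negated matches ("! -s ...") are not handled in this example."""
    opts: List[Opt] = []
    i = 0
    while i < len(tokens):
        opt = tokens[i]
        if not opt.startswith("-"):
            raise ValueError(f"expected an option, got {opt!r}")
        val = None
        if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
            val = tokens[i + 1]
            i += 1
        if opt == "-m" and (val is None or val not in KNOWN_MATCHES):
            raise ValueError(f"unknown or missing match module after -m: {val!r}")
        opts.append((opt, val))
        i += 1
    return opts


def parse_rule(line: str) -> Rule:
    """Convert the iptables text the parser still emits into the internal form."""
    tokens = shlex.split(line)
    if len(tokens) < 2 or tokens[0] != "-A":
        raise ValueError(f"not an append rule: {line!r}")
    body, target, target_tokens = tokens[2:], None, []
    if "-j" in body:
        j = body.index("-j")
        if j + 1 >= len(body):
            raise ValueError("-j without a target")
        target, target_tokens, body = body[j + 1], body[j + 2:], body[:j]
    return Rule(tokens[1], _pair_options(body), target, _pair_options(target_tokens))


def is_valid_rule(line: str) -> bool:
    """Pre-load check: True if the line converts cleanly to the internal form."""
    try:
        parse_rule(line)
        return True
    except ValueError:
        return False


def drop_unreachable(rules: List[Rule]) -> List[Rule]:
    """Optimization pass on the internal form: remove rules that follow an
    unconditional terminating rule in the same chain (no packet reaches them)."""
    closed, kept = set(), []
    for r in rules:
        if r.chain in closed:
            continue
        kept.append(r)
        if r.is_unconditional() and r.target in TERMINATING:
            closed.add(r.chain)
    return kept


if __name__ == "__main__":
    # The two lines are taken from the bug reports in this thread.
    for line in ["-A br0_masq -m cmd",
                 "-A POSTROUTING -s 192.168.0.4 -o eth0 -j SNAT"
                 " --to-source 192.168.0.4 --persistent"]:
        print(f"{'ok ' if is_valid_rule(line) else 'BAD'} {line}")
```

The `drop_unreachable` pass is one instance of the kind of optimization that is awkward on raw command strings but simple on the structured form, since the chain name, the match list and the target are separate fields rather than substrings.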
Tom

Rule:

Broadcast(ACCEPT):NFLOG all all all

produces the following error message:

ERROR: ERROR: Internal error in Shorewall::Chains::transform_rule
at /usr/share/shorewall/Shorewall/Chains.pm line 592 :
/usr/share/shorewall/action.Broadcast (line 71)

Steven.
On 7/17/11 2:50 PM, Steven Jan Springl wrote:
> Rule:
>
> Broadcast(ACCEPT):NFLOG all all all
>
> produces the following error message:
>
> ERROR: ERROR: Internal error in Shorewall::Chains::transform_rule
> at /usr/share/shorewall/Shorewall/Chains.pm line
> 592 : /usr/share/shorewall/action.Broadcast (line 71)
>

Steven,

The attached patch seems to correct it.

Thanks,
-Tom
On Sunday 17 July 2011 23:30:16 Tom Eastep wrote:
> On 7/17/11 2:50 PM, Steven Jan Springl wrote:
> > Rule:
> >
> > Broadcast(ACCEPT):NFLOG all all all
> >
> > produces the following error message:
> >
> > ERROR: ERROR: Internal error in Shorewall::Chains::transform_rule
> > at /usr/share/shorewall/Shorewall/Chains.pm line
> > 592 : /usr/share/shorewall/action.Broadcast (line 71)
>
> Steven,
>
> The attached patch seems to correct it.
>
> Thanks,
> -Tom

Tom

Confirmed. That's fixed it. Thanks.

Steven.
On 7/17/11 3:51 PM, Steven Jan Springl wrote:
> Confirmed. That's fixed it. Thanks.

Thanks, Steven

-Tom
Tom

The attached config produces the following messages in the
"Generating Rule Matrix..." section:

Use of uninitialized value in string eq at /usr/share/shorewall/Shorewall/Chains.pm line 1619.

Use of uninitialized value in string eq at /usr/share/shorewall/Shorewall/Chains.pm line 2098.

Steven.
Tom

In the attached minimal config, the entry in the masq file generates the
following iptables rule in the nat table:

-A br0_masq -m cmd

This produces the following error message:

iptables-restore v1.4.11.1: Couldn't load match `cmd':No such file or directory

Steven.
On Mon, 2011-07-18 at 20:43 +0100, Steven Jan Springl wrote:
> In the attached minimal config, the entry in the masq file generates the
> following iptables rule in the nat table:
>
> -A br0_masq -m cmd
>
> This produces the following error message:
>
> iptables-restore v1.4.11.1: Couldn't load match `cmd':No such file or
> directory

Thanks, Steven

I ran into that one myself and corrected it as part of a patch that
doesn't apply cleanly to Beta 1. I'll build and upload Beta 2 shortly.

-Tom
On Mon, 2011-07-18 at 13:55 -0700, Tom Eastep wrote:
> On Mon, 2011-07-18 at 20:43 +0100, Steven Jan Springl wrote:
>
> > In the attached minimal config, the entry in the masq file generates the
> > following iptables rule in the nat table:
> >
> > -A br0_masq -m cmd
> >
> > This produces the following error message:
> >
> > iptables-restore v1.4.11.1: Couldn't load match `cmd':No such file or
> > directory
>
> Thanks, Steven
>
> I ran into that one myself and corrected it as part of a patch that
> doesn't apply cleanly to Beta 1. I'll build and upload Beta 2 shortly.

Hmmm -- I see that I actually committed that fix as a separate patch which
does apply (with offset) to Beta 1.

Patch attached.

Thanks,
-Tom
On Monday 18 July 2011 22:03:42 Tom Eastep wrote:
> On Mon, 2011-07-18 at 13:55 -0700, Tom Eastep wrote:
> > On Mon, 2011-07-18 at 20:43 +0100, Steven Jan Springl wrote:
> > > In the attached minimal config, the entry in the masq file generates
> > > the following iptables rule in the nat table:
> > >
> > > -A br0_masq -m cmd
> > >
> > > This produces the following error message:
> > >
> > > iptables-restore v1.4.11.1: Couldn't load match `cmd':No such file or
> > > directory
> >
> > Thanks, Steven
> >
> > I ran into that one myself and corrected it as part of a patch that
> > doesn't apply cleanly to Beta 1. I'll build and upload Beta 2 shortly.
>
> Hmmm -- I see that I actually committed that fix as a separate patch
> which does apply (with offset) to Beta 1.
>
> Patch attached.
>
> Thanks,
> -Tom

Tom

Confirmed. The patch works. Thanks.

Steven.
On Mon, 2011-07-18 at 22:20 +0100, Steven Jan Springl wrote:
> > Hmmm -- I see that I actually committed that fix as a separate patch
> > which does apply (with offset) to Beta 1.
> >
> > Patch attached.
> >
> > Thanks,
> > -Tom
>
> Confirmed. The patch works. Thanks.

Thanks, Steven

-Tom
Tom

In the attached minimal config, the entry in the masq file generates the
following iptables rule in the nat table:

-A POSTROUTING -s 192.168.0.4 -o eth0 -j SNAT --to-source 192.168.0.4--persistent

This produces the following error message:

iptables-restore v1.4.11.1: Bad IP address "-persistent"

Steven.
On Mon, 2011-07-18 at 22:36 +0100, Steven Jan Springl wrote:
> In the attached minimal config, the entry in the masq file generates the
> following iptables rule in the nat table:
>
> -A POSTROUTING -s 192.168.0.4 -o eth0 -j SNAT --to-source
> 192.168.0.4--persistent
>
> This produces the following error message:
>
> iptables-restore v1.4.11.1: Bad IP address "-persistent"

Steven

This has apparently been broken for some time -- the attached patch applies
cleanly to 4.4.21, 4.4.22-Beta1 and 4.4.22-Beta2 (which has now been
uploaded).

Thanks,
-Tom
On Monday 18 July 2011 23:40:29 Tom Eastep wrote:
> On Mon, 2011-07-18 at 22:36 +0100, Steven Jan Springl wrote:
> > In the attached minimal config, the entry in the masq file generates the
> > following iptables rule in the nat table:
> >
> > -A POSTROUTING -s 192.168.0.4 -o eth0 -j SNAT --to-source
> > 192.168.0.4--persistent
> >
> > This produces the following error message:
> >
> > iptables-restore v1.4.11.1: Bad IP address "-persistent"
>
> Steven
>
> This has apparently been broken for some time -- the attached patch
> applies cleanly to 4.4.21, 4.4.22-Beta1 and 4.4.22-Beta2 (which has now
> been uploaded).
>
> Thanks,
> -Tom

Tom

Confirmed. The patch has fixed the problem. Thanks.

Steven.
On Mon, 2011-07-18 at 23:52 +0100, Steven Jan Springl wrote:
> Confirmed. The patch has fixed the problem.
> Thanks.

Thanks, Steven

-Tom
On Monday 18 July 2011 00:34:00 Steven Jan Springl wrote:
> Tom
>
> The attached config produces the following messages in the
> "Generating Rule Matrix..." section:
>
> Use of uninitialized value in string eq
> at /usr/share/shorewall/Shorewall/Chains.pm line 1619.
>
> Use of uninitialized value in string eq
> at /usr/share/shorewall/Shorewall/Chains.pm line 2098.
>
> Steven.

Tom

Have you had an opportunity to look at this issue yet?

Steven.
On 7/18/11 4:05 PM, Steven Jan Springl wrote:
> On Monday 18 July 2011 00:34:00 Steven Jan Springl wrote:
>> Tom
>>
>> The attached config produces the following messages in the
>> "Generating Rule Matrix..." section:
>>
>> Use of uninitialized value in string eq
>> at /usr/share/shorewall/Shorewall/Chains.pm line 1619.
>>
>> Use of uninitialized value in string eq
>> at /usr/share/shorewall/Shorewall/Chains.pm line 2098.
>>
>> Steven.
>
> Tom
>
> Have you had an opportunity to look at this issue yet?
>

Steven,

This seems to be fixed in Beta 2.

Thanks,
-Tom