Hi Tom,

A while ago I was trying to get tproxy working with shorewall6 - at the time I had to put it on the back burner owing to the iptables version dependency.

I have since put in a new router, with recent kernel and iptables, so I have now got it working for real, and it works well - thanks.

One niggle I did encounter was in specifying address as the third argument to TPROXY in tcrules6 - the colons in ipv6 addresses seem to cause problems. I avoided the problem by specifying it as localhost rather than ::1. I don't know if there's a way of writing the address that is supported.

Thanks for the great work!

Dominic

------------------------------------------------------------------------------
All of the data generated in your IT infrastructure is seriously valuable.
Why? It contains a definitive record of application performance, security
threats, fraudulent activity, and more. Splunk takes this data and makes
sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-d2d-c2
On Jul 6, 2011, at 4:35 PM, Dominic Benson wrote:

> I have since put in a new router, with recent kernel and iptables, so I have now got it working for real, and it works well - thanks.
>
> One niggle I did encounter was in specifying address as the third argument to TPROXY in tcrules6 - the colons in ipv6 addresses seem to cause problems. I avoided the problem by specifying it as localhost rather than ::1. I don't know if there's a way of writing the address that is supported.
>

Thanks, Dominic

I must be having a brain cramp because I don't recall ever documenting 3 arguments to TPROXY. In fact, because I couldn't test TPROXY, I didn't even add any documentation to the man pages. Where did you read about a third argument?

Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On Thu, 7 Jul 2011, Dominic Benson wrote:

> Date: Wed, 6 Jul 2011 16:35:51
> From: Dominic Benson <dominic@lenny.cus.org>
> Reply-To: Shorewall Users <shorewall-users@lists.sourceforge.net>
> To: Shorewall Users <shorewall-users@lists.sourceforge.net>
> Subject: [Shorewall-users] Tproxy with Shorewall6
>
> Hi Tom,
>
> A while ago I was trying to get tproxy working with shorewall6 - at the time I had to put it on the back burner owing to the iptables version dependency.
>
> I have since put in a new router, with recent kernel and iptables, so I have now got it working for real, and it works well - thanks.
>
> One niggle I did encounter was in specifying address as the third argument to TPROXY in tcrules6 - the colons in ipv6 addresses seem to cause problems. I avoided the problem by specifying it as localhost rather than ::1. I don't know if there's a way of writing the address that is supported.
>
> Thanks for the great work!
>
> Dominic

I don't know about TPROXY in particular, but in most places in shorewall6, you can enclose the IPv6 addresses (including prefix length) in angle brackets, like so (all mine are in hosts so far, so these are with interfaces):

eth0:<2001:470:1::/64,fe80::/10>

Note that multiple entries are enclosed in one set of brackets, rather than one pair of brackets per address range.

-- 
J. Randall Owens | http://www.ghiapet.net/
ProofReading Markup Language | http://prml.sourceforge.net/
On Jul 6, 2011, at 5:17 PM, J. Randall Owens wrote:

> I don't know about TPROXY in particular, but in most places in shorewall6,
> you can enclose the IPv6 addresses (including prefix length) in angle
> brackets, like so (all mine are in hosts so far, so these are with
> interfaces):
> eth0:<2001:470:1::/64,fe80::/10>
>
> Note that multiple entries are enclosed in one set of brackets, rather
> than one pair of brackets per address range.

Please also note that <...> is deprecated in favor of the more standard [...].

-Tom

Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On 7 Jul 2011, at 01:22, Tom Eastep wrote:

> On Jul 6, 2011, at 5:17 PM, J. Randall Owens wrote:
>>
>> I don't know about TPROXY in particular, but in most places in shorewall6,
>> you can enclose the IPv6 addresses (including prefix length) in angle
>> brackets, like so (all mine are in hosts so far, so these are with
>> interfaces):
>> eth0:<2001:470:1::/64,fe80::/10>
>>
>> Note that multiple entries are enclosed in one set of brackets, rather
>> than one pair of brackets per address range.
>
> Please also note that <...> is deprecated in favor of the more standard [...].
>
> -Tom

Hi Tom,

It's on this page:
http://docs.huihoo.com/shorewall/4.4/manpages6/shorewall6-tcrules.html

I'm almost sure I originally saw it on shorewall.net, but I certainly don't now. Or even in the shorewall-tcrules page - in fact neither of them seem (currently) to make any mention of TPROXY, although
http://www.shorewall.net/Shorewall_Squid_Usage.html#TPROXY
does.

I tried the suggestions about encapsulating the address in square or angle brackets, but I still get the error; I've included it below to be sure we're on the same page.

It certainly *seems* to be working; the local squid is only listening on [::1]:3128 and 127.0.0.1:3128, and if I understand correctly the default would be to use the original source interface. Also, if I remove the interface option it stops working.

Dominic

Jul 7 8:35:59 Compiling /etc/shorewall6/tcrules...
Jul 7 08:35:59 ERROR: Invalid MARK (TPROXY(10,3128,[::1])) : /etc/shorewall6/tcrules (line 4)
ERROR: Invalid MARK (TPROXY(10,3128,[::1])) : /etc/shorewall6/tcrules (line 4)

Jul 7 8:37:14 Compiling /etc/shorewall6/tcrules...
Jul 7 08:37:14 ERROR: Invalid MARK (TPROXY(10,3128,<::1>)) : /etc/shorewall6/tcrules (line 4)
ERROR: Invalid MARK (TPROXY(10,3128,<::1>)) : /etc/shorewall6/tcrules (line 4)

Jul 7 8:37:40 Compiling /etc/shorewall6/tcrules...
Jul 7 08:37:40 ERROR: Invalid MARK (TPROXY(10,3128,::1)) : /etc/shorewall6/tcrules (line 4)
ERROR: Invalid MARK (TPROXY(10,3128,::1)) : /etc/shorewall6/tcrules (line 4)
On Thu, 7 Jul 2011, Dominic Benson wrote:

> Date: Thu, 7 Jul 2011 00:58:44
> From: Dominic Benson <dominic@lenny.cus.org>
> To: Shorewall Users <shorewall-users@lists.sourceforge.net>
>
> On 7 Jul 2011, at 01:22, Tom Eastep wrote:
>
>> On Jul 6, 2011, at 5:17 PM, J. Randall Owens wrote:
>>>
>>> I don't know about TPROXY in particular, but in most places in shorewall6,
>>> you can enclose the IPv6 addresses (including prefix length) in angle
>>> brackets, like so (all mine are in hosts so far, so these are with
>>> interfaces):
>>> eth0:<2001:470:1::/64,fe80::/10>
>>>
>>> Note that multiple entries are enclosed in one set of brackets, rather
>>> than one pair of brackets per address range.
>>
>> Please also note that <...> is deprecated in favor of the more standard [...].
>>
>
> Hi Tom,
>
> It's on this page:
> http://docs.huihoo.com/shorewall/4.4/manpages6/shorewall6-tcrules.html
>
> I'm almost sure I originally saw it on shorewall.net, but I certainly don't now. Or even in the shorewall-tcrules page - in fact neither of them seem (currently) to make any mention of TPROXY, although
> http://www.shorewall.net/Shorewall_Squid_Usage.html#TPROXY
> does.
>
> I tried the suggestions about encapsulating the address in square or angle brackets, but I still get the error; I've included it below to be sure we're on the same page.
>
> It certainly *seems* to be working; the local squid is only listening on [::1]:3128 and 127.0.0.1:3128, and if I understand correctly the default would be to use the original source interface. Also, if I remove the interface option it stops working.
>
> Dominic
>
> Jul 7 8:35:59 Compiling /etc/shorewall6/tcrules...
> Jul 7 08:35:59 ERROR: Invalid MARK (TPROXY(10,3128,[::1])) : /etc/shorewall6/tcrules (line 4)
> ERROR: Invalid MARK (TPROXY(10,3128,[::1])) : /etc/shorewall6/tcrules (line 4)
>
>
> Jul 7 8:37:14 Compiling /etc/shorewall6/tcrules...
> Jul 7 08:37:14 ERROR: Invalid MARK (TPROXY(10,3128,<::1>)) : /etc/shorewall6/tcrules (line 4)
> ERROR: Invalid MARK (TPROXY(10,3128,<::1>)) : /etc/shorewall6/tcrules (line 4)
>
>
> Jul 7 8:37:40 Compiling /etc/shorewall6/tcrules...
> Jul 7 08:37:40 ERROR: Invalid MARK (TPROXY(10,3128,::1)) : /etc/shorewall6/tcrules (line 4)
> ERROR: Invalid MARK (TPROXY(10,3128,::1)) : /etc/shorewall6/tcrules (line 4)
>

I don't think you've shown us the actual tcrules line 4, have you? Does it start with "TPROXY(10,3128,::1)" (give or take some brackets) shown in the error message? I don't see anything on the Shorewall Squid page about putting an address in the parentheses; it looks like address(es) belong in the third and optionally second columns.

If that is where you have the [::1], then we'd need to figure out why it's getting lumped in there when it's sent to process_tc_rule or wherever.

-- 
J. Randall Owens | http://www.ghiapet.net/
ProofReading Markup Language | http://prml.sourceforge.net/
On Thu, 7 Jul 2011, J. Randall Owens wrote:

> Date: Thu, 7 Jul 2011 04:02:37
> From: J. Randall Owens <jrowens.sourceforge@ghiapet.net>
> To: Shorewall Users <shorewall-users@lists.sourceforge.net>
>
> I don't think you've shown us the actual tcrules line 4, have you? Does
> it start with "TPROXY(10,3128,::1)" (give or take some brackets) shown in
> the error message? I don't see anything on the Shorewall Squid page about
> putting an address in the parentheses; it looks like address(es) belong in
> the third and optionally second columns.
>
> If that is where you have the [::1], then we'd need to figure out why it's
> getting lumped in there when it's sent to process_tc_rule or wherever.

I take that back now. While it's not on that page, I see where Tc.pm has a place for picking out an IP address as a third parameter. In that case, I'd say that process_tc_rule is messing up at line 206/208, where it checks $originalmark to make sure splitting it on colons doesn't produce three or more fields, which was safe with the old MARK values which never had addresses, either IPv4 or IPv6, but might have a colon in there before the [CFPTI] values. And when it finds three (though the second is that empty non-space between the colons), it spits out that error message.

(And this time, Tom, I'm looking at a git checkout, not an ancient 4.4.17. ;)

-- 
J. Randall Owens | http://www.ghiapet.net/
ProofReading Markup Language | http://prml.sourceforge.net/
On Thu, 2011-07-07 at 04:22 -0700, J. Randall Owens wrote:

> I take that back now. While it's not on that page, I see where Tc.pm has
> a place for picking out an IP address as a third parameter. In that case,
> I'd say that process_tc_rule is messing up at line 206/208, where it
> checks $originalmark to make sure splitting it on colons doesn't produce
> three or more fields, which was safe with the old MARK values which never
> had addresses, either IPv4 or IPv6, but might have a colon in there
> before the [CFPTI] values. And when it finds three (though the second is
> that empty non-space between the colons), it spits out that error message.
>
> (And this time, Tom, I'm looking at a git checkout, not an ancient 4.4.17.
> ;)

:-)

Attached is a patch which allows an IPv6 address in the third parameter. Enclosing the address in [...] or <...> is optional.

Now for the manpages.

-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
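Added illustration (not code from Tc.pm or from Tom's patch, which is not reproduced in this thread): a small Python model of the failure Randall diagnoses above, where a MARK column value is split on ':' to count fields before the TPROXY(...) argument list is looked at, so an IPv6 literal such as ::1 yields three fields and is rejected as "Invalid MARK". The parenthesis-aware parser beside it accepts the address bare, in [...] or in <...>, which is the behaviour Tom's message describes for the patch. The sample values, the DESIGNATORS tuple (the [CFPTI] letters Randall mentions) and the exact field layout TPROXY(mark,port[,address]) are assumptions made for this example.

```python
import ipaddress
import re

# Constructed sample MARK-column values in the form the thread discusses
# (illustrations only, not lines taken from anyone's tcrules file).
SAMPLES = [
    "TPROXY(10,3128,::1)",        # bare IPv6 address, as first tried
    "TPROXY(10,3128,[::1])",      # square brackets, the form Tom prefers
    "TPROXY(10,3128,<::1>)",      # angle brackets, deprecated but accepted
    "TPROXY(10,3128,127.0.0.1)",  # IPv4 address: no colons, so never hit the bug
    "TPROXY(10,3128)",            # address omitted entirely
    "1:F",                        # classic mark value with a chain designator
]

# Assumed designator letters; the thread refers to them as [CFPTI].
DESIGNATORS = ("C", "F", "P", "T", "I")


def naive_accepts(mark: str) -> bool:
    """Mimic the check Randall describes: split the whole MARK column on ':'
    and reject it when that yields three or more fields. Fine for '1:F',
    wrong for anything that carries an IPv6 literal."""
    return len(mark.split(":")) < 3


def split_designator(mark: str):
    """Separate an optional trailing ':C'/':F'/... designator from the value.
    Only the last colon is considered, and only when what follows it is a
    designator letter, so colons inside TPROXY(...) are never touched."""
    head, sep, tail = mark.rpartition(":")
    if sep and tail in DESIGNATORS:
        return head, tail
    return mark, None


TPROXY_RE = re.compile(
    r"^TPROXY\((?P<mark>[^,()]+),(?P<port>\d+)(?:,(?P<addr>[^()]+))?\)$"
)


def parse_tproxy(mark: str):
    """Parenthesis-aware parser for TPROXY(mark,port[,address]).
    Returns None when the value is not a TPROXY mark at all and raises
    ValueError when an address is present but invalid. Brackets around the
    address are optional: [addr] and <addr> are both accepted and stripped."""
    value, designator = split_designator(mark)
    m = TPROXY_RE.match(value)
    if not m:
        return None
    addr = m.group("addr")
    if addr is not None:
        if len(addr) >= 2 and (addr[0], addr[-1]) in (("[", "]"), ("<", ">")):
            addr = addr[1:-1]
        # ipaddress validates IPv4 and IPv6 literals alike; garbage raises ValueError
        addr = str(ipaddress.ip_address(addr))
    return {
        "mark": int(m.group("mark"), 0),  # base 0 so 0x-prefixed values also parse
        "port": int(m.group("port")),
        "address": addr,
        "designator": designator,
    }


def compare(samples=SAMPLES):
    """Map each sample to (accepted by the naive colon count?, address
    recovered by the parenthesis-aware parser, or None)."""
    result = {}
    for s in samples:
        parsed = parse_tproxy(s)
        result[s] = (naive_accepts(s), parsed["address"] if parsed else None)
    return result


if __name__ == "__main__":
    for sample, (naive_ok, addr) in compare().items():
        verdict = "ok" if naive_ok else "Invalid MARK"
        print(f"{sample:28} naive check: {verdict:13} parsed address: {addr}")
```

Running the block shows the three ::1 variants rejected by the colon count but parsed cleanly by parse_tproxy, while the IPv4 form and the plain 1:F value pass both. The design point is the order of operations: strip any trailing designator from the end of the column first, then parse the parenthesised argument list, and only validate the address once it has been isolated.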
On 07/07/11 14:39, Tom Eastep wrote:

> On Thu, 2011-07-07 at 04:22 -0700, J. Randall Owens wrote:
>
>> I take that back now. While it's not on that page, I see where Tc.pm has
>> a place for picking out an IP address as a third parameter. In that case,
>> I'd say that process_tc_rule is messing up at line 206/208, where it
>> checks $originalmark to make sure splitting it on colons doesn't produce
>> three or more fields, which was safe with the old MARK values which never
>> had addresses, either IPv4 or IPv6, but might have a colon in there
>> before the [CFPTI] values. And when it finds three (though the second is
>> that empty non-space between the colons), it spits out that error message.
>>
>> (And this time, Tom, I'm looking at a git checkout, not an ancient 4.4.17.
>> ;)
> :-)
>
> Attached is a patch which allows an IPv6 address in the third parameter.
> Enclosing the address in [...] or <...> is optional.
>
> Now for the manpages.
>
> -Tom

Great, that works perfectly!

Dominic
On Thu, 7 Jul 2011, Tom Eastep wrote:

> Date: Thu, 7 Jul 2011 06:39:41
> From: Tom Eastep <teastep@shorewall.net>
> To: Shorewall Users <shorewall-users@lists.sourceforge.net>
> Subject: Re: [Shorewall-users] Tproxy with Shorewall6
>
> On Thu, 2011-07-07 at 04:22 -0700, J. Randall Owens wrote:
>
>> I take that back now. While it's not on that page, I see where Tc.pm has
>> a place for picking out an IP address as a third parameter. In that case,
>> I'd say that process_tc_rule is messing up at line 206/208, where it
>> checks $originalmark to make sure splitting it on colons doesn't produce
>> three or more fields, which was safe with the old MARK values which never
>> had addresses, either IPv4 or IPv6, but might have a colon in there
>> before the [CFPTI] values. And when it finds three (though the second is
>> that empty non-space between the colons), it spits out that error message.
>>
>> (And this time, Tom, I'm looking at a git checkout, not an ancient 4.4.17.
>> ;)
> :-)
>
> Attached is a patch which allows an IPv6 address in the third parameter.
> Enclosing the address in [...] or <...> is optional.
>
> Now for the manpages.

Pardon me if I'm wrong, but in line 208, haven't you inverted the significance of the empty string comparison, by switching if to unless and not adding a '!'? Granted, it will still have the same outcome when it gets to the if/then $originalmark comparison and doesn't match. The sense of the logical operator is inverted also; the '||' should have been changed to a '&&' (otherwise, the empty string comparison will only ever be checked if $mark is undefined, in which case it's hardly going to be equal, and may throw an error depending on strictness). Easiest thing might be to just chop everything there after the defined check, and let the following $originalmark match catch it.

-- 
J. Randall Owens | http://www.ghiapet.net/
ProofReading Markup Language | http://prml.sourceforge.net/
On Thu, 2011-07-07 at 14:59 +0100, Dominic Benson wrote:

> On 07/07/11 14:39, Tom Eastep wrote:
> >
> > Attached is a patch which allows an IPv6 address in the third parameter.
> > Enclosing the address in [...] or <...> is optional.
> >
>
> Great, that works perfectly!
>

Thanks for confirming, Dominic -- and thanks for testing this feature.

-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On Thu, 2011-07-07 at 14:32 -0700, J. Randall Owens wrote:

> Pardon me if I'm wrong, but in line 208, haven't you inverted the
> significance of the empty string comparison, by switching if to unless and
> not adding a '!'? Granted, it will still have the same outcome when it
> gets to the if/then $originalmark comparison and doesn't match. The sense
> of the logical operator is inverted also; the '||' should have been
> changed to a '&&' (otherwise, the empty string comparison will only ever
> be checked if $mark is undefined, in which case it's hardly going to be
> equal, and may throw an error depending on strictness).

You are absolutely correct. Add-on patch attached.

-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________