RC 2 is now available for testing (Early RC1 testing on a RedHat-based system with dynamic provider gateways uncovered a couple of debilitating defects in the enable/disable logic).

Thank you for testing,
-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Tom

In the attached config. secmarks contains:

RESTORE O:ER - eth0 udp 53

When the following commands are issued:

shorewall start /etc/shorewallT6
shorewall safe-restart /etc/shorewallT6

then reply 'n' when prompted.

The following iptables rule is generated in .safe-iptables:

-A OUTPUT -o eth0 -p udp -m udp --dport 53 -m conntrack --ctstate RELATED,ESTABLISHED -j CONNSECMARK--restore

which produces the following error message:

iptables-restore v1.4.12.1: Couldn't load target `CONNSECMARK--restore':No such file or directory

Steven.

On Sep 2, 2011, at 4:08 PM, Steven Jan Springl wrote:

> Tom
>
> In the attached config. secmarks contains:
>
> RESTORE O:ER - eth0 udp 53
>
> When the following commands are issued:
>
> shorewall start /etc/shorewallT6
> shorewall safe-restart /etc/shorewallT6
>
> then reply 'n' when prompted.
>
> The following iptables rule is generated in .safe-iptables:
>
> -A OUTPUT -o eth0 -p udp -m udp --dport 53 -m conntrack --ctstate
> RELATED,ESTABLISHED -j CONNSECMARK--restore
>
> which produces the following error message:
>
> iptables-restore v1.4.12.1: Couldn't load target `CONNSECMARK--restore':No
> such file or directory

Steven,

I suspect that is an iptables 1.4.12.x bug. Please start the configuration and then do an 'iptables -S'; do you see the string "CONNSECMARK--restore" in the output?

-Tom

On Saturday 03 September 2011 00:56:54 Tom Eastep wrote:

> On Sep 2, 2011, at 4:08 PM, Steven Jan Springl wrote:
> > Tom
> >
> > In the attached config. secmarks contains:
> >
> > RESTORE O:ER - eth0 udp 53
> >
> > When the following commands are issued:
> >
> > shorewall start /etc/shorewallT6
> > shorewall safe-restart /etc/shorewallT6
> >
> > then reply 'n' when prompted.
> >
> > The following iptables rule is generated in .safe-iptables:
> >
> > -A OUTPUT -o eth0 -p udp -m udp --dport 53 -m conntrack --ctstate
> > RELATED,ESTABLISHED -j CONNSECMARK--restore
> >
> > which produces the following error message:
> >
> > iptables-restore v1.4.12.1: Couldn't load target
> > `CONNSECMARK--restore':No such file or directory
>
> Steven,
>
> I suspect that is an iptables 1.4.12.x bug. Please start the configuration
> and then do an 'iptables -S'; do you see the string "CONNSECMARK--restore"
> in the output?
>
> -Tom

Tom

If I issue 'iptables -t mangle -S' then I see the above string.

Steven

On Sep 2, 2011, at 4:56 PM, Tom Eastep wrote:

> On Sep 2, 2011, at 4:08 PM, Steven Jan Springl wrote:
>> In the attached config. secmarks contains:
>>
>> RESTORE O:ER - eth0 udp 53
>>
>> When the following commands are issued:
>>
>> shorewall start /etc/shorewallT6
>> shorewall safe-restart /etc/shorewallT6
>>
>> then reply 'n' when prompted.
>>
>> The following iptables rule is generated in .safe-iptables:
>>
>> -A OUTPUT -o eth0 -p udp -m udp --dport 53 -m conntrack --ctstate
>> RELATED,ESTABLISHED -j CONNSECMARK--restore
>>
>> which produces the following error message:
>>
>> iptables-restore v1.4.12.1: Couldn't load target `CONNSECMARK--restore':No
>> such file or directory
>
> Steven,
>
> I suspect that is an iptables 1.4.12.x bug. Please start the configuration and then do an 'iptables -S'; do you see the string "CONNSECMARK--restore" in the output?

Please try this iptables patch.

Thanks,
-Tom

On Saturday 03 September 2011 01:10:35 Tom Eastep wrote:

> On Sep 2, 2011, at 4:56 PM, Tom Eastep wrote:
> > On Sep 2, 2011, at 4:08 PM, Steven Jan Springl wrote:
> >> In the attached config. secmarks contains:
> >>
> >> RESTORE O:ER - eth0 udp 53
> >>
> >> When the following commands are issued:
> >>
> >> shorewall start /etc/shorewallT6
> >> shorewall safe-restart /etc/shorewallT6
> >>
> >> then reply 'n' when prompted.
> >>
> >> The following iptables rule is generated in .safe-iptables:
> >>
> >> -A OUTPUT -o eth0 -p udp -m udp --dport 53 -m conntrack --ctstate
> >> RELATED,ESTABLISHED -j CONNSECMARK--restore
> >>
> >> which produces the following error message:
> >>
> >> iptables-restore v1.4.12.1: Couldn't load target
> >> `CONNSECMARK--restore':No such file or directory
> >
> > Steven,
> >
> > I suspect that is an iptables 1.4.12.x bug. Please start the
> > configuration and then do an 'iptables -S'; do you see the string
> > "CONNSECMARK--restore" in the output?
>
> Please try this iptables patch.
>
> Thanks,
> -Tom

Tom

That's fixed the issue.

Thanks.

Steven.

On Sep 2, 2011, at 5:27 PM, Steven Jan Springl wrote:

>
> That's fixed the issue.

Thanks, Steven

I'll post a patch to netfilter-devel tomorrow.

-Tom

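The malformed rule in this exchange, a target name with its option fused on (`-j CONNSECMARK--restore`), can be spotted in a saved ruleset before it is handed to iptables-restore. The following is an added example, not part of the original messages and not Shorewall or iptables code; the function names `find_fused_targets` and `sample_rules` and the second sample rule are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag jump targets with an option fused onto the name,
# as in "-j CONNSECMARK--restore", in iptables-save style text on stdin.
# Heuristic: a chain name that itself contains "--" would also be flagged.
find_fused_targets() {
    awk '
        /^\*/ { table = substr($0, 2); next }   # "*mangle" opens a table section
        /^-A / {
            for (i = 1; i < NF; i++) {
                if (($i == "-j" || $i == "-g") && $(i + 1) ~ /^[A-Za-z0-9_]+--/) {
                    fused = $(i + 1)
                    cut = index(fused, "--")
                    # line number, table ("?" if unknown), fused token, suggested split
                    printf "%d:%s:%s -> %s %s\n", NR, (table == "" ? "?" : table),
                           fused, substr(fused, 1, cut - 1), substr(fused, cut)
                }
            }
        }
    '
}

# Constructed sample: the first rule is the one quoted in the thread,
# the second is a made-up well-formed rule for contrast.
sample_rules() {
    cat <<'EOF'
*mangle
:OUTPUT ACCEPT [0:0]
-A OUTPUT -o eth0 -p udp -m udp --dport 53 -m conntrack --ctstate RELATED,ESTABLISHED -j CONNSECMARK--restore
-A OUTPUT -o eth0 -p tcp -m tcp --dport 22 -j CONNSECMARK --save
COMMIT
EOF
}

sample_rules | find_fused_targets
```

Output of `iptables -t mangle -S` can be piped in the same way; without a `*table` header line the table field is reported as `?`.
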
Tom

Using the attached minimal config.

Issuing 'shorewall6 start' works.

Issuing 'shorewall6 debug start' produces the following error messages:

ip6tables: Bad built-in chain name.
ERROR: Command "/usr/local/sbin/ip6tables :POSTROUTING ACCEPT [0:0]" Failed

Steven.

On Sep 3, 2011, at 12:56 PM, Steven Jan Springl wrote:

> Using the attached minimal config.
>
> Issuing 'shorewall6 start' works.
>
> Issuing 'shorewall6 debug start' produces the following error messages:
>
> ip6tables: Bad built-in chain name.
> ERROR: Command "/usr/local/sbin/ip6tables :POSTROUTING ACCEPT [0:0]" Failed

Patch attached.

Thanks, Steven

-Tom

On Saturday 03 September 2011 21:51:44 Tom Eastep wrote:

> On Sep 3, 2011, at 12:56 PM, Steven Jan Springl wrote:
> > Using the attached minimal config.
> >
> > Issuing 'shorewall6 start' works.
> >
> > Issuing 'shorewall6 debug start' produces the following error messages:
> >
> > ip6tables: Bad built-in chain name.
> > ERROR: Command "/usr/local/sbin/ip6tables :POSTROUTING ACCEPT [0:0]"
> > Failed
>
> Patch attached.
>
> Thanks, Steven
>
> -Tom

Tom

Confirmed, the patch has fixed the problem.

Thanks.

Steven.

On Sep 3, 2011, at 2:14 PM, Steven Jan Springl wrote:

>
> Confirmed, the patch has fixed the problem.
>

Thanks, Steven

-Tom