RC 1 is now available for testing from the main site (http://www1.shorewall.net/pub/shorewall/development/4.4/shorewall-4.4.26-RC1 and ftp://ftp1.shorewall.net/pub/shorewall/development/4.4/shorewall-4.4.26-RC1). It will be available at the other download sites shortly.

This release includes all new functionality planned for 4.4.26.

New Feature included in RC 1

1) This release introduces optimization category 16. When this category is enabled, sequences of 'compatible' rules are combined into a single rule. A sequence of rules is considered compatible if the rules differ only in their destination ports and comments. A sequence of compatible rules is often generated when macros are invoked in sequence.

   The ability to combine adjacent rules is limited by two factors:

   - Destination port lists may only be combined up to a maximum of 15 ports, where a port-pair counts as two ports.

   - Rules may only be combined until the length of their concatenated comments reaches 255 characters.

   When either of these limits would be exceeded, the current combined rule is emitted and the compiler attempts to combine rules beginning with the one that would have exceeded the limit.

   Adjacent combined comments are separated by ', '. Empty comments at the front of a group of combined comments are replaced by 'Others and'. Empty comments at the end of a group of combined comments are replaced by 'and others'.

   Example 1: Rules with comments "FOO", <empty> and "BAR" would result in the combined comment "FOO and others, BAR".

   Example 2: Rules with comments <empty>, "FOO" and "BAR" would result in the combined comment "Others and FOO, BAR".

   Note: Optimize level 16 requires "Extended Multi-port Match" in your iptables and kernel.

Thank you for testing,
-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
Tom

In the attached config. with OPTIMIZE=16 the following tcrules entry:

SAME fw 1.0.0.0 tcp 153 :15,3

generates the following iptables rule:

-A setsticko -p 6 -d 1.0.0.0 -m mark --mark 0/0xff -m recent --name sticky001 --rdest --remove -m mark --mark 0x3 -m recent --name sticky001 --rdest --set -m multiport --sports ,0:15,3 -m multiport --dports ,153,,153 -m recent --name sticky001 --rdest --update --seconds 300 -j MARK --set-mark 0x3

which produces the following iptables-restore error:

iptables-restore v1.4.12.1: invalid port/service `'' specified

Steven.
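As an added illustration (not Shorewall's own Perl compiler code), the following Python models the optimization-16 combiner described in the RC1 announcement, with its 15-port and 255-character limits and its 'Others and' / 'and others' comment conventions, and adds a small checker for the kind of malformed multiport argument shown in the bug report above (`,0:15,3`, `,153,,153`), so that an empty list element is caught before iptables-restore rejects the whole ruleset. The Rule layout, the function names, and the treatment of consecutive empty comments (a single 'and others') are my assumptions, not taken from the announcement.

```python
"""Model of the Shorewall 4.4.26 optimization-16 rule combiner plus a
multiport argument checker.  Added illustration, not Shorewall's own code;
the Rule layout, function names and handling of consecutive empty
comments are assumptions."""

from dataclasses import dataclass, field
from typing import List, Set

# Limits quoted from the RC1 announcement.
MAX_PORTS = 15        # a port-pair a:b counts as two ports
MAX_COMMENT = 255     # length of the concatenated comment


@dataclass
class Rule:
    """One compiled rule, split into the parts the combiner cares about (assumed layout)."""
    match: str                  # everything except ports and comment, e.g. "-A net-fw -p tcp"
    target: str                 # e.g. "ACCEPT"
    dports: List[str] = field(default_factory=list)   # e.g. ["22", "80:90"]
    comment: str = ""


def port_count(ports: List[str]) -> int:
    """Count ports the way the announcement does: a range a:b counts as two."""
    return sum(2 if ":" in p else 1 for p in ports)


def join_comments(comments: List[str]) -> str:
    """', ' between entries; a leading empty comment becomes 'Others and',
    an empty comment after a real one appends 'and others'."""
    parts: List[str] = []
    leading_empty = False
    for c in comments:
        if c:
            parts.append("Others and " + c if leading_empty else c)
            leading_empty = False
        elif parts:
            if not parts[-1].endswith(" and others"):   # assumption: a run of empties counts once
                parts[-1] += " and others"
        else:
            leading_empty = True
    return ", ".join(parts)


def fits(group: List[Rule], rule: Rule) -> bool:
    """Would adding `rule` to `group` keep both limits and stay compatible?"""
    if group[0].match != rule.match or group[0].target != rule.target:
        return False
    ports = [p for r in group for p in r.dports] + rule.dports
    if port_count(ports) > MAX_PORTS:
        return False
    comment = join_comments([r.comment for r in group] + [rule.comment])
    return len(comment) <= MAX_COMMENT


def merge(group: List[Rule]) -> Rule:
    return Rule(group[0].match, group[0].target,
                [p for r in group for p in r.dports],
                join_comments([r.comment for r in group]))


def combine(rules: List[Rule]) -> List[Rule]:
    """Greedy pass: extend the current group while the next rule fits, otherwise
    emit the group and restart at the rule that would have exceeded a limit."""
    out: List[Rule] = []
    group: List[Rule] = []
    for rule in rules:
        if group and fits(group, rule):
            group.append(rule)
        else:
            if group:
                out.append(merge(group))
            group = [rule]
    if group:
        out.append(merge(group))
    return out


def render(rule: Rule) -> str:
    """Emit iptables-restore syntax for a (possibly combined) rule."""
    text = rule.match
    if len(rule.dports) == 1 and ":" not in rule.dports[0]:
        text += " --dport " + rule.dports[0]
    elif rule.dports:
        text += " -m multiport --dports " + ",".join(rule.dports)
    if rule.comment:
        text += ' -m comment --comment "%s"' % rule.comment
    return text + " -j " + rule.target


def port_list_problems(spec: str) -> List[str]:
    """Check a --dports/--sports argument before iptables-restore sees it."""
    problems: List[str] = []
    items = spec.split(",")
    if "" in items:   # the ',0:15,3' / ',153,,153' case from the bug report
        problems.append("empty element (iptables-restore: invalid port/service `'')")
    seen: Set[str] = set()
    for item in (i for i in items if i):
        if item in seen:
            problems.append("duplicate entry %s" % item)
        seen.add(item)
        ends = item.split(":")
        if len(ends) > 2 or not all(e.isdigit() and int(e) <= 65535 for e in ends):
            problems.append("bad port spec %s" % item)
    if port_count([i for i in items if i]) > MAX_PORTS:
        problems.append("more than %d ports" % MAX_PORTS)
    return problems


if __name__ == "__main__":
    m = "-A net-fw -p tcp"   # constructed sample rules
    for r in combine([Rule(m, "ACCEPT", ["22"], "FOO"), Rule(m, "ACCEPT", ["80"]),
                      Rule(m, "ACCEPT", ["443"], "BAR")]):
        print(render(r))
    for bad in (",0:15,3", ",153,,153"):
        print(bad, "->", port_list_problems(bad))
```

Running the module prints one combined rule for the three sample entries (comment "FOO and others, BAR") and flags both port lists from the bug report as containing an empty element; the checker is the kind of pre-flight test that would have turned the iptables-restore failure into a compile-time diagnostic.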
On Nov 25, 2011, at 1:15 PM, Steven Jan Springl wrote:

> In the attached config. with OPTIMIZE=16 the following tcrules entry:
>
> SAME fw 1.0.0.0 tcp 153 :15,3
>
> generates the following iptables rule:
>
> -A setsticko -p 6 -d 1.0.0.0 -m mark --mark 0/0xff -m recent --name sticky001 --rdest --remove -m mark --mark 0x3 -m recent --name sticky001 --rdest --set -m multiport --sports ,0:15,3 -m multiport --dports ,153,,153 -m recent --name sticky001 --rdest --update --seconds 300 -j MARK --set-mark 0x3
>
> which produces the following iptables-restore error:
>
> iptables-restore v1.4.12.1: invalid port/service `'' specified

Steven,

The patch I created didn't apply cleanly to RC1. Here's a new Chains.pm.

Thanks,
-Tom
On Nov 25, 2011, at 4:33 PM, Steven Jan Springl wrote:

> Patch applied. No problems to report.

Thanks, Steven

-Tom
On Fri, 2011-11-25 at 18:47 -0800, Tom Eastep wrote:

> On Nov 25, 2011, at 4:33 PM, Steven Jan Springl wrote:
>
> > Patch applied. No problems to report.

The fact that there were duplicate consecutive rules in the 'sticko' chain troubled me, so I investigated that this morning and found that Shorewall 4.4.22 broke the SAME target. The attached patch restores its functionality. I've added Steven's latest test case to the regression library to ensure that SAME isn't broken again in the future.

-Tom