RC 1 is now available for testing from the main site
(http://www1.shorewall.net/pub/shorewall/development/4.4/shorewall-4.4.26-RC1
and
ftp://ftp1.shorewall.net/pub/shorewall/development/4.4/shorewall-4.4.26-RC1). It
will be available at the other download sites shortly. This release includes all
new functionality planned for 4.4.26.
New Feature included in RC 1
1) This release introduces optimization category 16. When this category is enabled, sequences of 'compatible' rules are combined into a single rule.

A sequence of rules is considered compatible if the rules differ only in their destination ports and comments.

A sequence of compatible rules is often generated when macros are invoked in sequence.

The ability to combine adjacent rules is limited by two factors:

- Destination port lists may only be combined up to a maximum of 15 ports, where a port-pair counts as two ports.

- Rules may only be combined until the length of their concatenated comments reaches 255 characters.

When either of these limits would be exceeded, the current combined rule is emitted and the compiler attempts to combine rules beginning with the one that would have exceeded the limit.

Adjacent combined comments are separated by ', '. Empty comments at the front of a group of combined comments are replaced by 'Others and'. Empty comments at the end of a group of combined comments are replaced by 'and others'.

Example 1: Rules with comments "FOO", <empty> and "BAR" would result in the combined comment "FOO and others, BAR".

Example 2: Rules with comments <empty>, "FOO" and "BAR" would result in the combined comment "Others and FOO, BAR".

Note: Optimize level 16 requires "Extended Multi-port Match" in your iptables and kernel.
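The following is an added illustration of the combining behaviour described above; it is example code written for this note, not Shorewall's own compiler (Chains.pm). It models a compiled rule as a small record whose fields other than the destination ports and the comment must match for two rules to be 'compatible', applies the 15-port and 255-character limits, and joins comments with ', ', 'Others and' and 'and others' so that Examples 1 and 2 above come out as stated. The record fields, the rendering into iptables syntax, and the treatment of several empty comments in a row (collapsed into one marker) are assumptions of this example.

```python
from dataclasses import dataclass, fields, replace
from typing import List, Optional

# Limits stated in the release note: at most 15 ports per combined rule
# (a port range such as 80:90 counts as two) and at most 255 characters
# of combined comment.
MAX_PORTS = 15
MAX_COMMENT = 255


@dataclass
class Rule:
    """Minimal model of a compiled rule (an assumption of this example).
    Only 'dports' and 'comment' may differ between compatible rules."""
    chain: str
    proto: str
    dest: str
    target: str
    dports: List[str]        # e.g. ["22", "80:90"]
    comment: str = ""


def port_count(dports: List[str]) -> int:
    """Count ports the way the note does: a port range counts as two."""
    return sum(2 if ":" in p else 1 for p in dports)


def compatible(a: Rule, b: Rule) -> bool:
    """Two rules are compatible when every field except the destination
    ports and the comment is identical."""
    return all(getattr(a, f.name) == getattr(b, f.name)
               for f in fields(Rule) if f.name not in ("dports", "comment"))


def merge_comment(current: str, new: str) -> str:
    """Append one more comment to an accumulated comment: ', ' between
    comments, an empty comment at the front becomes 'Others and', an
    empty comment at the end becomes 'and others'. Consecutive empty
    comments collapsing into one marker is an assumption; the note shows
    only a single empty comment."""
    if current == "":
        return f"Others and {new}" if new else ""
    if new == "":
        return current if current.endswith(" and others") else f"{current} and others"
    return f"{current}, {new}"


def combine_rules(rules: List[Rule]) -> List[Rule]:
    """Single greedy pass: extend the current combined rule while the next
    rule is compatible and neither limit would be exceeded; otherwise emit
    the combined rule and restart with the rule that did not fit."""
    out: List[Rule] = []
    cur: Optional[Rule] = None
    for r in rules:
        if cur is not None and compatible(cur, r):
            ports = port_count(cur.dports) + port_count(r.dports)
            comment = merge_comment(cur.comment, r.comment)
            if ports <= MAX_PORTS and len(comment) <= MAX_COMMENT:
                cur = replace(cur, dports=cur.dports + r.dports, comment=comment)
                continue
        if cur is not None:
            out.append(cur)
        cur = replace(r)          # start a new group with a copy of r
    if cur is not None:
        out.append(cur)
    return out


def render(rule: Rule) -> str:
    """Render a rule in iptables-style syntax (illustrative only)."""
    parts = ["-A", rule.chain, "-p", rule.proto, "-d", rule.dest]
    if len(rule.dports) == 1 and ":" not in rule.dports[0]:
        parts += ["--dport", rule.dports[0]]
    else:
        parts += ["-m", "multiport", "--dports", ",".join(rule.dports)]
    if rule.comment:
        parts += ["-m", "comment", "--comment", f'"{rule.comment}"']
    parts += ["-j", rule.target]
    return " ".join(parts)


def example_rules() -> List[Rule]:
    """Constructed input: three rules as three macros invoked in sequence
    might produce them, with comments "FOO", <empty> and "BAR" (Example 1)."""
    base = dict(chain="net-fw", proto="tcp", dest="0.0.0.0/0", target="ACCEPT")
    return [Rule(dports=["22"], comment="FOO", **base),
            Rule(dports=["80"], comment="", **base),
            Rule(dports=["443"], comment="BAR", **base)]


if __name__ == "__main__":
    for rule in combine_rules(example_rules()):
        print(render(rule))
```

Running the script prints a single combined rule carrying the ports 22, 80 and 443 and the comment "FOO and others, BAR". Feeding eight two-port ranges through combine_rules() shows the 15-port limit: seven ranges (14 ports) go into the first rule and the eighth starts a new one, which is the emit-and-restart behaviour the note describes.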
Thank you for testing,
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure
contains a definitive record of customers, application performance,
security threats, fraudulent activity, and more. Splunk takes this
data and makes sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-novd2d
Tom

In the attached config. with OPTIMIZE=16 the following tcrules entry:

SAME fw 1.0.0.0 tcp 153 :15,3

generates the following iptables rule:

-A setsticko -p 6 -d 1.0.0.0 -m mark --mark 0/0xff -m recent --name sticky001 --rdest --remove -m mark --mark 0x3 -m recent --name sticky001 --rdest --set -m multiport --sports ,0:15,3 -m multiport --dports ,153,,153 -m recent --name sticky001 --rdest --update --seconds 300 -j MARK --set-mark 0x3

which produces the following iptables-restore error:

iptables-restore v1.4.12.1: invalid port/service `' specified

Steven.
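A compiled ruleset that iptables-restore rejects leaves the firewall in whatever state the restore got to, so it is worth checking the generated multiport lists before loading them. The checker below is an added example written for this thread, not Shorewall code: it tokenizes a rule line, finds every multiport port-list option, and reports empty entries (the defect in the rule above), non-numeric or out-of-range ports, inverted ranges, duplicate entries and lists of more than 15 ports (a range counting as two, as in the release note). It assumes compiled rules carry numeric ports, so service names are reported rather than resolved. The sample rule is the one from the report above.

```python
import shlex
from typing import List

# Port-list options of the multiport match; the limit is the one given in
# the release note for optimization level 16.
PORT_OPTIONS = {"--sports", "--source-ports", "--dports",
                "--destination-ports", "--ports"}
MAX_MULTIPORT = 15

# The rule reported in the thread, as one line (original line wraps joined).
REPORTED_RULE = (
    "-A setsticko -p 6 -d 1.0.0.0 -m mark --mark 0/0xff "
    "-m recent --name sticky001 --rdest --remove -m mark --mark 0x3 "
    "-m recent --name sticky001 --rdest --set "
    "-m multiport --sports ,0:15,3 -m multiport --dports ,153,,153 "
    "-m recent --name sticky001 --rdest --update --seconds 300 "
    "-j MARK --set-mark 0x3"
)


def _port(text: str) -> int:
    """Parse one numeric port; names are not resolved (assumption)."""
    if not text.isdigit():
        raise ValueError(f"not a numeric port: '{text}'")
    n = int(text)
    if n > 65535:
        raise ValueError(f"port out of range: {n}")
    return n


def check_port_list(option: str, value: str) -> List[str]:
    """Return a list of findings for one comma-separated port list."""
    findings: List[str] = []
    seen = set()
    total = 0
    for i, entry in enumerate(value.split(",")):
        if entry == "":
            # This is exactly what iptables-restore rejected in the report.
            findings.append(f"{option}: empty entry at position {i} in '{value}'")
            continue
        if entry in seen:
            findings.append(f"{option}: duplicate entry '{entry}'")
        seen.add(entry)
        try:
            if ":" in entry:
                lo_s, hi_s = entry.split(":", 1)
                lo, hi = _port(lo_s), _port(hi_s)
                if lo > hi:
                    findings.append(f"{option}: inverted range '{entry}'")
                total += 2          # a range counts as two ports
            else:
                _port(entry)
                total += 1
        except ValueError as err:
            findings.append(f"{option}: {err}")
    if total > MAX_MULTIPORT:
        findings.append(f"{option}: {total} ports exceeds the multiport limit of {MAX_MULTIPORT}")
    return findings


def check_rule(line: str) -> List[str]:
    """Check every multiport port list in one iptables rule line."""
    findings: List[str] = []
    tokens = shlex.split(line)
    for i, tok in enumerate(tokens):
        if tok in PORT_OPTIONS:
            if i + 1 >= len(tokens) or tokens[i + 1].startswith("-"):
                findings.append(f"{tok}: missing value")
            else:
                findings.extend(check_port_list(tok, tokens[i + 1]))
    return findings


if __name__ == "__main__":
    for finding in check_rule(REPORTED_RULE):
        print(finding)
```

Run against the reported rule it lists the empty leading entry in --sports and the two empty entries plus the duplicated 153 in --dports, the four defects that together produced the "invalid port/service" error. A clean rule such as "-m multiport --dports 22,80:90,443" yields no findings, so the checker can be run over a whole generated ruleset and only malformed lines are reported.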
On Nov 25, 2011, at 1:15 PM, Steven Jan Springl wrote:

> In the attached config. with OPTIMIZE=16 the following tcrules entry:
>
> SAME fw 1.0.0.0 tcp 153 :15,3
>
> generates the following iptables rule:
>
> -A setsticko -p 6 -d 1.0.0.0 -m mark --mark 0/0xff -m recent --name sticky001 --rdest --remove -m mark --mark 0x3 -m recent --name sticky001 --rdest --set -m multiport --sports ,0:15,3 -m multiport --dports ,153,,153 -m recent --name sticky001 --rdest --update --seconds 300 -j MARK --set-mark 0x3
>
> which produces the following iptables-restore error:
>
> iptables-restore v1.4.12.1: invalid port/service `' specified

Steven,

The patch I created didn't apply cleanly to RC1. Here's a new Chains.pm.

Thanks,
-Tom
On Nov 25, 2011, at 4:33 PM, Steven Jan Springl wrote:

> Patch applied. No problems to report.

Thanks, Steven

-Tom
On Fri, 2011-11-25 at 18:47 -0800, Tom Eastep wrote:

> On Nov 25, 2011, at 4:33 PM, Steven Jan Springl wrote:
>
>> Patch applied. No problems to report.

The fact that there were duplicate consecutive rules in the 'sticko' chain troubled me, so I investigated that this morning and found that Shorewall 4.4.22 broke the SAME target. The attached patch restores its functionality. I've added Steven's latest test case to the regression library to ensure that SAME isn't broken again in the future.

-Tom