RC 1 is now available for testing.

Problems corrected since Beta 3:

1) Added some missing VARDIR handling to the installers to handle the
   case where a new install is being done and root's ~/.shorewallrc
   is pre-2.5.8.

2) The legacy blacklist chains are no longer created when there is no
   'blacklist' file.

Enhancements since Beta 3:

1) A PRIORITY column has been added to the tcfilter files. See
   shorewall-tcfilters(5) and shorewall6-tcfilters(5) for details.

   As part of this change, the method of assigning priorities to
   filters where the PRIORITY is not specified has changed.
   Previously, all ipv4 filters were assigned priority 10 while all
   ipv6 filters were assigned priority 11. Now, a high-water priority
   is maintained for each interface; the high-water priority is
   initialized to 1. Each rule without an explicit PRIORITY is
   assigned the high-water priority and the high-water priority is
   incremented by one. If an explicit PRIORITY is specified and that
   value is >= the high-water value, then the high-water value is set
   to the specified PRIORITY plus 1. A fatal error is raised if the
   high-water value exceeds 65535.

2) It is now possible to explicitly assign priorities to
   classification filters created by Shorewall for the following:

   - Filter that classifies packets based on their firewall mark
     value.
   - Filter that classifies ACK packets via the 'tcp-ack' class
     option.
   - Filter that classifies packets based on TOS value.

   Example:

   #DEVICE  MARK  RATE:      CEIL  PRIORITY  OPTIONS
   #              DMAX:UMAX
   eth0     1:50  5*full/10  full  1         tcp-ack:15,\
                                             tos-minimize-delay:20

   In this example, the classifier filters would be evaluated in this
   order:

   - tcp-ack (priority 15)
   - tos-minimize-delay (priority 20)
   - Mark value 1 (priority 50)

   In other words, the filters are evaluated in ascending priority
   order. If one filter doesn't match, the packet is passed to the
   next filter.

   See shorewall-tcclasses(5) and shorewall6-tcclasses(5) for
   additional information.

3) The PRIORITY column in the tcclasses file is now optional for HFSC
   classes. If that priority is omitted, then an explicit priority
   must be specified for the MARK value and for the 'tcp-ack' and
   'tos*' options.

Thank you for testing,
-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
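The per-interface high-water assignment from enhancement 1, and the evaluation order of the tcclasses example in enhancement 2, modelled in Python as an added example. This is not Shorewall's own (Perl) code; the Filter class and the two function names are this example's own, and the 65535 check follows the announcement's wording literally.

```python
"""Added example (not Shorewall's code): high-water filter priority assignment
as described in the RC 1 announcement, plus the resulting evaluation order."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_PRIORITY = 65535  # tc filter priorities are 16-bit values


@dataclass
class Filter:
    device: str
    description: str                 # e.g. "tcp-ack", "tos-minimize-delay", "mark 1"
    priority: Optional[int] = None   # None: no PRIORITY given in tcfilters/tcclasses


def assign_priorities(filters: List[Filter]) -> List[Tuple[str, str, int]]:
    """Return (device, description, priority) for each filter, in input order.

    One high-water priority is kept per interface, starting at 1.  A filter
    without an explicit PRIORITY takes the high-water value, which then goes
    up by one.  An explicit PRIORITY >= the high-water value moves the
    high-water value to PRIORITY + 1.  As the announcement states, the
    high-water value exceeding 65535 is a fatal error.
    """
    high_water: Dict[str, int] = {}
    assigned: List[Tuple[str, str, int]] = []
    for f in filters:
        hw = high_water.get(f.device, 1)
        if f.priority is None:
            prio, hw = hw, hw + 1
        else:
            prio = f.priority
            if prio >= hw:
                hw = prio + 1
        if hw > MAX_PRIORITY:
            raise ValueError(f"{f.device}: high-water priority {hw} exceeds {MAX_PRIORITY}")
        high_water[f.device] = hw
        assigned.append((f.device, f.description, prio))
    return assigned


def evaluation_order(filters: List[Filter]) -> List[str]:
    """Descriptions in the order the filters on one device are consulted:
    ascending priority; at equal priority the earlier-added filter wins
    (sorted() is stable, so input order breaks ties)."""
    return [d for _, d, _ in sorted(assign_priorities(filters), key=lambda t: t[2])]


if __name__ == "__main__":
    # The tcclasses example from the announcement: MARK 1:50 on eth0 with
    # OPTIONS tcp-ack:15,tos-minimize-delay:20.
    example = [Filter("eth0", "mark 1", 50), Filter("eth0", "tcp-ack", 15),
               Filter("eth0", "tos-minimize-delay", 20)]
    print(evaluation_order(example))  # ['tcp-ack', 'tos-minimize-delay', 'mark 1']
```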
> See shorewall-tcclasses(5) and shorewall6-tcclasses(5) for
> additional information.

From man shorewall-tcfilters:

"Added in Shorewall 4.5.8. Specifies the rule priority. If not given,
priority 10 is assumed."

That's wrong and needs changing.

From man shorewall-tcdevices:

"OPTIONS - {-|{classify|hfsc|linklayer={ethernet|atm|adsl}|tsize=tsize|mtu=mtu|mpu=mpu|overhead=overhead} ,...}"
- incomplete. "htb" is also allowed and needs to be explained.

Further down on the same man page:

The default priority values used by other Shorewall-generated filters
are as follows:

* Classify by packet mark - ( class priority << 8 ) | 20.
* Ingress policing - 10
* Simple TC ACK packets - 1
* Complex TC ACK packets - ( class priority << 8 ) | 10.
* Classify by TOS - ( class priority << 8 ) | 15.
* Class with 'occurs' - 65535

Neither of which applies in my test case & real life scenario as I do
*not* use MARK (see my previous post on the subject):

1. Class priority is assigned as specified in the PRIORITY column in
   tcclasses, which is what I wanted in the first place.
2. Filter priority is specified as 1-7 (in that order) for each
   "filter add" statement if no PRIORITY value is specified in
   tcfilters.
3. Filter priority is assigned as specified in the PRIORITY column in
   tcfilters, which is, again, what I wanted.

> 3) The PRIORITY column in the tcclasses file is now optional for HFSC
>    classes. If that priority is omitted, then an explicit priority
>    must be specified for the MARK value and for the 'tcp-ack' and
>    'tos*' options.

You also need to explain my case where I do *not* use MARK, but
CLASSIFY and PRIORITY instead.
> Problems corrected since Beta 3:
>
> 1) Added some missing VARDIR handling to the installers to handle the
>    case where a new install is being done and root's ~/.shorewallrc
>    is pre-2.5.8.

One other thing: in various places you have substituted
VARDIR='${VARLIB}/${PRODUCT}' (which was pure nonsense as single
commas are interpreted literally by bash with no variable substitution
taking place) with VARDIR=${VARLIB}/${PRODUCT}. What happens if I have
a space in VARLIB? The correct assignment should really be
VARDIR="${VARLIB}/${PRODUCT}".
On 09/13/2012 04:56 PM, Mr Dash Four wrote:

>> See shorewall-tcclasses(5) and shorewall6-tcclasses(5) for
>> additional information.
>
> From man shorewall-tcfilters:
>
> "Added in Shorewall 4.5.8. Specifies the rule priority. If not given,
> priority 10 is assumed."
>
> That's wrong and needs changing.

Yep.

> From man shorewall-tcdevices:
>
> "OPTIONS - {-|{classify|hfsc|linklayer={ethernet|atm|adsl}|tsize=tsize|mtu=mtu|mpu=mpu|overhead=overhead} ,...}"
> - incomplete. "htb" is also allowed and needs to be explained.
>
> Further down on the same man page:
>
> The default priority values used by other Shorewall-generated filters
> are as follows:
> * Classify by packet mark - ( class priority << 8 ) | 20.
> * Ingress policing - 10
> * Simple TC ACK packets - 1
> * Complex TC ACK packets - ( class priority << 8 ) | 10.
> * Classify by TOS - ( class priority << 8 ) | 15.
> * Class with 'occurs' - 65535
>
> Neither of which applies in my test case & real life scenario as I do
> *not* use MARK (see my previous post on the subject):

This is simply documenting the behavior that has been in effect since
at least Shorewall 4.4.6 (released January 2010).

> 1. Class priority is assigned as specified in the PRIORITY column in
>    tcclasses, which is what I wanted in the first place.

And which has been the case since day 1 for HTB. Since priority is not
supported for HFSC, the priority isn't assigned to those classes.

> 2. Filter priority is specified as 1-7 (in that order) for each
>    "filter add" statement if no PRIORITY value is specified in
>    tcfilters.

Which is now the behavior. Although my testing indicates that where
there are multiple filters at the same priority, it's 'first match
wins'.

> 3. Filter priority is assigned as specified in the PRIORITY column in
>    tcfilters, which is, again, what I wanted.
>
>> 3) The PRIORITY column in the tcclasses file is now optional for HFSC
>>    classes. If that priority is omitted, then an explicit priority
>>    must be specified for the MARK value and for the 'tcp-ack' and
>>    'tos*' options.
>
> You also need to explain my case where I do *not* use MARK, but
> CLASSIFY and PRIORITY instead.

I thought it was self-evident that if you don't use MARK, 'tcp-ack' or
'tos*', then you don't need the priority.

-Tom
On 09/13/2012 05:10 PM, Mr Dash Four wrote:

>> Problems corrected since Beta 3:
>>
>> 1) Added some missing VARDIR handling to the installers to handle
>>    the case where a new install is being done and root's
>>    ~/.shorewallrc is pre-2.5.8.
>
> One other thing: in various places you have substituted
> VARDIR='${VARLIB}/${PRODUCT}' (which was pure nonsense as single
> commas are interpreted literally by bash with no variable
> substitution taking place) with VARDIR=${VARLIB}/${PRODUCT}. What
> happens if I have a space in VARLIB? The correct assignment should
> really be VARDIR="${VARLIB}/${PRODUCT}".
>

Indeed -- VARDIR='${VARLIB}/${PRODUCT}' was only appropriate in the
configure programs and I copied it unchanged into the installers. My
bad.

As I've stated before, there are many places in the code that break if
one of these directories has a space in its name, and I will only spend
what time that I have left on this earth worrying about that problem
when I have absolutely nothing else to do.

-Tom
Tom

The following rules file entry:

ACCEPT fw dmz tcp 22 - - - :

generates the following iptables rule:

-A fw2dmz -p 6 --dport 22 -m owner -j ACCEPT

which produces the following error message:

iptables v1.4.15: owner: At least one of --uid-owner, --gid-owner or
--socket-exists is required

Steven.
On 9/16/12 3:05 PM, Steven Jan Springl wrote:

> The following rules file entry:
>
> ACCEPT fw dmz tcp 22 - - - :
>
> generates the following iptables rule:
>
> -A fw2dmz -p 6 --dport 22 -m owner -j ACCEPT
>
> which produces the following error message:
>
> iptables v1.4.15: owner: At least one of --uid-owner, --gid-owner or
> --socket-exists is required

The attached patch resolves this issue.

Thanks, Steven.

-Tom
On Monday 17 Sep 2012 00:26:36 Tom Eastep wrote:

> On 9/16/12 3:05 PM, Steven Jan Springl wrote:
>> The following rules file entry:
>>
>> ACCEPT fw dmz tcp 22 - - - :
>>
>> generates the following iptables rule:
>>
>> -A fw2dmz -p 6 --dport 22 -m owner -j ACCEPT
>>
>> which produces the following error message:
>>
>> iptables v1.4.15: owner: At least one of --uid-owner, --gid-owner or
>> --socket-exists is required
>
> The attached patch resolves this issue.
>
> Thanks, Steven.
>
> -Tom

Tom

Confirmed, the patch resolves the issue.

Thanks.

Steven.
On 9/16/12 5:02 PM, Steven Jan Springl wrote:

> Confirmed, the patch resolves the issue.

Thanks, Steven

-Tom
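The bug Steven reported, modelled in Python as an added example (not Shorewall's Perl compiler code and not the attached patch, which this thread does not show): the USER/GROUP column is parsed and '-m owner' is emitted only when at least one criterion is present. The [!][user][:group] grammar follows shorewall-rules(5); treating an all-empty ':' column as "no owner match" is this example's assumption about the fix, and the function names are its own.

```python
"""Added example (not Shorewall's code): iptables owner-match arguments from the
USER/GROUP column of a rules entry, with the ':' case handled."""
from typing import List


def owner_match_args(column: str) -> List[str]:
    """Return the iptables arguments for a USER/GROUP column value.

    Grammar per shorewall-rules(5): [!][user][:group].  '-' or an empty
    column means the column is unused.  ':' alone has neither a user nor a
    group, and this example emits nothing for it (assumed fix).
    """
    if column in ("", "-"):
        return []
    negate = column.startswith("!")
    if negate:
        column = column[1:]
    user, _, group = column.partition(":")
    if not user and not group:
        # The defect in this thread: ':' produced '-m owner' with no criteria,
        # which iptables rejects ("At least one of --uid-owner, --gid-owner
        # or --socket-exists is required").  Emit no owner match at all.
        return []
    args = ["-m", "owner"]
    neg = ["!"] if negate else []       # iptables match negation: ! --uid-owner
    if user:
        args += neg + ["--uid-owner", user]
    if group:
        args += neg + ["--gid-owner", group]
    return args


def build_accept_rule(chain: str, proto: str, dport: int, user_group: str) -> str:
    """Render one ACCEPT rule in the form iptables-restore reads."""
    parts = ["-A", chain, "-p", proto, "--dport", str(dport)]
    parts += owner_match_args(user_group) + ["-j", "ACCEPT"]
    return " ".join(parts)


if __name__ == "__main__":
    # The entry from the thread: ACCEPT fw dmz tcp 22 - - - :
    print(build_accept_rule("fw2dmz", "6", 22, ":"))
    # -A fw2dmz -p 6 --dport 22 -j ACCEPT
```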
> As I've stated before, there are many places in the code that break if
> one of these directories has a space in its name, and I will only spend
> what time that I have left on this earth worrying about that problem
> when I have absolutely nothing else to do.

That's fair enough, though you, at least initially, decided to use
single instead of double quotes for a reason - maybe experimenting with
your bash skills?