RC 2 is now available for testing.

Changes since RC 1:

1) The priority algorithm for entries in /etc/shorewall/tcfilters was
   simplified without affecting the external behavior. The algorithm is
   now documented in shorewall[6]-tcfilters(5).

2) Two additional cases of incorrect quoting when setting VARDIR have
   been corrected.

3) A down-rev shorewallrc file is now updated by the shorewall-core
   tarball installer. The original is saved in a .bak file.

4) The getparams program was previously not establishing the total
   environment of a CLI program like /sbin/shorewall. That has been
   corrected.

5) Previously, ":" was allowed as the sole contents of the USER/GROUP
   rules columns with the result that iptables-restore failed. A
   fatal_error is now raised.

6) Two identical cases have been combined in the Fedora/Redhat SysV init
   script.

Thank you for testing.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

> 1) The priority algorithm for entries in /etc/shorewall/tcfilters was
> simplified without affecting the external behavior. The algorithm is
> now documented in shorewall[6]-tcfilters(5).

The "example" given in man shorewall-tcfilters may need updating to
include the new OPTION. Also, it is worth mentioning somewhere that when
HFSC is used without specifying a MARK, then NO priority is defined/used.
Then again, even though I have used tos-ack together with HFSC and no
MARKing, I still have no priority defined - don't know whether that is
right.

Tom

When the following entry is placed in the tcrules file:

TTL(+0):P ppp0 eth0

the following iptables rule is generated:

-A tcpre -d 192.168.0.0/24 -i ppp0 -j TTL --ttl-inc 0

which produces the following error message:

iptables v1.4.15: TTL: bad value for option "--ttl-inc", or out of range
(1-255).

Note the same error occurs if 'TTL(-0):P' is specified.

Steven.

On 9/23/12 3:05 PM, "Steven Jan Springl" <steven@springl.ukfsn.org> wrote:
>
>When the following entry is placed in the tcrules file:
>
>TTL(+0):P ppp0 eth0
>
>the following iptables rule is generated:
>
>-A tcpre -d 192.168.0.0/24 -i ppp0 -j TTL --ttl-inc 0
>
>which produces the following error message:
>
>iptables v1.4.15: TTL: bad value for option "--ttl-inc", or out of range
>(1-255).
>
>Note the same error occurs if 'TTL(-0):P' is specified.

Steven,

This patch corrects the problem and a similar problem with HL() in
Shorewall6.

Thanks,
-Tom
You do not need a parachute to skydive. You only need a parachute to
skydive twice.

On Monday 24 Sep 2012 01:23:59 Tom Eastep wrote:
> On 9/23/12 3:05 PM, "Steven Jan Springl" <steven@springl.ukfsn.org> wrote:
> >When the following entry is placed in the tcrules file:
> >
> >TTL(+0):P ppp0 eth0
> >
> >the following iptables rule is generated:
> >
> >-A tcpre -d 192.168.0.0/24 -i ppp0 -j TTL --ttl-inc 0
> >
> >which produces the following error message:
> >
> >iptables v1.4.15: TTL: bad value for option "--ttl-inc", or out of range
> >(1-255).
> >
> >Note the same error occurs if 'TTL(-0):P' is specified.
>
> Steven,
>
> This patch corrects the problem and a similar problem with HL() in
> Shorewall6.
>
> Thanks,
> -Tom
> You do not need a parachute to skydive. You only need a parachute to
> skydive twice.

Tom

I can confirm the patch does correct the issue, however the following
tcrules file entries produce the same error:

TTL(+00):P ppp0 eth0
TTL(-00):P ppp0 eth0

Additionally the following tcrules file entry is rejected by Shorewall:

TTL(0):P ppp0 eth0

But the following entry is allowed by Shorewall and does not produce an
iptables-restore error:

TTL(00):P ppp0 eth0

Steven.

On 09/24/2012 01:58 PM, Steven Jan Springl wrote:
> On Monday 24 Sep 2012 01:23:59 Tom Eastep wrote:
>> On 9/23/12 3:05 PM, "Steven Jan Springl" <steven@springl.ukfsn.org> wrote:
>>> When the following entry is placed in the tcrules file:
>>>
>>> TTL(+0):P ppp0 eth0
>>>
>>> the following iptables rule is generated:
>>>
>>> -A tcpre -d 192.168.0.0/24 -i ppp0 -j TTL --ttl-inc 0
>>>
>>> which produces the following error message:
>>>
>>> iptables v1.4.15: TTL: bad value for option "--ttl-inc", or out of range
>>> (1-255).
>>>
>>> Note the same error occurs if 'TTL(-0):P' is specified.
>>
>> Steven,
>>
>> This patch corrects the problem and a similar problem with HL() in
>> Shorewall6.
>>
>> Thanks,
>> -Tom
>> You do not need a parachute to skydive. You only need a parachute to
>> skydive twice.
>
> Tom
>
> I can confirm the patch does correct the issue, however the following tcrules
> file entries produce the same error:
>
> TTL(+00):P ppp0 eth0
> TTL(-00):P ppp0 eth0
>
> Additionally the following tcrules file entry is rejected by Shorewall:
>
> TTL(0):P ppp0 eth0
>
> But the following entry is allowed by Shorewall and does not produce an
> iptables-restore error:
>
> TTL(00):P ppp0 eth0

Steven,

This patch seems to do the right thing in all cases.

Thanks,
-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

On Monday 24 Sep 2012 22:24:47 Tom Eastep wrote:
> On 09/24/2012 01:58 PM, Steven Jan Springl wrote:
> > On Monday 24 Sep 2012 01:23:59 Tom Eastep wrote:
> >> On 9/23/12 3:05 PM, "Steven Jan Springl" <steven@springl.ukfsn.org> wrote:
> >>> When the following entry is placed in the tcrules file:
> >>>
> >>> TTL(+0):P ppp0 eth0
> >>>
> >>> the following iptables rule is generated:
> >>>
> >>> -A tcpre -d 192.168.0.0/24 -i ppp0 -j TTL --ttl-inc 0
> >>>
> >>> which produces the following error message:
> >>>
> >>> iptables v1.4.15: TTL: bad value for option "--ttl-inc", or out of
> >>> range (1-255).
> >>>
> >>> Note the same error occurs if 'TTL(-0):P' is specified.
> >>
> >> Steven,
> >>
> >> This patch corrects the problem and a similar problem with HL() in
> >> Shorewall6.
> >>
> >> Thanks,
> >> -Tom
> >> You do not need a parachute to skydive. You only need a parachute to
> >> skydive twice.
> >
> > Tom
> >
> > I can confirm the patch does correct the issue, however the following
> > tcrules file entries produce the same error:
> >
> > TTL(+00):P ppp0 eth0
> > TTL(-00):P ppp0 eth0
> >
> > Additionally the following tcrules file entry is rejected by Shorewall:
> >
> > TTL(0):P ppp0 eth0
> >
> > But the following entry is allowed by Shorewall and does not produce an
> > iptables-restore error:
> >
> > TTL(00):P ppp0 eth0
>
> Steven,
>
> This patch seems to do the right thing in all cases.
>
> Thanks,
> -Tom

Tom

Confirmed, the patch fixes all the issues. However the following tcrules
entry:

TTL():P ppp0 eth0

produces the following messages:

Use of uninitialized value $1 in string eq at
/usr/share/shorewall/Shorewall/Tc.pm line 401, <$currentfile> line 16.

Use of uninitialized value $2 in string eq at
/usr/share/shorewall/Shorewall/Tc.pm line 401, <$currentfile> line 16.

Use of uninitialized value $param in abs at
/usr/share/shorewall/Shorewall/Tc.pm line 401, <$currentfile> line 16.

Use of uninitialized value $1 in pattern match (m//) at
/usr/share/shorewall/Shorewall/Tc.pm line 403, <$currentfile> line 16.

Use of uninitialized value $1 in pattern match (m//) at
/usr/share/shorewall/Shorewall/Tc.pm line 405, <$currentfile> line 16.

Steven.

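The zero, leading-zero and empty-parameter cases reported in this thread all come down to validating the text inside TTL(...) before a rule is generated. The following is an added example in Python, not Shorewall's Perl code and not any of the patches mentioned above. All names in it are hypothetical, and it assumes a 1-255 range for all three forms, taken from the range in the iptables error message quoted above.

```python
import re

# Assumption: all three forms take 1-255, the range in the iptables error
# message quoted in the thread. Names below are hypothetical, not Shorewall's.
TTL_MIN, TTL_MAX = 1, 255
OPTION = {"": "--ttl-set", "+": "--ttl-inc", "-": "--ttl-dec"}

# ACTION column: TTL(<param>) with an optional chain designator such as ":P".
ACTION = re.compile(r"TTL\(([^()]*)\)(?::[A-Z]+)?")
# Optional sign, then 1-3 ASCII digits. The empty string does not match.
PARAM = re.compile(r"([+-]?)([0-9]{1,3})")


def ttl_target(param):
    """Return the iptables target for the text inside TTL(...), or raise."""
    m = PARAM.fullmatch(param)
    if m is None:
        # Covers "TTL()" and junk like "+" or "1x": stop before any capture
        # group is read, so nothing downstream sees an undefined value.
        raise ValueError(f"invalid TTL parameter {param!r}")
    sign, digits = m.groups()
    value = int(digits, 10)  # compare the number, so "00" is treated as "0"
    if not TTL_MIN <= value <= TTL_MAX:
        raise ValueError(f"TTL value {value} outside {TTL_MIN}-{TTL_MAX}")
    return f"-j TTL {OPTION[sign]} {value}"


def check_actions(actions):
    """Map each ACTION string to its target, or to 'ERROR: ...'."""
    results = {}
    for action in actions:
        m = ACTION.fullmatch(action)
        try:
            if m is None:
                raise ValueError(f"not a TTL action: {action!r}")
            results[action] = ttl_target(m.group(1))
        except ValueError as exc:
            results[action] = f"ERROR: {exc}"
    return results


# Constructed sample: the entries reported in the thread plus two valid ones.
SAMPLE = ["TTL(+0):P", "TTL(-0):P", "TTL(+00):P", "TTL(-00):P", "TTL(0):P",
          "TTL(00):P", "TTL():P", "TTL(+3):P", "TTL(064):P"]

if __name__ == "__main__":
    for action, result in check_actions(SAMPLE).items():
        print(f"{action:12} {result}")
```

Because the range check runs on the parsed integer rather than on the string, "0" and "00" get the same verdict, and the empty parameter fails at the match step instead of reaching the numeric comparison.
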
On 9/24/12 3:08 PM, "Steven Jan Springl" <steven@springl.ukfsn.org> wrote:
>Confirmed, the patch fixes all the issues. However the following tcrules
>entry:
>
>TTL():P ppp0 eth0
>
>produces the following messages:
>
>Use of uninitialized value $1 in string eq at
>/usr/share/shorewall/Shorewall/Tc.pm line 401, <$currentfile> line 16.
>
>Use of uninitialized value $2 in string eq at
>/usr/share/shorewall/Shorewall/Tc.pm line 401, <$currentfile> line 16.
>
>Use of uninitialized value $param in abs at
>/usr/share/shorewall/Shorewall/Tc.pm line 401, <$currentfile> line 16.
>
>Use of uninitialized value $1 in pattern match (m//) at
>/usr/share/shorewall/Shorewall/Tc.pm line 403, <$currentfile> line 16.
>
>Use of uninitialized value $1 in pattern match (m//) at
>/usr/share/shorewall/Shorewall/Tc.pm line 405, <$currentfile> line 16.

Steven,

I hope "3's the charm" with this.

Thanks,
-Tom
You do not need a parachute to skydive. You only need a parachute to
skydive twice.

On Tuesday 25 Sep 2012 00:16:34 Tom Eastep wrote:
> On 9/24/12 3:08 PM, "Steven Jan Springl" <steven@springl.ukfsn.org> wrote:
> >Confirmed, the patch fixes all the issues. However the following tcrules
> >entry:
> >
> >TTL():P ppp0 eth0
> >
> >produces the following messages:
> >
> >Use of uninitialized value $1 in string eq at
> >/usr/share/shorewall/Shorewall/Tc.pm line 401, <$currentfile> line 16.
> >
> >Use of uninitialized value $2 in string eq at
> >/usr/share/shorewall/Shorewall/Tc.pm line 401, <$currentfile> line 16.
> >
> >Use of uninitialized value $param in abs at
> >/usr/share/shorewall/Shorewall/Tc.pm line 401, <$currentfile> line 16.
> >
> >Use of uninitialized value $1 in pattern match (m//) at
> >/usr/share/shorewall/Shorewall/Tc.pm line 403, <$currentfile> line 16.
> >
> >Use of uninitialized value $1 in pattern match (m//) at
> >/usr/share/shorewall/Shorewall/Tc.pm line 405, <$currentfile> line 16.
>
> Steven,
>
> I hope "3's the charm" with this.
>
> Thanks,
> -Tom
> You do not need a parachute to skydive. You only need a parachute to
> skydive twice.

Tom

Confirmed, the patch has fixed the issue.

I have completed my testing of RC2.

Steven.

On 9/24/12 4:57 PM, "Steven Jan Springl" <steven@springl.ukfsn.org> wrote:
>
>Confirmed, the patch has fixed the issue.
>
>I have completed my testing of RC2.

Thanks, Steven!

-Tom
You do not need a parachute to skydive. You only need a parachute to
skydive twice.