RC 1 is now available for testing.

Problems Corrected since Beta 3:

1) In Beta 3, if a rule with a SWITCH that included the chain name did not survive optimization, then 'echo' would issue an error when trying to initialize the corresponding Netfilter condition.

New/Changed Features since Beta 3:

1) The compiler allows overriding the setting of 'inline' on the Shorewall standard actions within /etc/shorewall[6]/actions. Beware, however, that some of them don't work when in-lined so the compiler will ignore the 'inline' option with a warning for those actions:

   Broadcast
   DropSmurfs
   Invalid
   NonSyn
   RST
   TCPFlags

2) In SWITCH columns, the name of the current Netfilter chain will be substituted for '@0' and '@{0}'.

   Example (using alternative rule column specification):

   #ACTION   SOURCE   DEST   ...
   NFLOG     net      fw     ; switch:@{0}_logall

   The name of the switch will be 'net2fw_logall'.

   Note 1: Non-alphanumeric characters other than '_' and '-' will be deleted from the chain name before substitution.

   Note 2: The chain name substituted is the one to which the rule is initially added. The rule may end up in a different chain due to optimization.

14) Optimization level 16 now suppresses duplicate rules in chains from all tables (it previously only suppressed duplicates in the 'raw' table). Non-adjacent rules containing 'mark', 'connmark', 'dscp', 'ecn', 'set', 'tos' or 'u32' matches are not suppressed.

Thank you for testing,
-Tom

-- 
Tom Eastep           \ When I die, I want to go like my Grandfather who
Shoreline,            \ died peacefully in his sleep. Not screaming like
Washington, USA        \ all of the passengers in his car
http://shorewall.net    \________________________________________________
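As an added worked example (not part of the announcement and not Shorewall's own Perl compiler code), the following Python models the '@0' / '@{0}' SWITCH substitution together with the Note 1 sanitizing rule. It assumes that the chain a plain zone-to-zone rule is initially added to is named SOURCE2DEST, as in the net2fw example above; the chain name '~log0' used in the demo is a constructed input.

```python
import re

# Added illustration of the RC 1 SWITCH substitution ('@0' and '@{0}') and of
# Note 1 (chain-name sanitizing). Not Shorewall's own code; the rule lines and
# the '~log0' chain name below are constructed for the example.

PLACEHOLDER = re.compile(r"@(?:0|\{0\})")   # matches both @0 and @{0}
DISALLOWED = re.compile(r"[^A-Za-z0-9_-]")  # everything Note 1 deletes


def sanitize_chain_name(chain):
    """Note 1: non-alphanumeric characters other than '_' and '-' are removed."""
    return DISALLOWED.sub("", chain)


def substitute_switch(switch_spec, chain):
    """Replace every @0 / @{0} in a switch specification with the sanitized
    name of the chain the rule is initially added to.  Note 2: optimization
    may later move the rule, but the switch name chosen here does not change."""
    clean = sanitize_chain_name(chain)
    return PLACEHOLDER.sub(lambda _m: clean, switch_spec)


def parse_rule(line):
    """Parse a rules entry in the alternative column format:
       ACTION SOURCE DEST ; name:value ...
    Returns (action, source, dest, {name: value})."""
    positional, _, named = line.partition(";")
    fields = positional.split()
    if len(fields) < 3:
        raise ValueError("need ACTION SOURCE DEST: %r" % line)
    options = {}
    for item in named.split():
        name, sep, value = item.partition(":")
        if not sep:
            raise ValueError("bad column specification: %r" % item)
        options[name.lower()] = value
    return fields[0], fields[1], fields[2], options


def switch_name_for_rule(line):
    """Assumption: a plain zone-to-zone rule is first added to chain
    <SOURCE>2<DEST> (net2fw in the announcement's example).  Returns the
    resulting Netfilter condition name, or None when there is no SWITCH."""
    _action, source, dest, options = parse_rule(line)
    switch = options.get("switch")
    if switch is None:
        return None
    return substitute_switch(switch, "%s2%s" % (source, dest))


if __name__ == "__main__":
    # The example from the announcement.
    print(switch_name_for_rule("NFLOG net fw ; switch:@{0}_logall"))  # net2fw_logall
    # Constructed chain name containing a character that Note 1 strips.
    print(substitute_switch("@0_logall", "~log0"))                     # log0_logall
```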
> Thank you for testing,

I'll be able to do a bit of testing after Tuesday.
On 12/2/12 3:37 PM, Mr Dash Four wrote:
>
>> Thank you for testing,
> I'll be able to do a bit of testing after Tuesday.

Thanks,
-Tom
Tom

In the attached config. rule:

self(:) all all udp 900

produces the following messages:

Use of uninitialized value $target in pattern match (m//) at /usr/share/shorewall/Shorewall/Rules.pm line 1146, <$currentfile> line 4.

Use of uninitialized value $target in concatenation (.) or string at /usr/share/shorewall/Shorewall/Rules.pm line 1148, <$currentfile> line 4.

Steven.
On 12/4/12 1:03 PM, Steven Jan Springl wrote:
> In the attached config. rule:
>
> self(:) all all udp 900
>
> produces the following messages:
>
> Use of uninitialized value $target in pattern match (m//) at
> /usr/share/shorewall/Shorewall/Rules.pm line 1146, <$currentfile> line 4.
>
> Use of uninitialized value $target in concatenation (.) or string at
> /usr/share/shorewall/Shorewall/Rules.pm line 1148, <$currentfile> line 4.
>

The attached patch seems to resolve the issue.

Thanks Steven,
-Tom
On Wednesday 05 Dec 2012 04:08:37 Tom Eastep wrote:
> On 12/4/12 1:03 PM, Steven Jan Springl wrote:
> > In the attached config. rule:
> >
> > self(:) all all udp 900
> >
> > produces the following messages:
> >
> > Use of uninitialized value $target in pattern match (m//) at
> > /usr/share/shorewall/Shorewall/Rules.pm line 1146, <$currentfile> line 4.
> >
> > Use of uninitialized value $target in concatenation (.) or string at
> > /usr/share/shorewall/Shorewall/Rules.pm line 1148, <$currentfile> line 4.
>
> The attached patch seems to resolve the issue.
>
> Thanks Steven,
> -Tom

Tom

Confirmed, the patch fixes the issue.

Thanks.

Steven.
> I'll be able to do a bit of testing after Tuesday.

This is what I was able to find out so far:

1.

action.my_log
~~~~~~~~~~~~~
$1

rules
~~~~~
my_log(LOG:info(uid,tcp_options,ip_options,macdecode,tcp_sequence)):debug(uid,tcp_options,ip_options,macdecode,tcp_sequence) $FW net

gets me "ERROR: Invalid ACTION (LOG:info(uid)"

2.

action.my_log78901234567890
~~~~~~~~~~~~~~~~~~~~~~~~~~~
$1

3.

action.C_ACTION (inline)
~~~~~~~~~~~~~~~~~~~~~~~~
$1

rules
~~~~~
C_ACTION(dropBcast) $FW net
dropBcast $FW net

generates:

[...]
-A fw2net -j dropBcast -m comment --comment "C_ACTION"
-A fw2net -j dropBcast
[...]

Two issues here: 1. the above 2 statements are essentially the same, bar the (auto-generated) comment (OPTIMIZE is set at 31); and 2. It would be nice if I could disable the auto-generated comment by shorewall (new option in "actions"?) and verify that OPTIMIZE works to remove the duplicate statements in inline actions (that optimisation seems to work for normal actions).

4.

rules
~~~~~
my_log78901234567890(LOG:debug):info $FW net

gets me (note the extra space after "678")

WARNING: Log Prefix shortened to "Shorewall:my_log789012345678 "

and then generates a rule containing (again, note the extra space)

... --log-prefix "Shorewall:my_log789012345678 "

5.

rules
~~~~~
circ1(NonSyn) $FW net

gets me "ERROR: Invalid Action (NonSyn) in inline action" (circ1 is indeed inlined) - isn't that supposed to be (silently) ignored?

rules
~~~~~
circ1(RST) $FW net

gives no error, but the following rule is produced:

-A fw2net -p 6 --tcp-flags RST RST, -j DROP -m comment --comment "circ1"

Is the comma after the second "RST" supposed to be there?
On 12/5/12 5:34 PM, Mr Dash Four wrote:
> 4.
>
> rules
> ~~~~~
> my_log78901234567890(LOG:debug):info $FW net
>
> gets me (note the extra space after "678") WARNING: Log Prefix shortened to "Shorewall:my_log789012345678 "
> and then generates a rule containing (again, note the extra space) ... --log-prefix "Shorewall:my_log789012345678 "
>

What is your LOGFORMAT setting? Does it end with a space character?

-Tom
> What is your LOGFORMAT setting? Does it end with a space character?

LOGFORMAT="Shorewall:%s:%s:"
On 12/05/2012 05:34 PM, Mr Dash Four wrote:
>
>> I'll be able to do a bit of testing after Tuesday.
> This is what I was able to find out so far:
>
> 1.
>
> action.my_log
> ~~~~~~~~~~~~~
> $1
>
> rules
> ~~~~~
> my_log(LOG:info(uid,tcp_options,ip_options,macdecode,tcp_sequence)):debug(uid,tcp_options,ip_options,macdecode,tcp_sequence) $FW net
>
> gets me "ERROR: Invalid ACTION (LOG:info(uid)"

Patch PARAM.patch attached.

>
> 2.
>
> action.my_log78901234567890
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~
> $1
>
> 3.
>
> action.C_ACTION (inline)
> ~~~~~~~~~~~~~~~~~~~~~~~~
> $1
>
> rules
> ~~~~~
> C_ACTION(dropBcast) $FW net
> dropBcast $FW net
>
>
> generates:
>
> [...]
> -A fw2net -j dropBcast -m comment --comment "C_ACTION"
> -A fw2net -j dropBcast
> [...]
>
> Two issues here: 1. the above 2 statements are essentially the same, bar the (auto-generated) comment (OPTIMIZE is set at 31); and 2. It would be nice if I could disable the auto-generated comment by shorewall (new option in "actions"?) and verify that OPTIMIZE works to remove the duplicate statements in inline actions (that optimisation seems to work for normal actions).
>

Number 1 will have to wait for 4.5.11.

For number 2, have you tried simply placing an empty COMMENT line as the first line of C_ACTION?

> 4.
>
> rules
> ~~~~~
> my_log78901234567890(LOG:debug):info $FW net
>
> gets me (note the extra space after "678") WARNING: Log Prefix shortened to "Shorewall:my_log789012345678 "
> and then generates a rule containing (again, note the extra space) ... --log-prefix "Shorewall:my_log789012345678 "
>

The space is there to separate the tag from the following 'IN=' in the log message; without it, the log message reads ...Shorewall:my_log7890123456789IN=eth0....

> 5.
>
> rules
> ~~~~~
> circ1(NonSyn) $FW net
>
> gets me "ERROR: Invalid Action (NonSyn) in inline action" (circ1 is indeed inlined) - isn't that supposed to be (silently) ignored?

Looks like there is no target named 'nonSyn' (note that the standard shorewall action is 'NotSyn').

>
> rules
> ~~~~~
> circ1(RST) $FW net
>
> gives no error, but the following rule is produced:
> -A fw2net -p 6 --tcp-flags RST RST, -j DROP -m comment --comment "circ1"
>
> Is the comma after the second "RST" supposed to be there?

Obviously not. COMMA.patch attached.

-Tom
On 12/06/2012 08:16 AM, Tom Eastep wrote:
> On 12/05/2012 05:34 PM, Mr Dash Four wrote:
>>
>>> I'll be able to do a bit of testing after Tuesday.
>> This is what I was able to find out so far:
>>
>> 1.
>>
>> action.my_log
>> ~~~~~~~~~~~~~
>> $1
>>
>> rules
>> ~~~~~
>> my_log(LOG:info(uid,tcp_options,ip_options,macdecode,tcp_sequence)):debug(uid,tcp_options,ip_options,macdecode,tcp_sequence)
>> $FW net
>>
>> gets me "ERROR: Invalid ACTION (LOG:info(uid)"
>
> Patch PARAM.patch attached.

My apologies -- that patch doesn't apply cleanly against RC 1. Patch PARAM1.patch attached.

-Tom
> Patch PARAM.patch attached.

With the PARAM1.patch applied...

action.circ1
~~~~~~~~~~~~
$1 $2 $3

rules
~~~~~
circ1(LOG:info,$FW,net)

I get "ERROR: Unknown Interface (fw)"

Also:

actions
~~~~~~~
circ2 inline
circ3 inline

action.circ2
~~~~~~~~~~~~
circ3($1)

action.circ3
~~~~~~~~~~~~
$1

rules
~~~~~
circ2(LOG:info) $FW net

I get "ERROR: Invalid Action (circ2(LOG:info)) in inline action".

> For number 2, have you tried simply placing an empty COMMENT line as the
> first line of C_ACTION?

Yep, that does the trick.

> The space is there to separate the tag from the following 'IN=' in the
> log message; without it, the log message reads
> ...Shorewall:my_log7890123456789IN=eth0....

I get the same issue with NFLOG (in the form of --nflog-prefix "Shorewall:log789012345678 ") where there is no such thing as "IN=", at least not in 99% of all cases anyway.

> Looks like there is no target named 'nonSyn' (note that the standard
> shorewall action is 'NotSyn').

Looks like I shouldn't be relying on your shorewall announcements (where you used "NonSyn") and should stick to reading the relevant man pages instead. "NotSyn" works as expected though.

> Obviously not. COMMA.patch attached.

Works as expected this time.
On 12/6/12 4:37 PM, "Mr Dash Four" <mr.dash.four@googlemail.com> wrote:
>
>> Patch PARAM.patch attached.
> With the PARAM1.patch applied...
>
> action.circ1
> ~~~~~~~~~~~~
> $1 $2 $3
>
> rules
> ~~~~~
> circ1(LOG:info,$FW,net)
>
> I get "ERROR: Unknown Interface (fw)"

Not a defect -- Within the body of a non-inlined action, the SOURCE column cannot include a zone name.

>
> Also:
>
> actions
> ~~~~~~~
> circ2 inline
> circ3 inline
>
> action.circ2
> ~~~~~~~~~~~~
> circ3($1)
>
> action.circ3
> ~~~~~~~~~~~~
> $1
>
> rules
> ~~~~~
> circ2(LOG:info) $FW net
>
> I get "ERROR: Invalid Action (circ2(LOG:info)) in inline action".

I'll look into that one.

>
>> The space is there to separate the tag from the following 'IN=' in the
>> log message; without it, the log message reads
>> ...Shorewall:my_log7890123456789IN=eth0....
> I get the same issue with NFLOG (in the form of --nflog-prefix
> "Shorewall:log789012345678 ") where there is no such thing as "IN=", at
> least not in 99% of all cases anyway.

The syslog emulator in ulogd2 places IN= in every message and faithfully reproduces this awkward xt_LOG behavior; thus I'm not changing it.

-Tom

You do not need a parachute to skydive. You only need a parachute to skydive twice.
> Not a defect -- Within the body of a non-inlined action, the SOURCE column
> cannot include a zone name.

Didn't know that. Should I assume (and test) for destination zones then?

>> I get the same issue with NFLOG (in the form of --nflog-prefix
>> "Shorewall:log789012345678 ") where there is no such thing as "IN=", at
>> least not in 99% of all cases anyway.
>
> The syslog emulator in ulogd2 places IN= in every message and faithfully
> reproduces this awkward xt_LOG behavior; thus I'm not changing it.

xt_LOG is not the only filter in ulogd2. In fact, it is one of about a dozen others. The likelihood that NFLOG's xt_LOG will be used instead of the LOG target is slim-to-none. Why is it so difficult for you to change this and account for the extra space then?
On 12/6/12 6:43 PM, "Mr Dash Four" <mr.dash.four@googlemail.com> wrote:
>
>
>> Not a defect -- Within the body of a non-inlined action, the SOURCE
>> column
>> cannot include a zone name.
> Didn't know that. Should I assume (and test) for destination zones then?

Only in non-inlined actions.

>
>>> I get the same issue with NFLOG (in the form of --nflog-prefix
>>> "Shorewall:log789012345678 ") where there is no such thing as "IN=", at
>>> least not in 99% of all cases anyway.
>>
>> The syslog emulator in ulogd2 places IN= in every message and faithfully
>> reproduces this awkward xt_LOG behavior; thus I'm not changing it.
> xt_LOG is not the only filter in ulogd2. In fact, it is one of about a
> dozen others. The likelihood that NFLOG's xt_LOG will be used instead of
> the LOG target is slim-to-none.

I use it! And I'm not going to break my own firewall.

-Tom
On 12/6/12 5:50 PM, "Tom Eastep" <teastep@shorewall.net> wrote:
>>
>> Also:
>>
>> actions
>> ~~~~~~~
>> circ2 inline
>> circ3 inline
>>
>> action.circ2
>> ~~~~~~~~~~~~
>> circ3($1)
>>
>> action.circ3
>> ~~~~~~~~~~~~
>> $1
>>
>> rules
>> ~~~~~
>> circ2(LOG:info) $FW net
>>
>> I get "ERROR: Invalid Action (circ2(LOG:info)) in inline action".
>
> I'll look into that one.

Patch TARGET.patch attached

-Tom
On 12/6/12 7:03 PM, "Tom Eastep" <teastep@shorewall.net> wrote:
> On 12/6/12 6:43 PM, "Mr Dash Four" <mr.dash.four@googlemail.com> wrote:
>
>>
>>
>>> Not a defect -- Within the body of a non-inlined action, the SOURCE
>>> column
>>> cannot include a zone name.
>> Didn't know that. Should I assume (and test) for destination zones then?
>
> Only in non-inlined actions.

Check that -- in ANY action body, zones are not allowed. They are only allowed in rules and in macro bodies.

-Tom
> I use it! And I'm not going to break my own firewall.
>

Where have I asked you to or insisted on "breaking your own firewall"? If there is a bug in xt_LOG (or its corresponding ulogd2 filter module) then it should be fixed.
>> Only in non-inlined actions.
>>
>
> Check that -- in ANY action body, zones are not allowed. They are only
> allowed in rules and in macro bodies.
>

Noted.