I realize I should have sent a trace in addition to the information
below. That trace is attached. I used -T in the trace since this seems
to be a perl thing. Parsing of the SOURCE goes wrong in
isolate_source_interface. Given a rule with SOURCE of
"uw:ref.cac.washington.edu" the zone is stripped off leaving
"ref.cac.washington.edu" and in isolate_source_interface it ends up in
the else clause of the code below which is incorrect.
    if ( $family == F_IPV4 ) {
        if ( $source =~ /^(.+?):(.+)$/ ) {
            # "interface:address" form: split at the first colon
            $iiface = $1;
            $inets  = $2;
        } elsif ( $source =~ /^!?(?:\+|&|~|%|\^|\d+\.)/ ) {
            # starts with one of + & ~ % ^ or a digit followed by a dot
            # (optionally negated with !): address part only, no interface
            $inets = $source;
        } else {
            # anything else is taken to be an interface name,
            # so a bare hostname lands here
            $iiface = $source;
        }
    }
This seems like very core parsing so I'm not sure why I'd be hitting
this and thus don't feel like I should be trying to second guess the
pattern matching and offer a patch.
-Eric
On Fri, Jan 11, 2013 at 4:47 PM, Eric Horst <erich@uw.edu> wrote:
> We don't upgrade very often, today I'm going from 4.4.25.2 to
> 4.5.11.2. I've upgraded and am working through the "shorewall check"
> to ensure that our configs are compatible and fixing any changes. I've
> been through the docs and upgrade notes several times on this one.
>
> We have a single-interface firewall which is used to protect the
> firewall host only i.e. a host-based firewall. This is in use on about
> 600 servers.
>
> interfaces:
> - enet physical=+
>
> hosts:
> net enet:0.0.0.0/0
> uw enet:$N_ALL_UW_AFFILIATED
>
> zones:
> host firewall
> uw ipv4
> net ipv4
>
>
> This is the typical format of a rule in the rules file (included by a
> SHELL directive):
> ACCEPT uw:homer.u.washington.edu host 22
>
> After upgrading to 4.5.11.2 and running shorewall check I get this error:
> ERROR: Unknown Interface (homer.u.washington.edu)
> SHELL@/etc/shorewall/rules:17 (line 96)
> from /etc/shorewall/rules (line 17)
>
> This can be fixed by adding the interface name like this:
> ACCEPT uw:enet:ref.cac.washington.edu host 22
>
> Yet the docs imply that the interface is optional (by showing it in
> square brackets) as it always has in the past:
>
> SOURCE - {zone|zone-list[+]|{all|any}[+][-]}[:interface][:{address-or-range[,address-or-range]...[exclusion]|exclusion|+ipset|^countrycode-list}
>
> I don''t really want to go through all our rules to add this and
try to
> retrain all my people to remember to put it in since it''s supposed
to
> be optional. Did I not not read some recent change that made this
> non-optional? Or are there config elements that now cause it to be
> required?
>
> Thanks,
>
> -Eric
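The three-way dispatch quoted from isolate_source_interface, re-implemented in Python as an added example (not Shorewall's own code) with the same two regular expressions, so the misclassification of a bare hostname can be reproduced on the rule SOURCEs from this thread. The zone stripping is simplified here to "everything before the first colon", an assumption about the real compiler, and the scanning helper at the end is a constructed check, not a Shorewall feature.

```python
import re

# Same patterns as the quoted Perl: "iface:nets" and "address-only" prefixes.
IFACE_AND_NETS = re.compile(r'^(.+?):(.+)$')
NETS_ONLY = re.compile(r'^!?(?:\+|&|~|%|\^|\d+\.)')


def isolate_source_interface(source):
    """Return (iiface, inets) the way the quoted IPv4 branches assign them."""
    m = IFACE_AND_NETS.match(source)
    if m:
        return m.group(1), m.group(2)      # "interface:address" form
    if NETS_ONLY.match(source):
        return None, source                # ipset, exclusion, MAC, country, dotted IP
    return source, None                    # else branch: treated as an interface name


def classify(rule_source):
    """Strip the zone (assumed: text before the first colon) and classify the rest.

    The returned dict makes it visible which field a hostname ends up in.
    """
    zone, _, rest = rule_source.partition(':')
    iiface, inets = isolate_source_interface(rest) if rest else (None, None)
    return {'zone': zone, 'iiface': iiface, 'inets': inets}


def sources_parsed_as_interface(rule_sources):
    """Constructed check: SOURCE values whose remainder reaches the else branch
    but contains a dot, i.e. a hostname that would be reported as
    'Unknown Interface' unless an interface is inserted after the zone."""
    hits = []
    for src in rule_sources:
        iiface = classify(src)['iiface']
        if iiface and '.' in iiface:
            hits.append(src)
    return hits


if __name__ == '__main__':
    # Constructed sample SOURCEs taken from the forms used in this thread.
    for src in ('uw:homer.u.washington.edu', 'uw:enet:ref.cac.washington.edu',
                'net:0.0.0.0/0', 'uw:+uwhosts'):
        print(src, '->', classify(src))
```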