There has been quite a bit of testing this weekend resulting in a number
of changes in the code. I have uploaded RC 1 so we can all get back on
the same code base.
Problems Corrected since Beta 4:
1)  The Shorewall6 actions.std has been updated.
2)  The handling of audited *_DISPOSITION has been corrected.
3)  ACCEPT and A_ACCEPT are now rejected as settings for
    INVALID_DISPOSITION. That was the documented behavior in Beta 4 but
    the code didn't match the documentation.
4)  The bogus 'use Shorewall::Rules qw( process_rule1 )' directives
    have been removed from several action files.
5)  In Beta 4, a '?set @chain' directive caused rules to be omitted and
    an invalid rule to be generated.
6)  Manpage clarifications:
    - shorewall[6]-accounting
      The use of ipsets is documented.
      The default CHAIN when that column is omitted is clarified.
    - Configuration file basics
      The format of <variable> in a ?set directive is clarified.
7)  When source and/or destination ports are specified in an RST or
    NotSyn rule, a fatal error is no longer raised.
8)  The TCPFlags action now generates the correct rules.
9)  UNTRACKED_DISPOSITION=ACCEPT is now handled correctly.
New/changed Features since Beta 4:
1)  The compiler now attempts to omit conntrack match rules that can
    never match. It also attempts to suppress redundant conntrack
    matches.
2)  A 'New' standard action has been added that matches packets in the
    NEW connection tracking state.
3)  The $matches parameter to perl_action_helper() no longer needs to
    include a trailing space.
4)  The shorewallrc.archlinux file now assumes that systemd is
    installed (Evangelos Foutras).
5)  When the 'CONNTRACK match' capability is present (as it is in all
    current distros), optimize level 16 now combines adjacent rules
    that differ only in the conntrack states matched.
Thank you for testing,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_jan
> There has been quite a bit of testing this weekend resulting in a number
> of changes in the code. I have uploaded RC 1 so we can all get back on
> the same code base.

I'll have some more time the day after tomorrow (Tue) and will give it a
proper go then (there were a lot of things I wanted to test yesterday -
particularly with regards to actions and states, but I ran out of time).

> 2) A 'New' standard action has been added that matches packets in the
> NEW connection tracking state.

This would be interesting to test as currently (prior to this RC) you
don't use a specific cstate match for NEW, but employ a process of
elimination of all the other states, leaving NEW last.
Tom

In the attached config:

Rule:

New(ACCEPT) lan fw udp 123

produces the following error message:

ERROR: Undefined subroutine &Shorewall::User::check_state called at /usr/share/shorewall/action.New line 46.

---------------------------------

Rule:

Untracked(ACCEPT) lan fw udp 123

produces the following error messages:

ERROR: "process_rule1" is not exported by the Shorewall::Rules module
Can't continue after import errors at /usr/share/shorewall/action.Untracked line 39
BEGIN failed--compilation aborted at /usr/share/shorewall/action.Untracked line 39.

---------------------------------

Rule:

Related(ACCEPT) lan fw udp 123

produces the following error message:

ERROR: Global symbol "$check" requires explicit package name at /usr/share/shorewall/action.Related line 44.

---------------------------------

Rule:

Established(ACCEPT) lan fw udp 123

produces the following error message:

ERROR: Undefined subroutine &Shorewall::User::check_state called at /usr/share/shorewall/action.Established line 42.

Steven.
On 02/03/2013 02:56 PM, Steven Jan Springl wrote:
> Tom
>
> In the attached config:
>
> Rule:
>
> New(ACCEPT) lan fw udp 123
>
> produces the following error message:
>
> ERROR: Undefined subroutine &Shorewall::User::check_state called at
> /usr/share/shorewall/action.New line 46.
>
> ---------------------------------
>
> Rule:
>
> Untracked(ACCEPT) lan fw udp 123
>
> produces the following error messages:
>
> ERROR: "process_rule1" is not exported by the Shorewall::Rules module
>
> Can't continue after import errors at /usr/share/shorewall/action.Untracked
> line 39
>
> BEGIN failed--compilation aborted at /usr/share/shorewall/action.Untracked
> line 39.
>
> ---------------------------------
>
> Rule:
>
> Related(ACCEPT) lan fw udp 123
>
> produces the following error message:
>
> ERROR: Global symbol "$check" requires explicit package name at
> /usr/share/shorewall/action.Related line 44.
>
> ---------------------------------
>
> Rule:
>
> Established(ACCEPT) lan fw udp 123
>
> produces the following error message:
>
> ERROR: Undefined subroutine &Shorewall::User::check_state called at
> /usr/share/shorewall/action.Established line 42.

The attached patch corrects these issues. There will be another patch
forthcoming that corrects an issue that came up while I was testing this
patch.

Thanks Steven,
-Tom
Tom
The patch has corrected all the issues. However the following error message is 
now produced:
ERROR: syntax error at /usr/share/shorewall/action.Untracked line 47, near
")
{"
I will install RC2, test it again and let you know the outcome.
 
Steven.
> The format of <variable> in a ?set directive is clarified.

Where?
> 2) A 'New' standard action has been added that matches packets in the
> NEW connection tracking state.

Since you don't use an explicit chain for the NEW state, when I have:

rules
~~~~~
SECTION NEW
New(...) ...
...

The above produces extra "--cstate NEW" match which isn't necessary and
should be removed as is the case with the rest of the statements in that
section. The same is valid if I use something like "New(IELOG(...))" -
all "--cstate NEW" matches, including the ones in the inline action,
should be removed.

Also, I can't see using New(...) anywhere else making much sense with the
exception of maybe blrules and only in case where BLACKLIST=NEW,...

Another 2 issues:

1.

rules
~~~~~
SECTION NEW
New(dropInvalid) $FW net

produces:

-A fw2net -m conntrack --ctstate NEW -m conntrack --ctstate INVALID -j DROP

2.

shorewall.conf
~~~~~~~~~~~~~~
BLACKLIST="NEW,UNTRACKED"

blrules
~~~~~~~
New(dropInvalid) $FW net
dropInvalid $FW net

produces:

-A fw2net~ -m conntrack --ctstate NEW -m conntrack --ctstate INVALID -j DROP
-A fw2net~ -m conntrack --ctstate INVALID -j DROP

Obviously, the "INVALID" rules should have been dropped.

Lastly, one general observation: currently rules where cstate matching
doesn't make sense are silently dropped by shorewall. I don't think that
is correct - there should be at least a warning that the rule in question
has been dropped, otherwise I would think that it has been accepted, or,
that there is nothing wrong with the said rule and there is a "bug" in
shorewall.
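The conntrack-state reasoning running through this thread (RC 1 feature 1, "omit conntrack match rules that can never match" and "suppress redundant conntrack matches", and the `--ctstate NEW -m conntrack --ctstate INVALID` and blacklist-chain outputs reported above) can be checked mechanically against generated rules. The following Python is an added example, not Shorewall code: it reads iptables-style `-A` rules, derives which states can reach each chain from the jumps into it, and flags matches that can never match or that narrow nothing; the function names and the sample rule set are constructed here, modelled on the outputs quoted in this thread.

```python
import shlex

# States the iptables conntrack match understands (`-m conntrack --ctstate`).
CT_STATES = frozenset({"NEW", "ESTABLISHED", "RELATED", "INVALID", "UNTRACKED"})

def ctstate_sets(tokens):
    """State sets from every '--ctstate A,B' option of one tokenised rule."""
    return [frozenset(tokens[i + 1].upper().split(","))
            for i, tok in enumerate(tokens[:-1]) if tok == "--ctstate"]

def entry_states(rules):
    """Per chain, the states that can reach it: the union, over rules jumping
    to it, of each jump's ctstate intersection (no --ctstate = unconstrained)."""
    entry = {}
    for tokens in map(shlex.split, rules):
        if "-j" in tokens:
            target = tokens[tokens.index("-j") + 1]
            reach = CT_STATES.intersection(*ctstate_sets(tokens))
            entry[target] = entry.get(target, frozenset()) | reach
    return entry

def classify(rule, reach=CT_STATES):
    """'never' if the rule's ctstate matches, given the states reaching its
    chain, exclude every state; 'redundant' if a match narrows nothing; else 'ok'."""
    sets = ctstate_sets(shlex.split(rule))
    if sets and not reach.intersection(*sets):
        return "never"
    for s in sets:
        if reach <= s:
            return "redundant"
        reach &= s
    return "ok"

def audit(rules):
    """Verdict per rule; assumes every rule starts with '-A <chain>'."""
    entry = entry_states(rules)
    return {r: classify(r, entry.get(shlex.split(r)[1], CT_STATES)) for r in rules}

# Constructed sample (not real compiler output) modelled on the thread's reports.
SAMPLE = [
    "-A fw2net -m conntrack --ctstate NEW,UNTRACKED -j fw2net~",
    "-A fw2net~ -m conntrack --ctstate INVALID -j DROP",
    "-A fw2net~ -m conntrack --ctstate NEW -m conntrack --ctstate INVALID -j DROP",
    "-A fw2net~ -m conntrack --ctstate NEW -p udp --dport 123 -j ACCEPT",
    "-A net2fw -m conntrack --ctstate NEW -j net2fw~",
    "-A net2fw~ -m conntrack --ctstate NEW -p tcp --dport 22 -j ACCEPT",
    "-A lan2fw -m conntrack --ctstate NEW -m conntrack --ctstate NEW -p udp --dport 123 -j ACCEPT",
    "-A lan2fw -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
]
```

`audit(SAMPLE)` marks both INVALID rules in `fw2net~` as "never" (the chain is only entered with NEW or UNTRACKED) and the NEW-only matches inside `net2fw~` as "redundant", which is the same judgement the compiler's optimisation is meant to make.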
> rules
> ~~~~~
> SECTION NEW
> New(...) ...
> ...
>
> The above produces extra "--cstate NEW" match which isn't necessary and
> should be removed as is the case with the rest of the statements in that
> section. The same is valid if I use something like "New(IELOG(...))" -
> all "--cstate NEW" matches, including the ones in the inline action,
> should be removed.
>
> Also, I can't see using New(...) anywhere else making much sense with
> the exception of maybe blrules and only in case where BLACKLIST=NEW,...

That is now fixed.

> Another 2 issues:
>
> 1.
>
> rules
> ~~~~~
> SECTION NEW
> New(dropInvalid) $FW net
>
> produces:
>
> -A fw2net -m conntrack --ctstate NEW -m conntrack --ctstate INVALID -j DROP

This one is gone as well. It is interesting that when I use
"New(ELOG(,fw2NeT,2)) $FW net" that works as expected (as opposed to
"Related(ELOG(,fw2NeT,2)) $FW net" in "SECTION RELATED" - see my previous
post).

> 2.
>
> shorewall.conf
> ~~~~~~~~~~~~~~
> BLACKLIST="NEW,UNTRACKED"
>
> blrules
> ~~~~~~~
> New(dropInvalid) $FW net
> dropInvalid $FW net
>
> produces:
>
> -A fw2net~ -m conntrack --ctstate NEW -m conntrack --ctstate INVALID -j DROP
> -A fw2net~ -m conntrack --ctstate INVALID -j DROP
>
> Obviously, the "INVALID" rules should have been dropped.

This issue has also been fixed. However:

shorewall.conf
~~~~~~~~~~~~~~
BLACKLIST="NEW,UNTRACKED"

blrules
~~~~~~~
New(dropInvalid) $FW net
dropInvalid $FW net
WHITELIST $FW:+whitelist net
<EOF>

produces:

-A fw2net -m conntrack --ctstate NEW,UNTRACKED -j fw2net~
[...]
-A fw2net~ -m set --match-set whitelist dst -j RETURN

In other words the single RETURN isn't optimised away. When I have:

blrules
~~~~~~~
WHITELIST $FW:+whitelist net
<EOF>

that blacklist chain *is* optimised properly and the single RETURN is gone.
> However:
>
> shorewall.conf
> ~~~~~~~~~~~~~~
> BLACKLIST="NEW,UNTRACKED"
>
> blrules
> ~~~~~~~
> New(dropInvalid) $FW net
> dropInvalid $FW net
> WHITELIST $FW:+whitelist net
> <EOF>
>
> produces:
>
> -A fw2net -m conntrack --ctstate NEW,UNTRACKED -j fw2net~
> [...]
> -A fw2net~ -m set --match-set whitelist dst -j RETURN
>
> In other words the single RETURN isn't optimised away. When I have:

Patch attached.

-Tom

You do not need a parachute to skydive. You only need a parachute to
skydive twice.