Beta 3 is now available for testing.

There were two uploads of Beta 3 -- the first did not contain all of the
Beta 3 content. Please verify your downloads against the attached digests:

New features since 4.5.14 Beta 2:

1)  When the effective VERBOSITY is 2, the compiler now produces a
    report as follows:

       Configuration uses these capabilities ('*' denotes required):
          ADDRTYPE
          ARPTABLESJF
          AUDIT_TARGET*
          COMMENTS
          CONNTRACK_MATCH
          CT_TARGET
          ENHANCED_REJECT
          EXMARK
          FTP_HELPER*
          FWMARK_RT_MASK
          GOTO_TARGET
          IPSET_MATCH*
          IRC_HELPER*
          LOG_TARGET*
          MANGLE_ENABLED
          MANGLE_FORWARD
          MARK*
          MULTIPORT
          NETBIOS_NS_HELPER
          NEW_CONNTRACK_MATCH
          NFACCT_MATCH*
          NFLOG_TARGET*
          RAW_TABLE*
          RPFILTER_MATCH*
          XMULTIPORT*
       Shorewall configuration verified

2)  While we understand the evils of NAT, it is required for proper
    failover handling in IPv6 multi-ISP configurations. To accommodate
    that limited use case, Shorewall6 now supports basic SNAT and DNAT.
    This feature requires a 3.7.4 kernel and iptables 1.4.17.

    Note: Netfilter does not support IPv6 MASQUERADE, so you must
    specify one or more addresses in the ADDRESSES column. In view of
    this restriction, IPv6 SNAT is defined in a file named
    /etc/shorewall6/snat rather than /etc/shorewall6/masq.

    To approximate masquerade, use an address variable in the ADDRESS
    column.

    Example:

       INTERFACE    SOURCE                  ADDRESS
       p3p1         2001:470:b:227::0/24    &p3p1

    DNAT rules that specify a port number in the DEST column must
    enclose the server address (if any) in square brackets.

    Example:

       ACTION    SOURCE    DEST                         PROTO    PORTS
       DNAT      net       fw:[2001:470:b:227::2]:22    tcp      1022

Thank you for testing,
-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
------------------------------------------------------------------------------
Tom

Shorewall6 snat entry:

eth0 2001:1:1:1::1 &eth0

works if a capabilities file exists.

If the capabilities file does not exist then the following error message is
produced:

ERROR: a non-empty $name file requires NAT in your kernel and iptables
/etc/shorewall66/snat (line 10)

Note, the above message contains '$name'. Should it not be 'snat'?

Steven.
------------------------------------------------------------------------------
On 2/23/13 11:27 AM, "Steven Jan Springl" <steven@springl.ukfsn.org> wrote:

>Shorewall6 snat entry:
>
>eth0 2001:1:1:1::1 &eth0
>
>works if a capabilities file exists.
>
>If the capabilities file does not exist then the following error message is
>produced:
>
>ERROR: a non-empty $name file requires NAT in your kernel and iptables
>/etc/shorewall66/snat (line 10)
>
>Note, the above message contains '$name'. Should it not be 'snat'?

The attached patch should correct both issues.

Thanks Steven,
-Tom

You do not need a parachute to skydive. You only need a parachute to
skydive twice.
------------------------------------------------------------------------------
On Saturday 23 Feb 2013 19:34:46 Tom Eastep wrote:
> On 2/23/13 11:27 AM, "Steven Jan Springl" <steven@springl.ukfsn.org> wrote:
> >Shorewall6 snat entry:
> >
> >eth0 2001:1:1:1::1 &eth0
> >
> >works if a capabilities file exists.
> >
> >If the capabilities file does not exist then the following error message is
> >produced:
> >
> >ERROR: a non-empty $name file requires NAT in your kernel and iptables
> >/etc/shorewall66/snat (line 10)
> >
> >Note, the above message contains '$name'. Should it not be 'snat'?
>
> The attached patch should correct both issues.
>
> Thanks Steven,
> -Tom

Tom

Confirmed, the patch fixes both issues.

Thanks.

Steven.
------------------------------------------------------------------------------
Tom

Shorewall6 snat entry:

eth0 2001:1:1:1::1 &eth0:persistent

Produces the following message:

ERROR: :persistent requires Persistent SNAT in your kernel and iptables
/etc/shorewall66/snat (line 10)

If I manually set PERSISTENT_SNAT=Yes in the capabilities file, then
shorewall6 starts up.

Steven.
------------------------------------------------------------------------------
On 2/23/13 12:16 PM, "Steven Jan Springl" <steven@springl.ukfsn.org> wrote:

>Shorewall6 snat entry:
>
>eth0 2001:1:1:1::1 &eth0:persistent
>
>Produces the following message:
>
>ERROR: :persistent requires Persistent SNAT in your kernel and iptables
>/etc/shorewall66/snat (line 10)
>
>If I manually set PERSISTENT_SNAT=Yes in the capabilities file, then
>shorewall6 starts up.

I've tested the attached patch when generating a capabilities file (I only
have shorewall6-lite on my test system). Please try it without a
capabilities file.

Thanks Steven,
-Tom
------------------------------------------------------------------------------
On Saturday 23 Feb 2013 20:55:37 Tom Eastep wrote:
> On 2/23/13 12:16 PM, "Steven Jan Springl" <steven@springl.ukfsn.org> wrote:
> >Shorewall6 snat entry:
> >
> >eth0 2001:1:1:1::1 &eth0:persistent
> >
> >Produces the following message:
> >
> >ERROR: :persistent requires Persistent SNAT in your kernel and iptables
> >/etc/shorewall66/snat (line 10)
> >
> >If I manually set PERSISTENT_SNAT=Yes in the capabilities file, then
> >shorewall6 starts up.
>
> I've tested the attached patch when generating a capabilities file (I only
> have shorewall6-lite on my test system). Please try it without a
> capabilities file.
>
> Thanks Steven,
>
> -Tom

Tom

Confirmed, shorewall6 starts without a capabilities file and creates a
capabilities file with PERSISTENT_SNAT=Yes

Steven.
------------------------------------------------------------------------------
On 2/23/13 1:23 PM, "Steven Jan Springl" <steven@springl.ukfsn.org> wrote:

>Confirmed, shorewall6 starts without a capabilities file and creates a
>capabilities file with PERSISTENT_SNAT=Yes

Thanks Steven,
-Tom
------------------------------------------------------------------------------
Tom

Shorewall6 snat entry:

eth0() 2001:1:1:1::1 &eth0

produces the following message:

Use of uninitialized value $provider_number in numeric eq (==) at
/usr/share/shorewall/Shorewall/Providers.pm line 1706, <$currentfile> line 10.

Steven.
------------------------------------------------------------------------------
On 02/24/2013 06:53 AM, Steven Jan Springl wrote:
> Shorewall6 snat entry:
>
> eth0() 2001:1:1:1::1 &eth0
>
> produces the following message:
>
> Use of uninitialized value $provider_number in numeric eq (==) at
> /usr/share/shorewall/Shorewall/Providers.pm line 1706, <$currentfile> line 10.

This issue is not unique to Shorewall6 -- would also occur using
Shorewall. Patch attached.

Thanks Steven,
-Tom
------------------------------------------------------------------------------
On Sunday 24 Feb 2013 16:11:18 Tom Eastep wrote:
> On 02/24/2013 06:53 AM, Steven Jan Springl wrote:
> > Shorewall6 snat entry:
> >
> > eth0() 2001:1:1:1::1 &eth0
> >
> > produces the following message:
> >
> > Use of uninitialized value $provider_number in numeric eq (==) at
> > /usr/share/shorewall/Shorewall/Providers.pm line 1706, <$currentfile>
> > line 10.
>
> This issue is not unique to Shorewall6 -- would also occur using
> Shorewall. Patch attached.
>
> Thanks Steven,
> -Tom

Tom

Confirmed, the patch fixes the issue in both Shorewall and Shorewall6.

Thanks.

Steven.
------------------------------------------------------------------------------
On 02/24/2013 08:30 AM, Steven Jan Springl wrote:
>
> Confirmed, the patch fixes the issue in both Shorewall and Shorewall6.
>

Thanks Steven,
-Tom
------------------------------------------------------------------------------
Tom

Shorewall6 snat entry:

eth0 2001:1::/56 2001:2::1

generates ip6tables rule:

-A eth0_masq -s 2001:1::/56 -m policy --pol none --dir out -j SNAT

which produces error message:

ip6tables-restore v1.4.17: SNAT: option "--to-source" must be specified

Steven.
------------------------------------------------------------------------------
On 2/24/13 10:54 AM, "Steven Jan Springl" <steven@springl.ukfsn.org> wrote:

>Shorewall6 snat entry:
>
>eth0 2001:1::/56 2001:2::1
>
>generates ip6tables rule:
>
>-A eth0_masq -s 2001:1::/56 -m policy --pol none --dir out -j SNAT
>
>which produces error message:
>
>ip6tables-restore v1.4.17: SNAT: option "--to-source" must be specified

I managed to break the simple case while adding the code to handle a port
number. Patch attached.

Thanks Steven,
-Tom
------------------------------------------------------------------------------
On Sunday 24 Feb 2013 19:30:02 Tom Eastep wrote:
> On 2/24/13 10:54 AM, "Steven Jan Springl" <steven@springl.ukfsn.org> wrote:
> >Shorewall6 snat entry:
> >
> >eth0 2001:1::/56 2001:2::1
> >
> >generates ip6tables rule:
> >
> >-A eth0_masq -s 2001:1::/56 -m policy --pol none --dir out -j SNAT
> >
> >which produces error message:
> >
> >ip6tables-restore v1.4.17: SNAT: option "--to-source" must be specified
>
> I managed to break the simple case while adding the code to handle a port
> number. Patch attached.
>
> Thanks Steven,
>
> -Tom

Tom

Confirmed, the patch fixes the issue.

Thanks.

Steven
------------------------------------------------------------------------------
On 2/24/13 12:25 PM, "Steven Jan Springl" <steven@springl.ukfsn.org> wrote:

>
>Confirmed, the patch fixes the issue.

Thanks Steven,
-Tom
------------------------------------------------------------------------------
Tom

Shorewall6 snat entry:

eth0 2001:1::/56 [2001:470:a:227::2]-[2001:470:a:227::10]::1000-1010

Produces error message:

ERROR: Invalid IPv6 Address (2001:470:a:227::2]) /etc/shorewall6A1/snat (line 10)

Steven.
------------------------------------------------------------------------------
On 02/25/2013 01:17 PM, Steven Jan Springl wrote:
> Tom
>
> Shorewall6 snat entry:
>
> eth0 2001:1::/56 [2001:470:a:227::2]-[2001:470:a:227::10]::1000-1010
>
> Produces error message:
>
> ERROR: Invalid IPv6 Address (2001:470:a:227::2]) /etc/shorewall6A1/snat (line 10)
>

The attached patch should correct this; although, the correct entry
would be:

eth0 2001:1::/56 [2001:470:a:227::2]-[2001:470:a:227::10]:1000-1010

-Tom
------------------------------------------------------------------------------
On 02/25/2013 01:32 PM, Tom Eastep wrote:
> On 02/25/2013 01:17 PM, Steven Jan Springl wrote:
>> Shorewall6 snat entry:
>>
>> eth0 2001:1::/56 [2001:470:a:227::2]-[2001:470:a:227::10]::1000-1010
>>
>> Produces error message:
>>
>> ERROR: Invalid IPv6 Address (2001:470:a:227::2]) /etc/shorewall6A1/snat (line 10)
>>
>
> The attached patch should correct this; although, the correct entry
> would be:
>
> eth0 2001:1::/56 [2001:470:a:227::2]-[2001:470:a:227::10]:1000-1010

And the attached patch will catch the :: in your entry.

Thanks Steven,
-Tom
------------------------------------------------------------------------------
On Monday 25 Feb 2013 21:54:56 Tom Eastep wrote:
> On 02/25/2013 01:32 PM, Tom Eastep wrote:
> > On 02/25/2013 01:17 PM, Steven Jan Springl wrote:
> >> Shorewall6 snat entry:
> >>
> >> eth0 2001:1::/56 [2001:470:a:227::2]-[2001:470:a:227::10]::1000-1010
> >>
> >> Produces error message:
> >>
> >> ERROR: Invalid IPv6 Address (2001:470:a:227::2]) /etc/shorewall6A1/snat (line 10)
> >
> > The attached patch should correct this; although, the correct entry
> > would be:
> >
> > eth0 2001:1::/56 [2001:470:a:227::2]-[2001:470:a:227::10]:1000-1010
>
> And the attached patch will catch the :: in your entry.
>
> Thanks Steven,
> -Tom

Tom

I have applied both patches.

When I use the corrected snat entry with 'tcp' appended:

eth0 2001:1::/56 [2001:470:a:227::2]-[2001:470:a:227::10]:1000-1010 tcp

I get the following error message:

ERROR: The separator for a port range is ':', not '-' (1000-1010)
/etc/shorewall6A1/snat (line 10)

When I change the snat entry as indicated in the above message to:

eth0 2001:1::/56 [2001:470:a:227::2]-[2001:470:a:227::10]:1000:1010 tcp

I get the following error message:

ERROR: Invalid IPv6 Address ([2001:470:a:227::2]-[2001:470:a:227::10]:1000)
/etc/shorewall6A1/snat (line 10)

If I specify just one port:

eth0 2001:1::/56 [2001:470:a:227::2]-[2001:470:a:227::10]:1000 tcp

The following ip6tables rule is generated:

-A eth0_masq -p 6 -s 2001:1::/56 -j SNAT --to-source 2001:470:a:227::2]-[2001:470:a:227::10 --toports 1000

Which produces the following error message:

ip6tables-restore v1.4.17: Invalid address format

Note, the example for the ADDRESS column in the snat man page contains a '::'
separator between the address and the port range.

Steven.
------------------------------------------------------------------------------
On 02/25/2013 02:40 PM, Steven Jan Springl wrote:
> I have applied both patches.
>
> When I use the corrected snat entry with 'tcp' appended:
>
> eth0 2001:1::/56 [2001:470:a:227::2]-[2001:470:a:227::10]:1000-1010 tcp
>
> I get the following error message:
>
> ERROR: The separator for a port range is ':', not '-' (1000-1010)
> /etc/shorewall6A1/snat (line 10)
>
> When I change the snat entry as indicated in the above message to:
>
> eth0 2001:1::/56 [2001:470:a:227::2]-[2001:470:a:227::10]:1000:1010 tcp
>
> I get the following error message:
>
> ERROR: Invalid IPv6 Address ([2001:470:a:227::2]-[2001:470:a:227::10]:1000)
> /etc/shorewall6A1/snat (line 10)
>
> If I specify just one port:
>
> eth0 2001:1::/56 [2001:470:a:227::2]-[2001:470:a:227::10]:1000 tcp
>
> The following ip6tables rule is generated:
>
> -A eth0_masq -p 6 -s 2001:1::/56 -j SNAT --to-source 2001:470:a:227::2]-[2001:470:a:227::10 --toports 1000
>
> Which produces the following error message:
>
> ip6tables-restore v1.4.17: Invalid address format

The attached patch eliminates this problem.

>
> Note, the example for the ADDRESS column in the snat man page contains a '::'
> separator between the address and the port range.

I've corrected the man page.

Thanks Steven,
-Tom
------------------------------------------------------------------------------
On Monday 25 Feb 2013 23:30:00 Tom Eastep wrote:
> On 02/25/2013 02:40 PM, Steven Jan Springl wrote:
> > I have applied both patches.
> >
> > When I use the corrected snat entry with 'tcp' appended:
> >
> > eth0 2001:1::/56 [2001:470:a:227::2]-[2001:470:a:227::10]:1000-1010 tcp
> >
> > I get the following error message:
> >
> > ERROR: The separator for a port range is ':', not '-' (1000-1010)
> > /etc/shorewall6A1/snat (line 10)
> >
> > When I change the snat entry as indicated in the above message to:
> >
> > eth0 2001:1::/56 [2001:470:a:227::2]-[2001:470:a:227::10]:1000:1010 tcp
> >
> > I get the following error message:
> >
> > ERROR: Invalid IPv6 Address ([2001:470:a:227::2]-[2001:470:a:227::10]:1000)
> > /etc/shorewall6A1/snat (line 10)
> >
> > If I specify just one port:
> >
> > eth0 2001:1::/56 [2001:470:a:227::2]-[2001:470:a:227::10]:1000 tcp
> >
> > The following ip6tables rule is generated:
> >
> > -A eth0_masq -p 6 -s 2001:1::/56 -j SNAT --to-source 2001:470:a:227::2]-[2001:470:a:227::10 --toports 1000
> >
> > Which produces the following error message:
> >
> > ip6tables-restore v1.4.17: Invalid address format
>
> The attached patch eliminates this problem.
>
> > Note, the example for the ADDRESS column in the snat man page contains a
> > '::' separator between the address and the port range.
>
> I've corrected the man page.
>
> Thanks Steven,
> -Tom

Tom

After the application of the patch snat entry:

eth0 2001:1::/56 [2001:470:a:227::2]-[2001:470:a:227::10]:1000 tcp

Generates ip6tables rule:

-A eth0_masq -p 6 -s 2001:1::/56 -j SNAT --to-source [2001:470:a:227::2]-[2001:470:a:227::10]:1000

Which produces error message:

ip6tables-restore v1.4.17: Invalid port:port syntax - use dash

Steven.
------------------------------------------------------------------------------
On 2/25/13 4:53 PM, "Steven Jan Springl" <steven@springl.ukfsn.org> wrote:

>After the application of the patch snat entry:
>
>eth0 2001:1::/56 [2001:470:a:227::2]-[2001:470:a:227::10]:1000 tcp
>
>Generates ip6tables rule:
>
>-A eth0_masq -p 6 -s 2001:1::/56 -j SNAT --to-source [2001:470:a:227::2]-[2001:470:a:227::10]:1000
>
>Which produces error message:
>
>ip6tables-restore v1.4.17: Invalid port:port syntax - use dash

Hmmm -- ip6tables likes [<addr1>-<addr2>]:[port1[:port2]]. The attached
patch enforces this restriction in Shorewall6 as well.

Thanks Steven,
-Tom
------------------------------------------------------------------------------
On Tuesday 26 Feb 2013 01:15:38 Tom Eastep wrote:
> On 2/25/13 4:53 PM, "Steven Jan Springl" <steven@springl.ukfsn.org> wrote:
> >After the application of the patch snat entry:
> >
> >eth0 2001:1::/56 [2001:470:a:227::2]-[2001:470:a:227::10]:1000 tcp
> >
> >Generates ip6tables rule:
> >
> >-A eth0_masq -p 6 -s 2001:1::/56 -j SNAT --to-source [2001:470:a:227::2]-[2001:470:a:227::10]:1000
> >
> >Which produces error message:
> >
> >ip6tables-restore v1.4.17: Invalid port:port syntax - use dash
>
> Hmmm -- ip6tables likes [<addr1>-<addr2>]:[port1[:port2]]. The attached
> patch enforces this restriction in Shorewall6 as well.
>
> Thanks Steven,
>
> -Tom

Tom

Confirmed, the patch fixes the issue.

Thanks.

Steven.
------------------------------------------------------------------------------
On 2/25/13 5:30 PM, "Steven Jan Springl" <steven@springl.ukfsn.org> wrote:

>
>Confirmed, the patch fixes the issue.
>

Thank you Steven,
-Tom
------------------------------------------------------------------------------
Tom

Shorewall6 snat entry:

eth0 2001:2::/56 NONAT:random

Generates the following ip6tables rule:

-A eth0_masq -s 2001:2::/56 -j RETURN --random

Which produces the following error message:

ip6tables-restore v1.4.17: unknown option "--random"

Note, a similar problem occurs if either of the following snat entries is
specified:

eth0 2001:2::/56 NONAT:persistent
eth0 2001:2::/56 NONAT:random:persistent

Additionally Shorewall masq entry:

eth0 192.168.1.0/24 NONAT:random

Produces a similar error.

Steven.
------------------------------------------------------------------------------
On Saturday 23 Feb 2013 16:09:52 Tom Eastep wrote:
>
> Note: Netfilter does not support IPv6 MASQUERADE, so you must
> specify one or more addresses in the ADDRESSES column. In view of
> this restriction, IPv6 SNAT is defined in a file named
> /etc/shorewall6/snat rather than /etc/shorewall6/masq.

Tom

Kernel 3.8 has config. option CONFIG_IP6_NF_TARGET_MASQUERADE

Shorewall6 snat entry:

eth0 2001:2::/56 :random

Produces ip6tables rule:

-A eth0_masq -s 2001:2::/56 -j MASQUERADE --random

Which ip6tables-restore accepts.

I am using ip6tables 1.4.17.

Note, kernel 3.7 also has the above config. option, but I haven't tried it.

Steven.
------------------------------------------------------------------------------
On 02/27/2013 04:43 AM, Steven Jan Springl wrote:
> Kernel 3.8 has config. option CONFIG_IP6_NF_TARGET_MASQUERADE
>
> Shorewall6 snat entry:
>
> eth0 2001:2::/56 :random
>
> Produces ip6tables rule:
>
> -A eth0_masq -s 2001:2::/56 -j MASQUERADE --random
>
> Which ip6tables-restore accepts.
>
> I am using ip6tables 1.4.17.
>
> Note, kernel 3.7 also has the above config. option, but I haven't tried it.

This is a fine kettle of fish; my 3.7.4 Fedora 18 Kernel does not enable
that option.

Attached are three patches which:

- Correct the 'NONAT:random' error you reported in an earlier post.
- Rename /etc/shorewall6/snat to /etc/shorewall6/masq
- Add a MASQUERADE Target capability and bump the current CAPSVERSION
- Requires MASQUERADE Target support for MASQUERADE rules

Thanks Steven,
-Tom
------------------------------------------------------------------------------
On 02/27/2013 07:30 AM, Tom Eastep wrote:
> On 02/27/2013 04:43 AM, Steven Jan Springl wrote:
>
>> Kernel 3.8 has config. option CONFIG_IP6_NF_TARGET_MASQUERADE
>>
>> Shorewall6 snat entry:
>>
>> eth0 2001:2::/56 :random
>>
>> Produces ip6tables rule:
>>
>> -A eth0_masq -s 2001:2::/56 -j MASQUERADE --random
>>
>> Which ip6tables-restore accepts.
>>
>> I am using ip6tables 1.4.17.
>>
>> Note, kernel 3.7 also has the above config. option, but I haven't tried it.
>
> This is a fine kettle of fish; my 3.7.4 Fedora 18 Kernel does not enable
> that option.
>
> Attached are three patches which:
>
> - Correct the 'NONAT:random' error you reported in an earlier post.
> - Rename /etc/shorewall6/snat to /etc/shorewall6/masq
> - Add a MASQUERADE Target capability and bump the current CAPSVERSION
> - Requires MASQUERADE Target support for MASQUERADE rules
>

Here's another one that requires MASQUERADE target support when a rule
such as the following is present:

p3p1:[2001:470:b:227::0]/64 ::/0 :random

-Tom
------------------------------------------------------------------------------
On Wednesday 27 Feb 2013 17:26:54 Tom Eastep wrote:
> On 02/27/2013 07:30 AM, Tom Eastep wrote:
> > On 02/27/2013 04:43 AM, Steven Jan Springl wrote:
> >> Kernel 3.8 has config. option CONFIG_IP6_NF_TARGET_MASQUERADE
> >>
> >> Shorewall6 snat entry:
> >>
> >> eth0 2001:2::/56 :random
> >>
> >> Produces ip6tables rule:
> >>
> >> -A eth0_masq -s 2001:2::/56 -j MASQUERADE --random
> >>
> >> Which ip6tables-restore accepts.
> >>
> >> I am using ip6tables 1.4.17.
> >>
> >> Note, kernel 3.7 also has the above config. option, but I haven't tried
> >> it.
> >
> > This is a fine kettle of fish; my 3.7.4 Fedora 18 Kernel does not enable
> > that option.
> >
> > Attached are three patches which:
> >
> > - Correct the 'NONAT:random' error you reported in an earlier post.
> > - Rename /etc/shorewall6/snat to /etc/shorewall6/masq
> > - Add a MASQUERADE Target capability and bump the current CAPSVERSION
> > - Requires MASQUERADE Target support for MASQUERADE rules
>
> Here's another one that requires MASQUERADE target support when a rule
> such as the following is present:
>
> p3p1:[2001:470:b:227::0]/64 ::/0 :random
>
>
> -Tom

Tom

All patches applied.
MASQUERADE3.patch hunk 2 refers to VERSION 4.5.13-Beta3 instead of
4.5.14-Beta3. I made the change manually.

I can confirm the patch fixes the original problem for both shorewall and
shorewall6.

---------------------------------------------------------------------------------------------

Shorewall6 masq entry:

eth0 2001:2::/56 :random:persistent

Generates the following ip6tables entry:

-A eth0_masq -s 2001:2::/56 -j MASQUERADE --random --persistent

Which produces the following error message:

ip6tables-restore v1.4.17: unknown option "--persistent"

The error also occurs in shorewall.

Steven.
------------------------------------------------------------------------------
On 02/27/2013 12:38 PM, Steven Jan Springl wrote:
> All patches applied.
> MASQUERADE3.patch hunk 2 refers to VERSION 4.5.13-Beta3 instead of
> 4.5.14-Beta3. I made the change manually.
>
> I can confirm the patch fixes the original problem for both shorewall and
> shorewall6.

Thanks Steven.

>
> ---------------------------------------------------------------------------------------------
>
> Shorewall6 masq entry:
>
> eth0 2001:2::/56 :random:persistent
>
> Generates the following ip6tables entry:
>
> -A eth0_masq -s 2001:2::/56 -j MASQUERADE --random --persistent
>
> Which produces the following error message:
>
> ip6tables-restore v1.4.17: unknown option "--persistent"
>
> The error also occurs in shorewall.
>

A patch is attached.

Thank you Steven,
-Tom
------------------------------------------------------------------------------
On Wednesday 27 Feb 2013 20:46:25 Tom Eastep wrote:
> On 02/27/2013 12:38 PM, Steven Jan Springl wrote:
> > All patches applied.
> > MASQUERADE3.patch hunk 2 refers to VERSION 4.5.13-Beta3 instead of
> > 4.5.14-Beta3. I made the change manually.
> >
> > I can confirm the patch fixes the original problem for both shorewall and
> > shorewall6.
>
> Thanks Steven.
>
> > ---------------------------------------------------------------------------------------------
> >
> > Shorewall6 masq entry:
> >
> > eth0 2001:2::/56 :random:persistent
> >
> > Generates the following ip6tables entry:
> >
> > -A eth0_masq -s 2001:2::/56 -j MASQUERADE --random --persistent
> >
> > Which produces the following error message:
> >
> > ip6tables-restore v1.4.17: unknown option "--persistent"
> >
> > The error also occurs in shorewall.
>
> A patch is attached.
>
> Thank you Steven,
> -Tom

Tom

Confirmed, the patch fixes the issue.

Thanks.

Steven.
------------------------------------------------------------------------------
On 02/27/2013 12:59 PM, Steven Jan Springl wrote:
>
> Confirmed, the patch fixes the issue.
>

Thanks Steven,
-Tom

Tom

Shorewall6 masq entry:

eth0 2001:33:33::/56 - udplite 99

Produces the following error message:

ERROR: Using a port ( 99 ) requires PROTO TCP, UDP, SCTP or DCCP /etc/shorewall6A1/masq (line 16)

The man page states that ports can be specified with protocol udplite.

Steven.

On 02/28/2013 04:21 AM, Steven Jan Springl wrote:
> Shorewall6 masq entry:
>
> eth0 2001:33:33::/56 - udplite 99
>
> Produces the following error message:
>
> ERROR: Using a port ( 99 ) requires PROTO TCP, UDP, SCTP or DCCP
> /etc/shorewall6A1/masq (line 16)
>
> The man page states that ports can be specified with protocol udplite.
>

That is a Shorewall-wide defect. Patch attached.

Thanks Steven,
-Tom

Tom

Shorewall6 rule:

DNAT wan lan:[2001:77:77::77]:85 tcp 90

generates the following ip6tables rule:

-A PREROUTING -p 6 --dport 90 -i eth1 -j DNAT --to-destination [2001:77:77::77]:85

Which produces error message:

ip6tables-restore v1.4.17: unknown option "--to-destination"

-------------------------------------------------------------------------------

Shorewall6 rule:

DNAT wan lan:[2001:77:77::77] tcp 90

Produces the following error message:

ERROR: Invalid/Unknown tcp port/service (77]) /etc/shorewall6A1/rules (line 19)

Steven.

On Thursday 28 Feb 2013 14:26:04 Tom Eastep wrote:
> On 02/28/2013 04:21 AM, Steven Jan Springl wrote:
> > Shorewall6 masq entry:
> >
> > eth0 2001:33:33::/56 - udplite 99
> >
> > Produces the following error message:
> >
> > ERROR: Using a port ( 99 ) requires PROTO TCP, UDP, SCTP or DCCP
> > /etc/shorewall6A1/masq (line 16)
> >
> > The man page states that ports can be specified with protocol udplite.
>
> That is a Shorewall-wide defect. Patch attached.
>
> Thanks Steven,
> -Tom

Tom

Confirmed, the patch fixes the issue.

Thanks.

Steven.

On 03/01/2013 05:23 AM, Steven Jan Springl wrote:
>
> Confirmed, the patch fixes the issue.
>
> Thanks.
>

Thanks.

>
> Shorewall6 rule:
>
> DNAT wan lan:[2001:77:77::77]:85 tcp 90
>
> generates the following ip6tables rule:
>
> -A PREROUTING -p 6 --dport 90 -i eth1 -j DNAT --to-destination
> [2001:77:77::77]:85
>
> Which produces error message:
>
> ip6tables-restore v1.4.17: unknown option "--to-destination"

That's very odd. I have this rule:

DNAT net $FW:[2001:470:b:787:222:3fff:fef6:7c0e]:22 tcp 1022

which generates this ip6tables rule:

-A net_dnat -p 6 --dport 1022 -j DNAT --to-destination \
    [2001:470:b:787:222:3fff:fef6:7c0e]:22

which works correctly

Furthermore:

[root@sami ~]# ip6tables -t nat -N foo
[root@sami ~]# ip6tables -t nat -A foo -p 6 --dport 90 -i eth1 -j DNAT \
    --to-destination [2001:77:77::77]:85
[root@sami ~]#

Am I missing something?

>
> -------------------------------------------------------------------------------
>
> Shorewall6 rule:
>
> DNAT wan lan:[2001:77:77::77] tcp 90
>
> Produces the following error message:
>
> ERROR: Invalid/Unknown tcp port/service (77]) /etc/shorewall6A1/rules (line
> 19)
>

The attached patch corrects this problem.

Thanks Steven,
-Tom

On 03/01/2013 07:37 AM, Tom Eastep wrote:
>> Shorewall6 rule:
>>
>> DNAT wan lan:[2001:77:77::77]:85 tcp 90
>>
>> generates the following ip6tables rule:
>>
>> -A PREROUTING -p 6 --dport 90 -i eth1 -j DNAT --to-destination
>> [2001:77:77::77]:85
>>
>> Which produces error message:
>>
>> ip6tables-restore v1.4.17: unknown option "--to-destination"
>
> That's very odd. I have this rule:
>
> DNAT net $FW:[2001:470:b:787:222:3fff:fef6:7c0e]:22 tcp 1022
>
> which generates this ip6tables rule:
>
> -A net_dnat -p 6 --dport 1022 -j DNAT --to-destination \
> [2001:470:b:787:222:3fff:fef6:7c0e]:22
>
> which works correctly
>
> Furthermore:
>
> [root@sami ~]# ip6tables -t nat -N foo
> [root@sami ~]# ip6tables -t nat -A foo -p 6 --dport 90 -i eth1 -j DNAT \
> --to-destination [2001:77:77::77]:85
> [root@sami ~]#
>
> Am I missing something?

We have resolved this issue; I had applied this iptables patch and Steven had not.

http://patchwork.ozlabs.org/patch/209207/

-Tom

On Friday 01 Mar 2013 15:37:02 Tom Eastep wrote:
> > ------
> >
> > Shorewall6 rule:
> >
> > DNAT wan lan:[2001:77:77::77] tcp 90
> >
> > Produces the following error message:
> >
> > ERROR: Invalid/Unknown tcp port/service (77]) /etc/shorewall6A1/rules
> > (line 19)
>
> The attached patch corrects this problem.
>
> Thanks Steven,
> -Tom

Tom

After the application of this patch both of the following rules:

REDIRECT wan 3128 tcp 80
REDIRECT wan fw::8080 tcp 800

Produce the following error message:

ERROR: A server IP address (:3128) may not be specified in a REDIRECT rule /etc/shorewall6A1/rules (line 22)

Steven.

>
>After the application of this patch both of the following rules:
>
>REDIRECT wan 3128 tcp 80
>REDIRECT wan fw::8080 tcp 800
>
>Produce the following error message:
>
>ERROR: A server IP address (:3128) may not be specified in a REDIRECT
>rule
>/etc/shorewall6A1/rules (line 22)

The attached patch corrects the first one. The correct form of the second rule is:

REDIRECT wan fw:[]:8080 tcp 800

-Tom
You do not need a parachute to skydive. You only need a parachute to skydive twice.

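Added example (not part of any message in this thread, and not Shorewall's own code): a Python sketch of a parser for the Shorewall6 DEST forms exchanged above. It shows how a split on the last colon reproduces the "77]" symptom and why fw::8080 has to be written fw:[]:8080. The grammar is inferred only from the rules quoted in the thread; the function names and the numeric-only port check are assumptions.

```python
import ipaddress
import re

# Grammar inferred from the rules quoted in this thread (an assumption, not
# Shorewall's parser): ZONE | ZONE:[ADDR] | ZONE:[ADDR]:PORT | ZONE:[]:PORT
DEST_RE = re.compile(
    r"^(?P<zone>\$?[A-Za-z]\w*)"
    r"(?::\[(?P<addr>[^\]]*)\](?::(?P<port>[^:\[\]]+))?)?$"
)

class DestError(ValueError):
    """Raised for a DEST column this sketch cannot accept."""

def naive_split(dest):
    """Split on the last colon; reproduces the '77]' symptom reported above."""
    head, _, tail = dest.rpartition(":")
    return head, tail

def check_port(text):
    # Numeric ports only; service names are left out of this sketch.
    if not text.isdigit() or not 1 <= int(text) <= 65535:
        raise DestError(f"invalid port {text!r}")
    return int(text)

def parse_dest6(action, dest):
    """Return (zone, address, port) for a Shorewall6-style DEST column."""
    if action == "REDIRECT" and dest.isdigit():
        return (None, None, check_port(dest))      # bare port, e.g. 3128
    m = DEST_RE.match(dest)
    if m is None:
        raise DestError(f"malformed DEST {dest!r}; use zone:[addr]:port")
    zone, addr, port = m.group("zone", "addr", "port")
    if addr:
        if action == "REDIRECT":
            raise DestError("a server address may not be given in a REDIRECT rule")
        try:
            # IPv6Address rejects networks such as ::/0 as well as typos.
            addr = str(ipaddress.IPv6Address(addr))
        except ValueError as exc:
            raise DestError(f"bad server address {addr!r}") from exc
    return (zone, addr or None, check_port(port) if port else None)

if __name__ == "__main__":
    for act, d in [("DNAT", "lan:[2001:77:77::77]"), ("REDIRECT", "fw:[]:8080")]:
        print(act, d, "->", parse_dest6(act, d))
    print("naive:", naive_split("lan:[2001:77:77::77]"))
```

Because the address is always delimited by brackets, the colons inside it never compete with the zone and port separators, which is the property the bracketed DEST syntax relies on.
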
On Saturday 02 Mar 2013 00:44:06 Tom Eastep wrote:
> >After the application of this patch both of the following rules:
> >
> >REDIRECT wan 3128 tcp 80
> >REDIRECT wan fw::8080 tcp 800
> >
> >Produce the following error message:
> >
> >ERROR: A server IP address (:3128) may not be specified in a REDIRECT
> >rule
> >/etc/shorewall6A1/rules (line 22)
>
> The attached patch corrects the first one. The correct form of the second
> rule is:
>
> REDIRECT wan fw:[]:8080 tcp 800
>
>
> -Tom
> You do not need a parachute to skydive. You only need a parachute to
> skydive twice.

Tom

Confirmed, the patch fixes the issue.

Thanks.

Steven.

On 03/02/2013 04:43 AM, Steven Jan Springl wrote:
>
> Confirmed, the patch fixes the issue.
>

Thanks Steven,
-Tom

Tom

Shorewall rules:

DNAT wan lan tcp 80

DNAT wan lan:0.0.0.0/0 tcp 80

Both generate the following iptables rule:

-A wan_dnat -p 136 -m multiport --dports 80 -j DNAT --to-destination 0.0.0.0/0

Which produce the following error message:

iptables-restore v1.4.17: Bad IP address "0.0.0.0/0"

Similarly with Shorewall6 rule:

DNAT wan lan tcp 80

Generates ip6tables rule:

-A PREROUTING -p 6 --dport 80 -i eth1 -j DNAT --to-destination [::/0]

Which produces error message:

ip6tables-restore v1.4.17: Bad IP address "::/0"

Steven.

On 03/02/2013 08:15 AM, Steven Jan Springl wrote:
> Shorewall rules:
>
> DNAT wan lan tcp 80
>
> DNAT wan lan:0.0.0.0/0 tcp 80
>
> Both generate the following iptables rule:
>
> -A wan_dnat -p 136 -m multiport --dports 80 -j DNAT --to-destination 0.0.0.0/0
>
> Which produce the following error message:
>
> iptables-restore v1.4.17: Bad IP address "0.0.0.0/0"
>
> Similarly with Shorewall6 rule:
>
> DNAT wan lan tcp 80
>
> Generates ip6tables rule:
>
> -A PREROUTING -p 6 --dport 80 -i eth1 -j DNAT --to-destination [::/0]
>
> Which produces error message:
>
> ip6tables-restore v1.4.17: Bad IP address "::/0"
>

The attached patch corrects this problem.

Thanks Steven,
-Tom

On 03/02/2013 08:58 AM, Tom Eastep wrote:
> On 03/02/2013 08:15 AM, Steven Jan Springl wrote:
>
>> Shorewall rules:
>>
>> DNAT wan lan tcp 80
>>
>> DNAT wan lan:0.0.0.0/0 tcp 80
>>
>> Both generate the following iptables rule:
>>
>> -A wan_dnat -p 136 -m multiport --dports 80 -j DNAT --to-destination 0.0.0.0/0
>>
>> Which produce the following error message:
>>
>> iptables-restore v1.4.17: Bad IP address "0.0.0.0/0"
>>
>> Similarly with Shorewall6 rule:
>>
>> DNAT wan lan tcp 80
>>
>> Generates ip6tables rule:
>>
>> -A PREROUTING -p 6 --dport 80 -i eth1 -j DNAT --to-destination [::/0]
>>
>> Which produces error message:
>>
>> ip6tables-restore v1.4.17: Bad IP address "::/0"
>>
>
> The attached patch corrects this problem.

The last patch missed one case. Second patch attached.

-Tom

On Saturday 02 Mar 2013 17:07:33 Tom Eastep wrote:
> On 03/02/2013 08:58 AM, Tom Eastep wrote:
> > On 03/02/2013 08:15 AM, Steven Jan Springl wrote:
> >> Shorewall rules:
> >>
> >> DNAT wan lan tcp 80
> >>
> >> DNAT wan lan:0.0.0.0/0 tcp 80
> >>
> >> Both generate the following iptables rule:
> >>
> >> -A wan_dnat -p 136 -m multiport --dports 80 -j DNAT --to-destination
> >> 0.0.0.0/0
> >>
> >> Which produce the following error message:
> >>
> >> iptables-restore v1.4.17: Bad IP address "0.0.0.0/0"
> >>
> >> Similarly with Shorewall6 rule:
> >>
> >> DNAT wan lan tcp 80
> >>
> >> Generates ip6tables rule:
> >>
> >> -A PREROUTING -p 6 --dport 80 -i eth1 -j DNAT --to-destination [::/0]
> >>
> >> Which produces error message:
> >>
> >> ip6tables-restore v1.4.17: Bad IP address "::/0"
> >
> > The attached patch corrects this problem.
>
> The last patch missed one case. Second patch attached.
>
> -Tom

Tom

Confirmed, the patch fixes the issue.

Thanks.

Steven.

On 03/02/2013 09:16 AM, Steven Jan Springl wrote:
>
> Confirmed, the patch fixes the issue.
>

Thanks Steven,
-Tom