I've uploaded Beta 6 for testing.

Problem Corrected update:

1) Previously, NFACCT accounting rules generated iptables rules with
   the matches in the incorrect order. That caused the counters to be
   incremented before all of the matches had been checked. Now, the
   counter in an NFACCT rule is incremented only if all of the other
   matches have been successful.

   To allow a nfobject to be incremented unconditionally, you may
   follow the closing parenthesis with '!' (e.g., NFACCT(all)!). When
   '!' is omitted, the object is incremented only if all of the rule's
   matches succeed.

   "!" is useful in the following rule:

   NFACCT(all) - +fooset[src] +barset[dst](foobar)

   In this rule, the 'all' nfacc counter is incremented
   unconditionally while the foobar counter is only incremented if
   the packet SOURCE address is in fooset and the DEST address is in
   barset.

New Features:

1) The INLINE action is also supported in the accounting file. INLINE
   is treated the same as COUNT with the exception that the freeform
   iptables input following the ';' is appended to any matches
   generated by the column contents. In the accounting file, INLINE
   does not accept a parameter.

   This change will cause the order of matches in iptables rules to be
   different from in previous releases. Please report any
   differences that you find that are not simple match reorderings.

Thank you for testing,
-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Tom Eastep wrote:
> I've uploaded Beta 6 for testing.
>
> Problem Corrected update:
>
> 1) Previously, NFACCT accounting rules generated iptables rules with
>    the matches in the incorrect order. That caused the counters to be
>    incremented before all of the matches had been checked. Now, the
>    counter in an NFACCT rule is incremented only if all of the other
>    matches have been successful.
>
>    To allow a nfobject to be incremented unconditionally, you may
>    follow the closing parenthesis with '!' (e.g., NFACCT(all)!). When
>    '!' is omitted, the object is incremented only if all of the rule's
>    matches succeed.
>
>    "!" is useful in the following rule:
>
>    NFACCT(all) - +fooset[src] +barset[dst](foobar)
>
>    In this rule, the 'all' nfacc counter is incremented
>    unconditionally while the foobar counter is only incremented if
>    the packet SOURCE address is in fooset and the DEST address is in
>    barset.
>
There is no "!" after NFACCT(all).

> New Features:
>
> 1) The INLINE action is also supported in the accounting file. INLINE
>    is treated the same as COUNT with the exception that the freeform
>    iptables input following the ';' is appended to any matches
>    generated by the column contents. In the accounting file, INLINE
>    does not accept a parameter.
>
Is there an "automatic" addition of nfacct objects implemented in INLINE
("nfacct add <obj>")? For example:

INLINE ; -m nfacct --nfacct-name test

With the above, do I have to manually add "test" or is there some magic
shorewall could do to automate that?

>    This change will cause the order of matches in iptables rules to be
>    different from in previous releases. Please report any
>    differences that you find that are not simple match reorderings.
>
I'll have more time to test this if not later on, then tomorrow.

On 04/20/2013 02:25 PM, Dash Four wrote:
>
> Tom Eastep wrote:
>>
>> "!" is useful in the following rule:
>>
>> NFACCT(all) - +fooset[src] +barset[dst](foobar)
>>
>> In this rule, the 'all' nfacc counter is incremented
>> unconditionally while the foobar counter is only incremented if
>> the packet SOURCE address is in fooset and the DEST address is in
>> barset.
>>
> There is no "!" after NFACCT(all).

Oops -- thanks.

>>
>> New Features:
>>
>> 1) The INLINE action is also supported in the accounting file. INLINE
>>    is treated the same as COUNT with the exception that the freeform
>>    iptables input following the ';' is appended to any matches
>>    generated by the column contents. In the accounting file, INLINE
>>    does not accept a parameter.
>>
> Is there an "automatic" addition of nfacct objects implemented in INLINE
> ("nfacct add <obj>")? For example:
>
> INLINE ; -m nfacct --nfacct-name test
>
> With the above, do I have to manually add "test" or is there some magic
> shorewall could do to automate that?

It happens automatically.

>>
>> This change will cause the order of matches in iptables rules to be
>> different from in previous releases. Please report any
>> differences that you find that are not simple match reorderings.
>>
> I'll have more time to test this if not later on, then tomorrow.

Thanks,
-Tom

Tom Eastep wrote:
> I've uploaded Beta 6 for testing.
>
> Problem Corrected update:
>
> 1) Previously, NFACCT accounting rules generated iptables rules with
>    the matches in the incorrect order. That caused the counters to be
>    incremented before all of the matches had been checked. Now, the
>    counter in an NFACCT rule is incremented only if all of the other
>    matches have been successful.
>
>    To allow a nfobject to be incremented unconditionally, you may
>    follow the closing parenthesis with '!' (e.g., NFACCT(all)!). When
>    '!' is omitted, the object is incremented only if all of the rule's
>    matches succeed.
>
>    "!" is useful in the following rule:
>
>    NFACCT(all) - +fooset[src] +barset[dst](foobar)
>
>    In this rule, the 'all' nfacc counter is incremented
>    unconditionally while the foobar counter is only incremented if
>    the packet SOURCE address is in fooset and the DEST address is in
>    barset.
>
This looks pretty good - with and without "!"...

> New Features:
>
> 1) The INLINE action is also supported in the accounting file. INLINE
>    is treated the same as COUNT with the exception that the freeform
>    iptables input following the ';' is appended to any matches
>    generated by the column contents. In the accounting file, INLINE
>    does not accept a parameter.
>
... and so does this, though I'll give it a more thorough look tomorrow
night.

>    This change will cause the order of matches in iptables rules to be
>    different from in previous releases. Please report any
>    differences that you find that are not simple match reorderings.
>
OK, the main thing I've found so far is that shorewall does not touch the
order of statements after ";" this time (compared to "rules"), so if I
specify "INLINE ; -m nfacct --nfacct-name test -p 6 -m set --match-set test
src --dport 1234" that passes as-is (that, obviously, won't pass iptables,
but I am pleased that the order is preserved in whatever I throw after ";").

Tom

The attached config. produces the following messages:

Optimizing Ruleset...
Use of uninitialized value $value in substitution (s///) at
/usr/share/shorewall/Shorewall/Chains.pm line 973.
Use of uninitialized value $value in substitution (s///) at
/usr/share/shorewall/Shorewall/Chains.pm line 973.
Creating iptables-restore input...
Use of uninitialized value $value in substitution (s///) at
/usr/share/shorewall/Shorewall/Chains.pm line 973.
Use of uninitialized value $value in substitution (s///) at
/usr/share/shorewall/Shorewall/Chains.pm line 973.

The following iptables rule is also generated:

-A OUTPUT -o eth0 -p 6 -s 88.88.88.88 -d 192.168.168.0/24 -m multiport -j
RAWDNAT --to-dest 10.199.0.0/16 -m comment --comment "netmap."

Which produces the following error message:

iptables-restore v1.4.18: multiport expection an option

Steven.

On 4/21/13 9:36 AM, "Steven Jan Springl" <steven@springl.co.uk> wrote:
> The attached config. produces the following messages:
>
> Optimizing Ruleset...
>
> Use of uninitialized value $value in substitution (s///) at
> /usr/share/shorewall/Shorewall/Chains.pm line 973.
>
> Use of uninitialized value $value in substitution (s///) at
> /usr/share/shorewall/Shorewall/Chains.pm line 973.
>
> Creating iptables-restore input...
>
> Use of uninitialized value $value in substitution (s///) at
> /usr/share/shorewall/Shorewall/Chains.pm line 973.
>
> Use of uninitialized value $value in substitution (s///) at
> /usr/share/shorewall/Shorewall/Chains.pm line 973.
>
> The following iptables rule is also generated:
>
> -A OUTPUT -o eth0 -p 6 -s 88.88.88.88 -d 192.168.168.0/24 -m multiport
> -j
> RAWDNAT --to-dest 10.199.0.0/16 -m comment --comment "netmap."
>
> Which produces the following error message:
>
> iptables-restore v1.4.18: multiport expection an option

This one-liner seems to correct the problem.

Thanks Steven,
-Tom

You do not need a parachute to skydive. You only need a parachute to
skydive twice.

On 4/21/13 2:43 PM, "Tom Eastep" <teastep@shorewall.net> wrote:
>
> This one-liner seems to correct the problem.
>
> Thanks Steven,

-Tom

On Sunday 21 Apr 2013 22:45:12 Tom Eastep wrote:
> On 4/21/13 2:43 PM, "Tom Eastep" <teastep@shorewall.net> wrote:
>> This one-liner seems to correct the problem.
>>
>> Thanks Steven,
>
> -Tom

Tom

Confirmed, the patch fixes the issue.

Thanks.

Steven.

> OK, the main thing I've found so far is that shorewall does not touch
> the order of statements after ";" this time (compared to "rules"), so
> if I specify "INLINE ; -m nfacct --nfacct-name test -p 6 -m set
> --match-set test src --dport 1234" that passes as-is (that, obviously,
> won't pass iptables, but I am pleased that the order is preserved in
> whatever I throw after ";").

No issues to report, except one or two suggestions:

1. It would be nice if you could extend the nfacct syntax for ipsets to
specify more than one nfacct object, separated by commas - in the way
NFACCT(...) syntax currently is. For example: "+dmz-net(dmz,dmz_in)".

2. It would also be nice to extend the syntax for the exclamation mark
in NFACCT(...) so that it may apply to individual nfacct objects. For
example: "NFACCT(!dmz,dmz_in) - eth0:+dmz-net" - in this example "dmz"
nfacct object comes first, "dmz_in" comes last after the two conditions
- "-o eth0" and "-m set --match-set dmz-net src" have been met. Of
course, if "NFACCT(dmz,dmz_in)!" is specified, then the exclamation mark
should apply (and it does) to both objects, while "NFACCT(!dmz,dmz_in)!"
should not be allowed.

On a side note, I like the ability to select multiple nfacct objects in
a single statement - very good idea this.

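To make the match-ordering point of the Beta 6 announcement and of suggestion 2 above concrete, here is an added model (not Shorewall's own code) that orders the matches of one accounting rule the way the corrected compiler does, can reproduce the old counters-first bug, and runs a packet through the rule to show which nfacct counters are bumped. It also accepts the per-object '!' form (NFACCT(!dmz,dmz_in)) suggested above next to the Beta 6 trailing '!'. The ipset contents, the packet and the rule that a bare +setname defaults to src in SOURCE and dst in DEST are constructed assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed ipsets for the simulation (ipset name -> member addresses).
IPSETS = {
    "fooset": {"10.0.0.5", "10.0.0.6"},
    "barset": {"192.0.2.10"},
}

@dataclass(frozen=True)
class Match:
    """One iptables match: an ipset membership test or an nfacct counter."""
    kind: str        # "set" or "nfacct"
    name: str        # ipset name or nfacct object name
    flag: str = ""   # "src"/"dst" for set matches, unused for nfacct

    def iptables(self):
        if self.kind == "set":
            return f"-m set --match-set {self.name} {self.flag}"
        return f"-m nfacct --nfacct-name {self.name}"

NFACCT_RE = re.compile(r"^NFACCT\(([\w,!]+)\)(!?)$")
SET_RE = re.compile(r"^\+([\w-]+)(?:\[(src|dst)\])?(?:\(([\w,]+)\))?$")

def parse_nfacct(action):
    """Parse the ACTION column into (unconditional, conditional) nfacct
    matches. A trailing '!' (Beta 6 syntax) makes every object unconditional;
    a per-object '!' (the form suggested in the thread) marks only that
    object. Mixing the two forms is rejected, as suggested."""
    m = NFACCT_RE.match(action)
    if not m:
        raise ValueError(f"Unsupported ACTION: {action}")
    names, trailing = m.group(1).split(","), m.group(2) == "!"
    if trailing and any(n.startswith("!") for n in names):
        raise ValueError("'!' on individual objects and after ')' cannot be mixed")
    unconditional = [Match("nfacct", n.lstrip("!")) for n in names
                     if trailing or n.startswith("!")]
    conditional = [Match("nfacct", n) for n in names
                   if not trailing and not n.startswith("!")]
    return unconditional, conditional

def parse_set_column(text, default_flag):
    """Parse '+setname[src|dst](nfobj,...)' from a SOURCE or DEST column.
    A missing [src]/[dst] defaults to the column's direction (assumed).
    Returns (set match, [nfacct matches attached to that set])."""
    m = SET_RE.match(text)
    if not m:
        raise ValueError(f"Invalid ipset name ({text})")
    name, flag, objs = m.groups()
    attached = [Match("nfacct", o) for o in objs.split(",")] if objs else []
    return Match("set", name, flag or default_flag), attached

def compile_rule(action, source, dest, counters_first=False):
    """Return the ordered match list for one accounting rule.
    counters_first=True reproduces the pre-Beta-6 bug (all NFACCT objects
    emitted before the other matches); False is the corrected ordering."""
    unconditional, conditional = parse_nfacct(action)
    set_matches, attached = [], []
    for column, flag in ((source, "src"), (dest, "dst")):
        if column != "-":                       # '-' means "any"
            s, a = parse_set_column(column, flag)
            set_matches.append(s)
            attached.extend(a)
    if counters_first:
        return unconditional + conditional + set_matches + attached
    # Counters that must see every packet go first; ipset-attached counters
    # and the remaining NFACCT objects only run once every set has matched.
    return unconditional + set_matches + attached + conditional

def evaluate(matches, packet, counters):
    """Walk the matches in order as iptables does: a failing set match ends
    the rule, an nfacct match always succeeds and bumps its counter."""
    for m in matches:
        if m.kind == "nfacct":
            counters[m.name] += 1
        elif packet[m.flag] not in IPSETS[m.name]:
            return False
    return True

def account(action, source, dest, packet, counters_first=False):
    """Compile one rule, run one constructed packet through it and return
    (rule matched, counters incremented)."""
    counters = Counter()
    matched = evaluate(compile_rule(action, source, dest, counters_first),
                       packet, counters)
    return matched, dict(counters)

if __name__ == "__main__":
    rule = ("NFACCT(all)", "+fooset[src]", "+barset[dst](foobar)")
    print(" ".join(m.iptables() for m in compile_rule(*rule)))
    # Source in fooset, destination not in barset: the corrected order
    # leaves every counter untouched; the old order bumped 'all' anyway.
    pkt = {"src": "10.0.0.5", "dst": "198.51.100.1"}
    print(account(*rule, pkt), account(*rule, pkt, counters_first=True))
```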
On 4/21/13 7:14 PM, "Dash Four" <mr.dash.four@googlemail.com> wrote:
>
>> OK, the main thing I've found so far is that shorewall does not touch
>> the order of statements after ";" this time (compared to "rules"), so
>> if I specify "INLINE ; -m nfacct --nfacct-name test -p 6 -m set
>> --match-set test src --dport 1234" that passes as-is (that, obviously,
>> won't pass iptables, but I am pleased that the order is preserved in
>> whatever I throw after ";").
>
> No issues to report, except one or two suggestions:
>
> 1. It would be nice if you could extend the nfacct syntax for ipsets to
> specify more than one nfacct object, separated by commas - in the way
> NFACCT(...) syntax currently is. For example: "+dmz-net(dmz,dmz_in)".

Isn't that already there?

> 2. It would also be nice to extend the syntax for the exclamation mark
> in NFACCT(...) so that it may apply to individual nfacct objects. For
> example: "NFACCT(!dmz,dmz_in) - eth0:+dmz-net" - in this example "dmz"
> nfacct object comes first, "dmz_in" comes last after the two conditions
> - "-o eth0" and "-m set --match-set dmz-net src" have been met. Of
> course, if "NFACCT(dmz,dmz_in)!" is specified, then the exclamation mark
> should apply (and it does) to both objects, while "NFACCT(!dmz,dmz_in)!"
> should not be allowed.

I would like to release RC 1 next -- my wife is having major surgery this
week and I'm not going to be able to spend much time with Shorewall the
rest of the month.

>
> On a side note, I like the ability to select multiple nfacct objects in
> a single statement - very good idea this.

Good!

-Tom

Tom Eastep wrote:
> On 4/21/13 7:14 PM, "Dash Four" <mr.dash.four@googlemail.com> wrote:
>
>>> OK, the main thing I've found so far is that shorewall does not touch
>>> the order of statements after ";" this time (compared to "rules"), so
>>> if I specify "INLINE ; -m nfacct --nfacct-name test -p 6 -m set
>>> --match-set test src --dport 1234" that passes as-is (that, obviously,
>>> won't pass iptables, but I am pleased that the order is preserved in
>>> whatever I throw after ";").
>>>
>> No issues to report, except one or two suggestions:
>>
>> 1. It would be nice if you could extend the nfacct syntax for ipsets to
>> specify more than one nfacct object, separated by commas - in the way
>> NFACCT(...) syntax currently is. For example: "+dmz-net(dmz,dmz_in)".
>>
>
> Isn't that already there?
>
Nope, I am getting an error if I try that... "NFACCT(all,all_in) -
+dmz-net(dmz,dmz_in)" gives me "ERROR: Invalid ipset name
(+dmz-net(dmz)". Specifying "+dmz-net(dmz_in)" is OK.

>> 2. It would also be nice to extend the syntax for the exclamation mark
>> in NFACCT(...) so that it may apply to individual nfacct objects. For
>> example: "NFACCT(!dmz,dmz_in) - eth0:+dmz-net" - in this example "dmz"
>> nfacct object comes first, "dmz_in" comes last after the two conditions
>> - "-o eth0" and "-m set --match-set dmz-net src" have been met. Of
>> course, if "NFACCT(dmz,dmz_in)!" is specified, then the exclamation mark
>> should apply (and it does) to both objects, while "NFACCT(!dmz,dmz_in)!"
>> should not be allowed.
>>
>
> I would like to release RC 1 next -- my wife is having major surgery this
> week and I'm not going to be able to spend much time with Shorewall the
> rest of the month.
>
No problem Tom, take your time - hope your missus has a successful one
and recovers quickly after that.

On 04/21/2013 07:37 PM, Dash Four wrote:
>
> Tom Eastep wrote:
>> On 4/21/13 7:14 PM, "Dash Four" <mr.dash.four@googlemail.com> wrote:
>>
>>>> OK, the main thing I've found so far is that shorewall does not touch
>>>> the order of statements after ";" this time (compared to "rules"), so
>>>> if I specify "INLINE ; -m nfacct --nfacct-name test -p 6 -m set
>>>> --match-set test src --dport 1234" that passes as-is (that, obviously,
>>>> won't pass iptables, but I am pleased that the order is preserved in
>>>> whatever I throw after ";").
>>>>
>>> No issues to report, except one or two suggestions:
>>>
>>> 1. It would be nice if you could extend the nfacct syntax for ipsets to
>>> specify more than one nfacct object, separated by commas - in the way
>>> NFACCT(...) syntax currently is. For example: "+dmz-net(dmz,dmz_in)".
>>>
>>
>> Isn't that already there?
>>
> Nope, I am getting an error if I try that... "NFACCT(all,all_in) -
> +dmz-net(dmz,dmz_in)" gives me "ERROR: Invalid ipset name
> (+dmz-net(dmz)". Specifying "+dmz-net(dmz_in)" is OK.

Patch attached.

-Tom

Tom Eastep wrote:
>> Nope, I am getting an error if I try that... "NFACCT(all,all_in) -
>> +dmz-net(dmz,dmz_in)" gives me "ERROR: Invalid ipset name
>> (+dmz-net(dmz)". Specifying "+dmz-net(dmz_in)" is OK.
>>
>
> Patch attached.
>
Yep, that does it.

On 04/22/2013 03:04 PM, Dash Four wrote:
>
> Tom Eastep wrote:
>>> Nope, I am getting an error if I try that... "NFACCT(all,all_in) -
>>> +dmz-net(dmz,dmz_in)" gives me "ERROR: Invalid ipset name
>>> (+dmz-net(dmz)". Specifying "+dmz-net(dmz_in)" is OK.
>>>
>>
>> Patch attached.
>>
> Yep, that does it.

Thanks,
-Tom

> To allow a nfobject to be incremented unconditionally, you may
> follow the closing parenthesis with '!' (e.g., NFACCT(all)!). When
> '!' is omitted, the object is incremented only if all of the rule's
> matches succeed.
>
> "!" is useful in the following rule:
>
> NFACCT(all) - +fooset[src] +barset[dst](foobar)
>
> In this rule, the 'all' nfacc counter is incremented
> unconditionally while the foobar counter is only incremented if
> the packet SOURCE address is in fooset and the DEST address is in
> barset.
>
I have been wrecking my head to see whether "!" makes any sense in
nfacct objects used in ipsets (i.e. "(foobar)!" in your example above)
and can't think of any - the set match order is always the same
regardless of whether I use "!" or not. In your example above it doesn't
make any difference whether I use "(foobar)" or "(foobar)!" - the end
result is exactly the same.

On 4/22/13 4:31 PM, "Dash Four" <mr.dash.four@googlemail.com> wrote:
>
>> To allow a nfobject to be incremented unconditionally, you may
>> follow the closing parenthesis with '!' (e.g., NFACCT(all)!). When
>> '!' is omitted, the object is incremented only if all of the rule's
>> matches succeed.
>>
>> "!" is useful in the following rule:
>>
>> NFACCT(all) - +fooset[src] +barset[dst](foobar)
>>
>> In this rule, the 'all' nfacc counter is incremented
>> unconditionally while the foobar counter is only incremented if
>> the packet SOURCE address is in fooset and the DEST address is in
>> barset.
>>
> I have been wrecking my head to see whether "!" makes any sense in
> nfacct objects used in ipsets (i.e. "(foobar)!" in your example above)
> and can't think of any - the set match order is always the same
> regardless of whether I use "!" or not. In your example above it doesn't
> make any difference whether I use "(foobar)" or "(foobar)!" - the end
> result is exactly the same.

Of course. In a SOURCE or DEST list, ! (without a preceding '.') signals
exclusion. So you have an empty exclusion list when you add '!'. I had no
intention of supporting the '!' any other way in the SOURCE and DEST
columns.

-Tom

>> I have been wrecking my head to see whether "!" makes any sense in
>> nfacct objects used in ipsets (i.e. "(foobar)!" in your example above)
>> and can't think of any - the set match order is always the same
>> regardless of whether I use "!" or not. In your example above it doesn't
>> make any difference whether I use "(foobar)" or "(foobar)!" - the end
>> result is exactly the same.
>>
>
> Of course. In a SOURCE or DEST list, ! (without a preceding '.') signals
> exclusion. So you have an empty exclusion list when you add '!'. I had no
> intention of supporting the '!' any other way in the SOURCE and DEST
> columns.
>
In other words, using "!" for nfacct objects within ipsets won't make
any sense (which is more or less what I pointed out above)? If so, this
is currently allowed (i.e. "NFACCT(all) - +dmz-net(foo)!" is allowed).

On 4/22/13 4:54 PM, "Dash Four" <mr.dash.four@googlemail.com> wrote:
>
>>> I have been wrecking my head to see whether "!" makes any sense in
>>> nfacct objects used in ipsets (i.e. "(foobar)!" in your example above)
>>> and can't think of any - the set match order is always the same
>>> regardless of whether I use "!" or not. In your example above it
>>> doesn't
>>> make any difference whether I use "(foobar)" or "(foobar)!" - the end
>>> result is exactly the same.
>>>
>>
>> Of course. In a SOURCE or DEST list, ! (without a preceding '.') signals
>> exclusion. So you have an empty exclusion list when you add '!'. I had
>> no
>> intention of supporting the '!' any other way in the SOURCE and DEST
>> columns.
>>
> In other words, using "!" for nfacct objects within ipsets won't make
> any sense (which is more or less what I pointed out above)? If so, this
> is currently allowed (i.e. "NFACCT(all) - +dmz-net(foo)!" is allowed).

And it was allowed before the nfacct change (e.g., +dmz-net!). Again, the
'!' signals that any hosts listed after '!' should be excluded.

-Tom

> And it was allowed before the nfacct change (e.g., +dmz-net!). Again, the
> '!' signals that any hosts listed after '!' should be excluded.
>
Got it now, thanks.

Anyway, I've just implemented individual "!" in the NFACCT statement by
hacking your Accounting.pm - I can attach a small patch for
review/inclusion if you are interested, but be aware that it does change
the syntax slightly in a sense that "!" needs to be specified for each
object within NFACCT() - "NFACCT(...)!" is no longer allowed.

On 4/22/13 5:07 PM, "Dash Four" <mr.dash.four@googlemail.com> wrote:
>
>> And it was allowed before the nfacct change (e.g., +dmz-net!). Again, the
>> '!' signals that any hosts listed after '!' should be excluded.
>>
> Got it now, thanks.
>
> Anyway, I've just implemented individual "!" in the NFACCT statement by
> hacking your Accounting.pm - I can attach a small patch for
> review/inclusion if you are interested, but be aware that it does change
> the syntax slightly in a sense that "!" needs to be specified for each
> object within NFACCT() - "NFACCT(...)!" is no longer allowed.

Sure -- send it along.

Thanks,
-Tom

Tom Eastep wrote:
> On 4/22/13 5:07 PM, "Dash Four" <mr.dash.four@googlemail.com> wrote:
>
>> Anyway, I've just implemented individual "!" in the NFACCT statement by
>> hacking your Accounting.pm - I can attach a small patch for
>> review/inclusion if you are interested, but be aware that it does change
>> the syntax slightly in a sense that "!" needs to be specified for each
>> object within NFACCT() - "NFACCT(...)!" is no longer allowed.
>>
>
> Sure -- send it along.
>
Attached - the above caveat applies though.

On 4/22/13 6:27 PM, Dash Four wrote:
>
> Tom Eastep wrote:
>> On 4/22/13 5:07 PM, "Dash Four" <mr.dash.four@googlemail.com> wrote:
>>
>>> Anyway, I've just implemented individual "!" in the NFACCT statement by
>>> hacking your Accounting.pm - I can attach a small patch for
>>> review/inclusion if you are interested, but be aware that it does change
>>> the syntax slightly in a sense that "!" needs to be specified for each
>>> object within NFACCT() - "NFACCT(...)!" is no longer allowed.
>>>
>>
>> Sure -- send it along.
>>
> Attached - the above caveat applies though.

This patch is relative to the Shorewall directory rather than the
'shorewall' directory (which is the git base directory). I can't apply it
with 'git am'. I can apply the patch directly with 'patch' but it will
look like my patch rather than yours. Or do you know a trick that I don't
that allows such patches embedded in emails to be applied with 'git am'?

-Tom

On 4/22/13 7:45 PM, Tom Eastep wrote:
> On 4/22/13 6:27 PM, Dash Four wrote:
>> Tom Eastep wrote:
>>> On 4/22/13 5:07 PM, "Dash Four" <mr.dash.four@googlemail.com> wrote:
>>>
>>>> Anyway, I've just implemented individual "!" in the NFACCT statement by
>>>> hacking your Accounting.pm - I can attach a small patch for
>>>> review/inclusion if you are interested, but be aware that it does change
>>>> the syntax slightly in a sense that "!" needs to be specified for each
>>>> object within NFACCT() - "NFACCT(...)!" is no longer allowed.
>>>
>>> Sure -- send it along.
>>>
>> Attached - the above caveat applies though.
>
> This patch is relative to the Shorewall directory rather than the
> 'shorewall' directory (which is the git base directory). I can't apply
> it with 'git am'. I can apply the patch directly with 'patch' but it
> will look like my patch rather than yours. Or do you know a trick that I
> don't that allows such patches embedded in emails to be applied with
> 'git am'?

Never mind -- I hacked the email to add the extra directory level.

-Tom

------------------------------------------------------------------------------
Try New Relic Now & We'll Send You this Cool Shirt
New Relic is the only SaaS-based application performance monitoring service that delivers powerful full stack analytics. Optimize and monitor your browser, app, & servers with just a few lines of code. Try New Relic and get this awesome Nerd Life shirt!
http://p.sf.net/sfu/newrelic_d2d_apr
Tom Eastep wrote:
> On 4/22/13 6:27 PM, Dash Four wrote:
>> Tom Eastep wrote:
>>> On 4/22/13 5:07 PM, "Dash Four" <mr.dash.four@googlemail.com> wrote:
>>>
>>>> Anyway, I've just implemented individual "!" in the NFACCT statement by
>>>> hacking your Accounting.pm - I can attach a small patch for
>>>> review/inclusion if you are interested, but be aware that it does change
>>>> the syntax slightly in a sense that "!" needs to be specified for each
>>>> object within NFACCT() - "NFACCT(...)!" is no longer allowed.
>>>
>>> Sure -- send it along.
>>>
>> Attached - the above caveat applies though.
>
> This patch is relative to the Shorewall directory rather than the
> 'shorewall' directory (which is the git base directory). I can't apply
> it with 'git am'.

Yeah, apologies - I've made it based on the rpm root tree as I am building shorewall using rpmbuild.

> I can apply the patch directly with 'patch' but it
> will look like my patch rather than yours.

That's fine - I don't remember including any signed-off-by signatures (it was a "plain" patch), so I am not really that bothered whether it comes "from me" or not - the most important thing for me is its functionality, that's all.

> Or do you know a trick that I
> don't that allows such patches embedded in emails to be applied with
> 'git am'?

The only thing I could suggest is what you've already done - altering the email, but as I already pointed out above - I am not really that bothered if I am shown to be "the author" or not.
Dash Four wrote:
> The only thing I could suggest is what you've already done - altering
> the email, but as I already pointed out above - I am not really that
> bothered if I am shown to be "the author" or not.

I hope it is not too late to request one minor correction, as far as nfacct object name matching is concerned (that will affect all NFACCT statements): Currently shorewall only matches/accepts a "word" character (i.e. [a-zA-Z_0-9]), but I would like to use other characters, like "%", "&", "@" and "~" (the latter two being particularly important as this is how I split my traffic into "sub-classes"). Would that be possible?
On 04/25/2013 08:30 AM, Dash Four wrote:
> Dash Four wrote:
>> The only thing I could suggest is what you've already done - altering
>> the email, but as I already pointed out above - I am not really that
>> bothered if I am shown to be "the author" or not.
>
> I hope it is not too late to request one minor correction, as far as
> nfacct object name matching is concerned (that will affect all NFACCT
> statements): Currently shorewall only matches/accepts a "word" character
> (i.e. [a-zA-Z_0-9]), but I would like to use other characters, like "%",
> "&", "@" and "~" (the latter two being particularly important as this is
> how I split my traffic into "sub-classes"). Would that be possible?

Please give the attached patch a try. It also corrects a problem where not all nfacct objects were created by the generated script.

Thanks,
-Tom
Tom Eastep wrote:
> On 04/25/2013 08:30 AM, Dash Four wrote:
>> Dash Four wrote:
>>> The only thing I could suggest is what you've already done - altering
>>> the email, but as I already pointed out above - I am not really that
>>> bothered if I am shown to be "the author" or not.
>>
>> I hope it is not too late to request one minor correction, as far as
>> nfacct object name matching is concerned (that will affect all NFACCT
>> statements): Currently shorewall only matches/accepts a "word" character
>> (i.e. [a-zA-Z_0-9]), but I would like to use other characters, like "%",
>> "&", "@" and "~" (the latter two being particularly important as this is
>> how I split my traffic into "sub-classes"). Would that be possible?
>
> Please give the attached patch a try. It also corrects a problem where
> not all nfacct objects were created by the generated script.

Thanks, Tom - will give it a go when I get home in a few hours.

I had a quiet chuckle at all the Chains.pm changes you've made - I did look at that code before and was scratching my head how on earth is this going to insert the nfacct names into nfobjects (the variable you use to store all nfacct names), but since my perl skills were insufficient (I thought the "push" function "somehow did it") I let it all go.
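The two behaviours negotiated above (a per-object "!" that decides whether an nfacct counter is placed before or after the rule's other matches, and a wider character set for object names) are easy to get wrong, so here is an added example that is not Shorewall's Accounting.pm or any code from the thread. It assumes the per-object form writes the "!" directly after the object it marks (e.g. NFACCT(all!,foobar)), that names may use word characters plus % & @ ~, and it renders an iptables command line (Shorewall itself feeds iptables-restore). The placement rule follows from how the kernel evaluates a rule: matches run left to right, the first failing match ends the rule, and the nfacct match always succeeds while bumping its counter.

```python
"""Parse NFACCT(...) accounting statements and order the resulting nfacct
matches so a counter is only bumped once every other match has succeeded.

Added example for this thread, not code from Shorewall. Assumed syntax:
'name!' marks an individual object unconditional; the old whole-statement
form 'NFACCT(...)!' is rejected. Allowed name characters are an assumption
taken from the request in the thread (word characters plus % & @ ~).
"""
import re
import shlex
from dataclasses import dataclass

# Behaviour described as current in the thread: only "word" characters.
WORD_NAME = re.compile(r'^\w+$', re.ASCII)
# Requested behaviour: additionally allow % & @ ~ in object names.
EXTENDED_NAME = re.compile(r'^[\w%&@~]+$', re.ASCII)

# Whole statement; a trailing '!' after the ')' will not match.
NFACCT_STMT = re.compile(r'^NFACCT\(([^()]*)\)$')


@dataclass(frozen=True)
class NfacctObject:
    name: str
    unconditional: bool   # True when written as "name!"


def parse_nfacct(spec, name_re=EXTENDED_NAME):
    """Parse 'NFACCT(a,b!,c)' into NfacctObject instances, validating names."""
    m = NFACCT_STMT.match(spec.strip())
    if not m:
        raise ValueError(f"not an NFACCT statement: {spec!r}")
    objects = []
    for item in m.group(1).split(','):
        item = item.strip()
        unconditional = item.endswith('!')
        name = item[:-1] if unconditional else item
        if not name_re.match(name):
            raise ValueError(f"invalid nfacct object name: {name!r}")
        objects.append(NfacctObject(name, unconditional))
    return objects


def is_valid_nfacct(spec, name_re=EXTENDED_NAME):
    """True when parse_nfacct accepts the statement under the given name rule."""
    try:
        parse_nfacct(spec, name_re)
    except ValueError:
        return False
    return True


def build_matches(objects, other_matches):
    """Return iptables match tokens for one accounting rule.

    Unconditional counters go first, so they see every packet reaching the
    rule. Conditional ones go last, so they are evaluated (and incremented)
    only after every other match has succeeded; a failing match earlier in
    the rule stops evaluation before the counter is reached.
    """
    leading, trailing = [], []
    for obj in objects:
        target = leading if obj.unconditional else trailing
        target += ['-m', 'nfacct', '--nfacct-name', obj.name]
    return leading + list(other_matches) + trailing


def render_iptables_cmd(chain, spec, other_matches):
    """Render a shell-safe iptables command. Names containing '&' or '~'
    are shell metacharacters and must be quoted in any generated script."""
    tokens = ['iptables', '-A', chain] + build_matches(parse_nfacct(spec), other_matches)
    return shlex.join(tokens)


if __name__ == '__main__':
    # Constructed sample based on the rule in the beta announcement,
    # rewritten in the assumed per-object form.
    print(render_iptables_cmd(
        'accounting', 'NFACCT(all!,foobar)',
        ['-m', 'set', '--match-set', 'fooset', 'src',
         '-m', 'set', '--match-set', 'barset', 'dst']))
```

With the sample input the 'all' counter lands before both set matches and 'foobar' after them, which is exactly the "unconditional versus only-if-everything-matched" split the Beta 6 announcement describes. Passing WORD_NAME instead of EXTENDED_NAME reproduces the rejection of names such as foo~bar that prompted the request.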
Dash Four wrote:
>> Please give the attached patch a try. It also corrects a problem where
>> not all nfacct objects were created by the generated script.
>
> Thanks, Tom - will give it a go when I get home in a few hours.

All is in working order. There is a minor (cosmetic) change I did in Accounting.pm - see attached.

One other issue I stumbled upon - normally, nfacct objects are persistent (i.e. they survive shorewall reload/restart etc), but if I would like to wipe out the entire accounting table (and make sure that nothing is left out!) I usually need to run "nfacct flush". I tried doing that in "init", but got an error from iptables that the "accounting object does not exist" - I am assuming that this is because "init" runs *after* the new accounting objects have already been added.

If that is indeed the case, is there a way I could instruct shorewall to wipe out the existing nfacct table at the precise moment where:

1. There are no iptables rules in existence; and
2. The *new* nfacct objects (the ones which will be used when shorewall starts) have not yet been created
On 04/25/2013 03:56 PM, Dash Four wrote:
> Dash Four wrote:
>>> Please give the attached patch a try. It also corrects a problem where
>>> not all nfacct objects were created by the generated script.
>>
>> Thanks, Tom - will give it a go when I get home in a few hours.
>
> All is in working order. There is a minor (cosmetic) change I did in
> Accounting.pm - see attached.
>
> One other issue I stumbled upon - normally, nfacct objects are
> persistent (i.e. they survive shorewall reload/restart etc), but if I
> would like to wipe out the entire accounting table (and make sure that
> nothing is left out!) I usually need to run "nfacct flush". I tried
> doing that in "init", but got an error from iptables that the
> "accounting object does not exist" - I am assuming that this is because
> "init" runs *after* the new accounting objects have already been added.

No -- it is because init is run while the current objects are still in use by the current ruleset. Because Shorewall uses iptables-restore, there is never a point where it is guaranteed that no nfobjects are in use. The only way to do what you want is to place the 'nfacct flush' command in the stopped script and do a "shorewall stop; shorewall start".

> If that is indeed the case, is there a way I could instruct shorewall to
> wipe out the existing nfacct table at the precise moment where:
>
> 1. There are no iptables rules in existence; and

There is not such a point during restart.

-Tom
Tom Eastep wrote:
> On 04/25/2013 03:56 PM, Dash Four wrote:
>> Dash Four wrote:
>>>> Please give the attached patch a try. It also corrects a problem where
>>>> not all nfacct objects were created by the generated script.
>>>
>>> Thanks, Tom - will give it a go when I get home in a few hours.
>>
>> All is in working order. There is a minor (cosmetic) change I did in
>> Accounting.pm - see attached.
>>
>> One other issue I stumbled upon - normally, nfacct objects are
>> persistent (i.e. they survive shorewall reload/restart etc), but if I
>> would like to wipe out the entire accounting table (and make sure that
>> nothing is left out!) I usually need to run "nfacct flush". I tried
>> doing that in "init", but got an error from iptables that the
>> "accounting object does not exist" - I am assuming that this is because
>> "init" runs *after* the new accounting objects have already been added.
>
> No -- it is because init is run while the current objects are still in
> use by the current ruleset. Because Shorewall uses iptables-restore,
> there is never a point where it is guaranteed that no nfobjects are in
> use. The only way to do what you want is to place the 'nfacct flush'
> command in the stopped script and do a "shorewall stop; shorewall start"

Yeah, that's good, suits me fine, thanks.