On 3/25/12 9:14 AM, "Mr Dash Four" <[email protected]> wrote:
>
>> I've been beavering away at such a thing which will be in the next Beta.
>>
>I'll give you a hand with the testing as I am eager to get this out
>probably as much as you do! ;-)
>
>I'll have some more time available next week, so I envisage plenty of
>time for shorewall testing.

Good. I'll upload Beta3 today.

>
>I found two other (non-critical) issues yesterday:
>
>1. OWNER_MATCH sniffing
>
>Your "OWNER_MATCH" capability is currently sniffed by the following in
>lib.cli:
>qt $g_tool -A $chain -m owner --uid-owner 0 -j ACCEPT && OWNER_MATCH=Yes
>
>While this may indicate owner match is available, it does not properly
>account for "-m owner --uid-owner root" (note that this is a name, not a
>numeric representation!), which might not be available on all systems
>(only numeric value may be available with no name-to-number mapping).
>
>In other words, your "OWNER_MATCH" is in fact UID_MATCH. If you need to
>implement a proper OWNER_MATCH, then you have to use "qt $g_tool -A
>$chain -m owner --uid-owner root -j ACCEPT && OWNER_MATCH=Yes" instead.
>
>The reason I am highlighting this and make this distinction is because
>in my case "-m owner --uid-owner 0" works quite happily, but if I have
>"-m owner --uid-owner root" that produces an error as nss and other such
>user-mapping services although implemented, are non-standard (hence why
>I had this "id not found" error message a while ago).
>
>So, what I think you can do is have two separate capabilities: UID_MATCH
>(formerly OWNER_MATCH) which has the above sniffer, but also have
>another - new - OWNER_MATCH, which sniffs by using a name, i.e. "-m
>owner --uid-owner root".

I'll look at it.

>
>2. During start, using the latest 4.5.1 version of shorewall I get the
>following warnings:
>
>Mar 24 22:42:14 dmz1 shorewall[839]: Use of uninitialized value in
>numeric eq (==) at /usr/share/perl5/Shorewall/Tc.pm line 1042,
><$currentfile> line 13.
>Mar 24 22:42:14 dmz1 shorewall[839]: Use of uninitialized value in
>numeric eq (==) at /usr/share/perl5/Shorewall/Tc.pm line 1042,
><$currentfile> line 14.
>Mar 24 22:42:14 dmz1 shorewall[839]: Use of uninitialized value in
>numeric eq (==) at /usr/share/perl5/Shorewall/Tc.pm line 1042,
><$currentfile> line 15.
>Mar 24 22:42:14 dmz1 shorewall[839]: Use of uninitialized value in
>numeric eq (==) at /usr/share/perl5/Shorewall/Tc.pm line 1042,
><$currentfile> line 16.
>Mar 24 22:42:14 dmz1 shorewall[839]: Use of uninitialized value in
>numeric eq (==) at /usr/share/perl5/Shorewall/Tc.pm line 1042,
><$currentfile> line 22.
>Mar 24 22:42:14 dmz1 shorewall[839]: Use of uninitialized value in
>numeric eq (==) at /usr/share/perl5/Shorewall/Tc.pm line 1042,
><$currentfile> line 23.
>Mar 24 22:42:14 dmz1 shorewall[839]: Use of uninitialized value in
>numeric eq (==) at /usr/share/perl5/Shorewall/Tc.pm line 1042,
><$currentfile> line 24.
>Mar 24 22:42:14 dmz1 shorewall[839]: Use of uninitialized value in
>numeric eq (==) at /usr/share/perl5/Shorewall/Tc.pm line 1042,
><$currentfile> line 25.
>
>Don't know what that really is and whether I should be worried, but it
>seems shorewall is working without any issues.

I also ran into that the other day. It's harmless, and I've eliminated
the noise in Beta3.

-Tom
You do not need a parachute to skydive.
You only need a parachute to skydive twice.

_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
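
The two-capability split proposed in the message above, sketched as an added example (not Shorewall's code and not written by either poster). `quiet`, `probe_owner_caps`, `caps_summary` and the `fake_iptables_*` stand-ins are hypothetical names; the stand-ins are constructed so the probes can be exercised without iptables or root.

```shell
#!/bin/sh
# Added example: probe the owner match twice, once with a numeric uid and
# once with a user name, and record the results as separate capabilities.

# Run a command with all output discarded; only the exit status matters.
quiet() { "$@" >/dev/null 2>&1; }

# Constructed stand-in for the packet filter tool on a host without
# name-to-uid mapping: accepts "--uid-owner <digits>", rejects names.
fake_iptables_numeric_only() {
    while [ $# -gt 0 ]; do
        if [ "$1" = "--uid-owner" ]; then
            case "$2" in
                ''|*[!0-9]*) echo "id not found" >&2; return 2 ;;
                *) return 0 ;;
            esac
        fi
        shift
    done
    return 0
}

# Constructed stand-ins: one resolves names too, one lacks the match.
fake_iptables_full() { return 0; }
fake_iptables_none() { return 1; }

# probe_owner_caps TOOL CHAIN
# Sets UID_MATCH (numeric uid accepted) and OWNER_MATCH (user name
# accepted) to "Yes" or leaves them empty.
probe_owner_caps() {
    tool=$1 chain=$2
    UID_MATCH= OWNER_MATCH=
    quiet "$tool" -A "$chain" -m owner --uid-owner 0 -j ACCEPT && UID_MATCH=Yes
    # The name probe only means something if the match itself exists.
    if [ -n "$UID_MATCH" ]; then
        quiet "$tool" -A "$chain" -m owner --uid-owner root -j ACCEPT && OWNER_MATCH=Yes
    fi
    return 0
}

# caps_summary TOOL: print both capabilities on one line.
caps_summary() {
    probe_owner_caps "$1" probe_chain   # probe_chain: scratch chain name
    echo "UID_MATCH=${UID_MATCH:-No} OWNER_MATCH=${OWNER_MATCH:-No}"
}

caps_summary fake_iptables_numeric_only
```

With both results recorded, a rule that names a user can be rejected when the rules are generated instead of failing with "id not found" when the ruleset is loaded.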
