On 11/25/2012 05:00 AM, Mr Dash Four wrote:
Quite a meaty release this...
1) The /etc/shorewall/secmarks and /etc/shorewall6/secmarks files now
support the UNTRACKED state. See the manpages for details.
From the man page: "CHAIN:STATE (chain) -
{P|I|F|O|T}[:{N|I|U|NI|NU|NIU|NUI:E|ER}]". Could you add IU (or UI, if you prefer)
state as well?
Done -- it is commit dbfc8057077950a909d27a5ce1b00f802730a1ff.
6) An additional format (3) has been added to the conntrack files. In
this format, zone names are not used in the SOURCE column; rather,
a suffix in the ACTION column determines which raw-table chain the
generated Netfilter rule will be placed in. See the manpages for
details.
Quite a lot of issues here:
1. http://www.shorewall.net/manpages/shorewall-conntrack.html is a dead link (Shorewall
-> Documentation -> IPv4 man pages -> conntrack)
Corrected -- thanks.
2. From the man pages for conntrack:
ACTION - {NOTRACK|CT:helper:name[(arg=val[,...])|CT:notrack}[:chain-designator]
This column is only present when FORMAT = 2. Values other than
NOTRACK or DROP require CT Target support in your iptables and kernel.
* NOTRACK or CT:notrack
Disables connection tracking for this packet.
* DROP
Added in Shorewall 4.5.10. Silently discard the packet.
[...]
Beginning with Shorewall 4.5.10, when FORMAT = 3, this column can end with a
colon followed by a chain-designator. The chain-designator can be one of the
following:
P The rule is added to the raw table PREROUTING chain. This is the
default if no chain-designator is present.
O The rule is added to the raw table OUTPUT chain.
PO or OP The rule is added to the raw table PREROUTING and OUTPUT
chains.
OK, so I assume that if FORMAT=3, ACTION column should NOT be present, right?
If so, how do I use DROP or any other actions then?
The action column is present and may contain DROP. Manpages corrected.
3. "DROP" is not included as being allowed in the ACTION column in the
ACTION format specified in that man page (assuming that it is and the
correct format is
"{DROP|NOTRACK|CT:helper:name[(arg=val[,...])|CT:notrack}[:chain-designator]").
Correct.
4. Moving on, and ignoring the above "FORMAT=2 only" text in the man
page and also assuming that the correct format for "FORMAT 3" is to
include the ACTION column with the format I specified in 3 above,
including the "DROP" action:
conntrack
~~~~~~~~~
DROP:O :+baddies-set[dst]
Gives me "ERROR: Invalid notrack ACTION ( DROP:O )"
Duh -- tested 'P' and 'PO' but not 'O'; patch attached.
5. FORMAT 3 itself:
From the man page (conntrack):
[...]
in FORMAT 3, the SOURCE column accepts no zone name; rather the ACTION column allows
a SUFFIX that determines the chain(s) that the generated rule will be added to.
[...]
SOURCE (formats 1 and 2) - {zone[:interface][:address-list]|COMMENT}
[...]
SOURCE (formats 3) - {-|[:interface][:address-list}
Why can't you get rid of the ":chain-designator" from ACTION (FORMAT 3) and
have the following in SOURCE instead:
I considered that approach but rejected it.
1) A chain is not a SOURCE and using a chain-designator in place of
a zone is not intuitive.
2) The chain-designator suffix is already well-established in the
tcrules file.
3) As you point out below, additional hackery is required to resolve
zone/chain-designator name collisions.
Finally - a suggestion (new feature): would it be possible to add SWITCH column
to actions/macros?
It's already there -- just not documented.
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
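The chain-designator rules quoted from the man page above, as an added example that is not Shorewall's own Perl code: a small parser for the FORMAT 3 ACTION column that splits off the trailing designator, maps it to the raw-table chain(s), validates the remaining action, and reproduces the "Invalid notrack ACTION" error for a suffix it does not recognise. The rule expansion at the end is an illustrative mapping of actions to iptables targets, not Shorewall's generated output, and the sample entry is constructed from the thread.

```python
import re

# Chain-designator suffixes from the conntrack(5) excerpt quoted above:
# P is the default, O selects OUTPUT, PO/OP select both raw-table chains.
CHAIN_DESIGNATORS = {
    "P": ("PREROUTING",),
    "O": ("OUTPUT",),
    "PO": ("PREROUTING", "OUTPUT"),
    "OP": ("PREROUTING", "OUTPUT"),
}

# Base actions allowed once the suffix is removed (the corrected format
# {DROP|NOTRACK|CT:helper:name[(arg=val[,...])]|CT:notrack}).
_BASE_ACTION = re.compile(
    r"^(?:DROP|NOTRACK|CT:notrack|CT:helper:[A-Za-z0-9_-]+(?:\([^()]*\))?)$"
)

# Anchored at end of string: a designator is only ever a trailing ':X'.
# Note the letter O, not the digit 0, which is the typo the attached patch fixes.
_SUFFIX = re.compile(r":(P|O|PO|OP)$")


def parse_conntrack_action(action: str):
    """Return (base_action, raw_table_chains, needs_ct_target) for a
    FORMAT 3 ACTION value, or raise ValueError as Shorewall does."""
    chains = CHAIN_DESIGNATORS["P"]          # default when no suffix is given
    m = _SUFFIX.search(action)
    base = action[: m.start()] if m else action
    if m:
        chains = CHAIN_DESIGNATORS[m.group(1)]
    if not _BASE_ACTION.match(base):
        # Same message the thread reports for the unrecognised 'DROP:O'.
        raise ValueError(f"Invalid notrack ACTION ( {action} )")
    # Per the man page, only NOTRACK and DROP work without CT target support.
    return base, chains, base.startswith("CT:")


def raw_rules_for(action: str, match: str):
    """Expand one conntrack entry into the raw-table chains it lands in.
    'match' is the remaining iptables match text (constructed for the demo)."""
    base, chains, _ = parse_conntrack_action(action)
    # Illustrative target mapping (hypothetical, not Shorewall's compiler output).
    target = {"DROP": "DROP", "NOTRACK": "CT --notrack",
              "CT:notrack": "CT --notrack"}.get(base)
    if target is None:                        # CT:helper:name[(args)]
        target = "CT --helper " + base[len("CT:helper:"):].split("(")[0]
    return [f"-t raw -A {chain} {match} -j {target}" for chain in chains]


if __name__ == "__main__":
    # Constructed sample mirroring the thread's entry: DROP:O with an ipset match.
    for line in raw_rules_for("DROP:O", "-m set --match-set baddies-set dst"):
        print(line)
```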
diff --git a/Shorewall/Perl/Shorewall/Raw.pm b/Shorewall/Perl/Shorewall/Raw.pm
index 0e5a120..31b6e6d 100644
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -260,7 +260,7 @@ sub setup_conntrack() {
} else {
process_conntrack_rule( undef, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
}
- } elsif ( $action =~ s/:0$// ) {
+ } elsif ( $action =~ s/:O$// ) {
process_conntrack_rule( $raw_table->{OUTPUT}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
} elsif ( $action =~ s/:OP// || $action =~ s/:PO// ) {
process_conntrack_rule( $raw_table->{PREROUTING}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
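Review bot: the corrected `:O` branch is anchored with `$`, but the `:OP`/`:PO` branch right below it still uses unanchored substitutions (`$action =~ s/:OP// || $action =~ s/:PO//`), so those designators are stripped wherever they occur in the action rather than only as a trailing suffix; for consistency with `s/:O$//` they should be `s/:OP$//` and `s/:PO$//`. Given that the original digit-zero typo slipped through because only 'P' and 'PO' were exercised, a test case for `DROP:O` (the entry from the report) would guard against this regressing.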
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel