On May 1, 2011, at 4:24 PM, Mr Dash Four wrote:

>> The attached patch corrects both issues. As I mentioned above, a 0x prefix
>> is required if the device number is not numeric.
>
> That, for me, partially works:
>
> tcdevices:
> 1. 0A:eth0 is silently accepted (it gives an error only when it is used)
> 2. 0xA:eth0 - ERROR: Invalid interface NUMBER (0xA)
> 3. A:eth0 is silently accepted (the only way this interface could be used is
> by referring to it by "eth0", otherwise it triggers an error)

Given that there is no ambiguity in the tcdevices file, the last form is all
that the patch supports. The patch attached to this post allows the second
form. Supporting the first form requires a patch that is too extensive to
include in a patch release.

> I was unable to test the second part of this patch fully (it works when the
> interface is referred to by its "native" name, i.e. "eth0:1" triggers an
> error as expected, but I'd like to test this with the aliases above to make
> sure).
>
> 4.
> tcdevices:
> A:eth0 - 100mbit classify,hfsc
> [...]
>
> tcclasses:
> eth0:11 - 10*full/100:50ms 20*full/100 1 tcp-ack
> [...]
>
> Passes compilation, but triggers the following error:
>
> shorewall[1566]: RTNETLINK answers: Invalid argument
> shorewall[1566]: We have an error talking to the kernel
> shorewall[1566]: ERROR: Command "tc filter add dev eth0 parent 10:0
> protocol ip prio 266 u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0
> match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid a:11" Failed

The second attached patch should fix this one.

> Finally, I found what I think is an ipsets syntax bug in shorewall. This is
> what I tested in the rules file:
>
> 1. "ACCEPT:info $FW net:!+[my-host[src]],+ssh-host[dst] tcp" produces this:
>
> Chain fw2net (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ~excl0     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
>
> Chain ~excl0 (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           match-set my-host src
>     0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           match-set ssh-host dst
>     0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:fw2net:ACCEPT:'
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
>
> If we are to accept that the above is correct, meaning "!" has an effect on
> the whole line after the "!" sign, I then have two more tests:

That is the way that Shorewall exclusion lists have always worked. So we
can't change that without breaking people's existing configurations.

> 2. "ACCEPT:info $FW net:!+my-host[src],!+ssh-host[dst] tcp" produces
> "ERROR: Invalid DEST network list (!+my-host[src],!+ssh-host[dst])" - fair
> enough - it does not accept double negatives, though I think it should.

Again, this is the way that Shorewall exclusion lists have always worked.
',!' is never accepted.

> 3. But then "ACCEPT:info $FW
> net:!10.1.0.7,10.1.0.9,+[!my-host[src]],+[!ssh-host[dst]] tcp" produces this:
>
> Chain fw2net (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ~excl0     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           ! match-set my-host src
>     0     0 ~excl0     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           ! match-set ssh-host dst
>
> Chain ~excl0 (2 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 RETURN     all  --  *      *       0.0.0.0/0            10.1.0.7
>     0     0 RETURN     all  --  *      *       0.0.0.0/0            10.1.0.9
>     0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:fw2net:ACCEPT:'
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
>
> Which it shouldn't if we are to assume that 1 above is right!

The +[...] construct is hiding the double negative from the top-level list
validator. I'll work on a patch that rejects such a rule.

-Tom
TC1.patch
Description: Binary data
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
PGP.sig
Description: This is a digitally signed message part
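The three rules Tom states for exclusion lists (the first "!" excludes everything after it, ",!" is never accepted, and a "!" hidden inside "+[...]" is a double negative the top-level validator must also catch) are small enough to model in a few lines. The following is an added example written for this page, not Shorewall's own code (the Shorewall compiler is Perl; this is a Python re-implementation of the stated rules only). The names NetworkListError, split_top_level, parse_network_list and validate are hypothetical, and the handling of a "+[!set]" that appears before any exclusion has started is an assumption the thread does not settle.

```python
# Added example, not Shorewall's own code. Models the exclusion-list rules
# from the thread for a Shorewall-style network list such as
# "!10.1.0.7,10.1.0.9,+[!my-host[src]]":
#   1. the first top-level '!' excludes every element after it;
#   2. a second top-level '!' (",!") is rejected;
#   3. a '!' inside a "+[...]" ipset group after an exclusion has started
#      is also a double negative and is rejected.
# All names below are hypothetical.


class NetworkListError(ValueError):
    """Rejection of a list, like Shorewall's 'ERROR: Invalid DEST network list'."""


def split_top_level(text):
    """Split on commas that are not inside [...] so "+[a[src],b[dst]]" stays whole."""
    items, current, depth = [], [], 0
    for ch in text:
        if ch == '[':
            depth += 1
        elif ch == ']':
            depth -= 1
            if depth < 0:
                raise NetworkListError("unbalanced ']' in %r" % text)
        if ch == ',' and depth == 0:
            items.append(''.join(current))
            current = []
        else:
            current.append(ch)
    if depth != 0:
        raise NetworkListError("unbalanced '[' in %r" % text)
    items.append(''.join(current))
    return items


def parse_network_list(text):
    """Return (include, exclude) element lists or raise NetworkListError.

    Once a top-level '!' is seen, every later element lands in `exclude`
    (rule 1). A later '!' at top level (rule 2) or inside a +[...] group
    (rule 3) is a double negative and is rejected. A '!' inside +[...]
    before any exclusion has started is passed through unchanged; that is
    an assumption of this example, not something the thread settles.
    """
    include, exclude = [], []
    excluding = False
    for item in split_top_level(text):
        if not item:
            raise NetworkListError("empty element in %r" % text)
        negated = item.startswith('!')
        body = item[1:] if negated else item
        if negated:
            if excluding:
                raise NetworkListError("',!' is not accepted: %r" % text)
            excluding = True
        # This is the case the top-level check in the thread let through:
        # the negation sits inside the +[...] group, not at the top level.
        if excluding and body.startswith('+[') and '!' in body:
            raise NetworkListError(
                "negation inside %s after '!' is a double negative: %r" % (body, text))
        (exclude if excluding else include).append(body)
    return include, exclude


def validate(text):
    """Return None when the list is accepted, otherwise the rejection message."""
    try:
        parse_network_list(text)
    except NetworkListError as exc:
        return str(exc)
    return None


if __name__ == '__main__':
    # The three DEST lists from the thread, in order: accepted, rejected, rejected.
    for rule in ("!+[my-host[src]],+ssh-host[dst]",
                 "!+my-host[src],!+ssh-host[dst]",
                 "!10.1.0.7,10.1.0.9,+[!my-host[src]],+[!ssh-host[dst]]"):
        print(rule, '->', validate(rule) or parse_network_list(rule))
```

Run as-is, the first list from the thread parses to an empty include list and both ipsets excluded (matching the two RETURN rules in ~excl0 above), the second is rejected at the top level, and the third is now rejected because the bracket-aware splitter keeps "+[!my-host[src]]" as one element and the negation inside it is checked against the exclusion already in effect.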
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
