On 01/06/2013 07:10 AM, Mr Dash Four wrote:
> These relate to shorewall version 4.5.11 and above:
>
> 1. ADD(setname:flags) (same with DEL) does not work with sets containing
> the "-" character (such sets are accepted by shorewall anywhere else):
>
> rules
> ~~~~~
> ADD(+mickey-mouse:dst,dst) $FW net
>
> Gives me "ERROR: Expected ipset name (mickey-mouse)".
Hmmm - That rule compiles error-free for me; git shows that bug was
corrected in a commit on October 2 of last year.
>
> In addition, I don't see any sense whatsoever in restricting "setname"
> to start with the plus sign (+) - in other places, like "rules",
> "blrules" etc, set names must be distinguished from, say, zones,
> therefore adding "+" makes perfect sense there, but in the ADD/DEL
> commands/actions the "setname" can only be .... erm, a set name, so I
> don't see why the "+" is needed there - set names should be specified as
> a string of characters, without the requirement of prepending them with
> a "+". In other words "ADD(mickey-mouse:dst,dst)" should be allowed.
Agreed. Change will be in Beta 4.
>
> 2. Multiple ?IF ... ?ELSE ... ?ENDIF statements for a "single-line"
> iptables statement in custom action does not work:
>
> actions
> ~~~~~~~
> IELOG inline # $1=accept|drop|reject - if specified, add AUDIT($1) action
> # $2='log' - If specified, add LOG statement.
> # $3=<switch_suffix> - if specified, add a switch (in the form of @{chain}_$3)
> # $4 - if specified, add action (DROP, ACCEPT etc) at the end to be executed
>
> action.IELOG
> ~~~~~~~~~~~~
> ?IF $1
> AUDIT($1)
> ?IF $3
> ; switch:@{chain}_$3
> ?ENDIF
> ?ENDIF
> ?IF $2 && ($2 eq 'log')
> LOG:info(tcp_options,ip_options,macdecode,tcp_sequence,uid)
> ?IF $3
> ; switch:@{chain}_$3
> ?ENDIF
> ?ENDIF
> ?IF $4
> $4
> ?IF $3
> ; switch:@{chain}_$3
> ?ENDIF
> ?ENDIF
>
>
> rules
> ~~~~~
> # The idea of the following action below is to produce:
> # "AUDIT(drop) $FW net ; switch:fw2net_mamas", followed by
> # "LOG:info(tcp_options,ip_options,macdecode,tcp_sequence,uid) $FW net ;
> switch:fw2net_mamas" and finally
> # "DROP $FW net ; switch:fw2net_mamas"
> IELOG(drop,log,mamas,DROP) $FW net
>
> The above, though, gives me " ERROR: TARGET must be specified".
> "Joining" the lines in IELOG using "\" did not have any effect (still
> gives me an error).
If you code action.IELOG as follows, it works:
?FORMAT 2
?IF $1
AUDIT($1) \
?IF $3
; switch:@{chain}_$3
?ELSE
?ENDIF
?ENDIF
?IF $2 && ($2 eq 'log')
LOG:info(tcp_options,ip_options,macdecode,tcp_sequence,uid) \
?IF $3
; switch:@{chain}_$3
?ELSE
?ENDIF
?ENDIF
?IF $4
$4 \
?IF $3
; switch:@{chain}_$3
?ELSE
?ENDIF
?ENDIF
teastep@gateway:~/test$ shorewall check -r .
...
-A fw2net -m condition --condition fw2net_mamas -j AUDIT --type drop
-A fw2net -m condition --condition fw2net_mamas -j LOG --log-tcp-options
--log-ip-options --log-macdecode --log-tcp-sequence --log-uid
--log-level 6 --log-prefix "Shorewall:fw2net:LOG:"
-A fw2net -m condition --condition fw2net_mamas -j DROP
...
teastep@gateway:~/test$
You need the blank ?ELSE parts because of line continuation in the event
that arguments are omitted.
>
> 3. "SECTION RELATED" ("rules") problems:
>
> Let's assume that I have defined the following IELOG action:
>
> action.IELOG
> ~~~~~~~~~~~~
> ?IF $1 && ($1 eq 'log')
> LOG:info(uid,tcp_options,ip_options,macdecode,tcp_sequence)
> ?ENDIF
> ?IF $2
> NFLOG($2,0,1)
> ?ENDIF
> ?IF $3
> NFLOG($3,0,1)
> ?ENDIF
> ?IF $4
> AUDIT($4)
> ?ENDIF
> ?IF $5
> $5
> ?ENDIF
>
> rules
> ~~~~~
> SECTION RELATED
>
> # local
> ACCEPT $FW local icmp destination-unreachable
> IELOG(log,1,2,-,ACCEPT) $FW local
> ACCEPT local $FW icmp destination-unreachable
> IELOG(log,1,2,-,ACCEPT) local $FW
>
> Produces this:
>
> [...]
> -A fw2local -p 1 --icmp-type 3 -m conntrack --ctstate RELATED -j ACCEPT
> -A fw2local -j LOG --log-uid --log-tcp-options --log-ip-options
> --log-macdecode --log-tcp-sequence --log-level 6 --log-prefix
> "Shorewall:fw2local:LOG:" -m comment --comment "IELOG"
> -A fw2local -j NFLOG --nflog-group 1 --nflog-range 0 --nflog-threshold 1
> --nflog-prefix "Shorewall:fw2local:LOG:" -m comment --comment "IELOG"
> -A fw2local -j ACCEPT -m comment --comment "IELOG"
> -A fw2local -m conntrack --ctstate RELATED -g A_DROP
> [...]
> -A local2fw -p 1 --icmp-type 3 -m conntrack --ctstate RELATED -j ACCEPT
> -A local2fw -j LOG --log-uid --log-tcp-options --log-ip-options
> --log-macdecode --log-tcp-sequence --log-level 6 --log-prefix
> "Shorewall:local2fw:LOG:" -m comment --comment "IELOG"
> -A local2fw -j NFLOG --nflog-group 1 --nflog-range 0 --nflog-threshold 1
> --nflog-prefix "Shorewall:local2fw:LOG:" -m comment --comment "IELOG"
> -A local2fw -j ACCEPT -m comment --comment "IELOG"
> -A local2fw -m conntrack --ctstate RELATED -g A_DROP
>
> The above statements should all be with a "--ctstate RELATED" match
> (possibly in a separate chain as well to avoid multiple "--ctstate
> RELATED" comparisons - see bug 4 next, below), but aren't.
Yep. General problem of inline actions invoked in sections other than
NEW. Patch RELATED.patch attached.
I'll respond to the other issues as time permits.
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 3fff9d1..01c6edb 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -2322,7 +2322,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
);
}
- unless ( $section eq 'NEW' || $inchain ) {
+ unless ( $section eq 'NEW' || $inaction ) {
if ( $config{FASTACCEPT} ) {
fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" unless
$section eq 'BLACKLIST' ||
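Review bot: The swap of `$inchain` for `$inaction` in the `unless ( $section eq 'NEW' || ... )` guard carries no comment explaining why the old flag was wrong, and nothing in the visible context shows which of the two flags is set while an inline action is being expanded into the invoking chain; a one-line comment above the `unless` stating that inline actions must inherit the section's conntrack state match while regular actions (which run in their own chain) must not would make the intent checkable by the next reader. Since the guard now lets rules expanded from inline actions into this block, the `fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes"` check will also fire for them; confirm that is intended. Adding the reporter's SECTION RELATED / IELOG(log,1,2,-,ACCEPT) case as a regression test that the generated fw2local LOG, NFLOG and ACCEPT entries carry `-m conntrack --ctstate RELATED` would pin the fix down.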
signature.asc
Description: OpenPGP digital signature
_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
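The check a practitioner would want after applying RELATED.patch is a quick way to confirm that every rule an inline action emitted inside SECTION RELATED actually carries the conntrack state match, rather than reading the chain dump by eye. The script below is an added example written for this thread; it is not code from the original post or from Shorewall. It parses `-A <chain> ...` lines in iptables-save / `shorewall check -r` style, joins rules that a mail client wrapped across lines, and reports every rule in the chains of interest that lacks `-m conntrack --ctstate RELATED`. The chain names, the helper names and the sample dump are assumptions; the sample is constructed from the fw2local/local2fw output quoted in bug 3, so it reproduces the three unmatched rules per chain the reporter describes.

```python
import re
import shlex

# Lines of an iptables-save / `shorewall check -r` dump that begin a rule.
RULE_RE = re.compile(r'^-A\s+(\S+)\s+(.*)$')


def parse_rules(dump):
    """Yield (chain, tokens) for every -A line in `dump`.

    Mail clients wrap long rules; any line that does not start with '-A '
    (and is not a blank or a "[...]" elision) is treated as the continuation
    of the previous rule and joined back on before tokenising.
    """
    joined = []
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith('['):
            continue
        if line.startswith('-A '):
            joined.append(line)
        elif joined:
            joined[-1] += ' ' + line
    for line in joined:
        m = RULE_RE.match(line)
        if m:
            yield m.group(1), shlex.split(m.group(2))


def has_ctstate(tokens, state):
    """True if the rule loads '-m conntrack' and its --ctstate list contains `state`."""
    has_module = any(tokens[i] == '-m' and tokens[i + 1] == 'conntrack'
                     for i in range(len(tokens) - 1))
    if not has_module:
        return False
    for i, tok in enumerate(tokens[:-1]):
        if tok == '--ctstate' and state in tokens[i + 1].split(','):
            return True
    return False


def target_of(tokens):
    """Return the -j/-g target of a rule, or None if it has none."""
    for i, tok in enumerate(tokens[:-1]):
        if tok in ('-j', '-g'):
            return tokens[i + 1]
    return None


def rules_missing_state(dump, chains, state='RELATED'):
    """Return [(chain, target, rule_text)] for rules in `chains` lacking the match."""
    found = []
    for chain, tokens in parse_rules(dump):
        if chain in chains and not has_ctstate(tokens, state):
            found.append((chain, target_of(tokens), ' '.join(tokens)))
    return found


# Constructed sample: the fw2local/local2fw output quoted in the bug report,
# wrapped exactly as it appeared in the mail.
SAMPLE_DUMP = """
[...]
-A fw2local -p 1 --icmp-type 3 -m conntrack --ctstate RELATED -j ACCEPT
-A fw2local -j LOG --log-uid --log-tcp-options --log-ip-options
--log-macdecode --log-tcp-sequence --log-level 6 --log-prefix
"Shorewall:fw2local:LOG:" -m comment --comment "IELOG"
-A fw2local -j NFLOG --nflog-group 1 --nflog-range 0 --nflog-threshold 1
--nflog-prefix "Shorewall:fw2local:LOG:" -m comment --comment "IELOG"
-A fw2local -j ACCEPT -m comment --comment "IELOG"
-A fw2local -m conntrack --ctstate RELATED -g A_DROP
[...]
-A local2fw -p 1 --icmp-type 3 -m conntrack --ctstate RELATED -j ACCEPT
-A local2fw -j LOG --log-uid --log-tcp-options --log-ip-options
--log-macdecode --log-tcp-sequence --log-level 6 --log-prefix
"Shorewall:local2fw:LOG:" -m comment --comment "IELOG"
-A local2fw -j NFLOG --nflog-group 1 --nflog-range 0 --nflog-threshold 1
--nflog-prefix "Shorewall:local2fw:LOG:" -m comment --comment "IELOG"
-A local2fw -j ACCEPT -m comment --comment "IELOG"
-A local2fw -m conntrack --ctstate RELATED -g A_DROP
"""

if __name__ == '__main__':
    for chain, target, rule in rules_missing_state(SAMPLE_DUMP, {'fw2local', 'local2fw'}):
        print(f'{chain}: target {target} has no --ctstate RELATED match: {rule}')
```

Run it against the output of `shorewall check -r` (or `iptables-save` on the running firewall) with the set of chains that SECTION RELATED rules populate; before the patch it lists the LOG, NFLOG and ACCEPT rules in each chain, and after the patch the list should be empty. The same function with `state='ESTABLISHED'` or `'INVALID'` covers the other non-NEW sections.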
