On 02/01/2013 08:01 PM, Mr Dash Four wrote:
>
>> 1) There are now two new sections in the rules file:
>>
>> INVALID [...] NOTRACK_DISPOSITION
>>
>> Valid values are CONTINUE, ACCEPT, DROP, REJECT, A_ACCEPT and
>> A_DROP.
>>
>> The default is CONTINUE, which provides compatibility with earlier
>> releases (the packets are subject to the rules in the NEW
>> section).
>>
>> NOTRACK_LOG_LEVEL.
>>
>> Determines logging of packets handled by NOTRACK_DISPOSITION. Empty
>> by default (no logging).
>>
> 1. Optimise same-jump and same-match rules which have different
> states:
>
> -A net2fw -m conntrack --ctstate ESTABLISHED -j ACCEPT
> -A net2fw -m conntrack --ctstate RELATED -j ACCEPT
>
> could be optimised to
>
> -A net2fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

Yes -- as I stated in my earlier post, there are still areas for
improvement in optimizing state handling.

>
> 2. INVALID_DISPOSITION: A_REJECT, A_ACCEPT and ACCEPT were accepted
> by shorewall (no errors were given), though these were ultimately
> ignored as no iptables rules were produced.
>
> At an earlier stage of the testing of this, the INVALID_DISPOSITION
> option seemed to be completely ignored whatever value I specified -
> if I have "INVALID_DISPOSITION=DROP" in shorewall.conf for example,
> there was nothing generated with an INVALID state match and DROP jump.
> Unfortunately, I was not able to reproduce this at the later stages.

Patch attached. Note that it removes A_ACCEPT and ACCEPT from the
possible choices for INVALID_DISPOSITION (which is as documented).

>
> 3. UNTRACKED_DISPOSITION (this is listed as NOTRACK_DISPOSITION in
> the announcement above, though "shorewall update" converts it and
> treats it as UNTRACKED_DISPOSITION): CONTINUE works, ACCEPT and
> A_ACCEPT are ignored completely for whatever reason (I expected -j
> ACCEPT/A_ACCEPT), A_DROP is accepted and works (this wasn't in the
> announcement) and A_REJECT is accepted (no syntax error is given),
> but ultimately no iptables rule is produced.

The attached patch should correct that problem as well.

>
> The strangest thing for UNTRACKED_DISPOSITION as well was that at
> one stage (at the beginning of the testing) I was able to produce an
> adequate rule only for some of the chains: I had the appropriate
> "--ctstate UNTRACKED -j <ACTION>" generated for my fw2local and
> local2fw for example, but not for the fw2net and net2fw chains. Again, I
> was unable to reproduce this later on, unfortunately!

There are two cases for handling <state>_DISPOSITION; one where the
secondary chain is created and one where it is not. One of them was
probably broken earlier (this was also the case in the problem corrected
by the attachment).

>
> 4. "SECTION UNTRACKED" is accepted (while "SECTION NOTRACK" isn't) as
> a section statement in (at least) "rules" (not that I am complaining,
> as to me it is more intuitive) - "ERROR: Invalid SECTION (NOTRACK)"
> is shown.

Yes -- obviously a typo in the release notes.

>
> 5. Similar to 1. above: if I have exactly the same statements in any
> two sections in "rules" (say INVALID and UNTRACKED), the chain itself
> is properly optimised, but the "state" isn't. I get this instead:
>
> -A fw2net -m conntrack --ctstate INVALID -j ~comb0
> -A fw2net -m conntrack --ctstate UNTRACKED -j ~comb0
>
> That should have been "-A fw2net -m conntrack --ctstate
> INVALID,UNTRACKED -j ~comb0"
>

That's an even harder case for the compiler to detect.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index b2c663b..f455f88 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -5348,7 +5348,7 @@ sub get_configuration( $$$$ ) {
}
if ( $val = $config{INVALID_DISPOSITION} ) {
- if ( $val =~ /^(?:A_)?(?:DROP|ACCEPT)$/ ) {
+ if ( $val =~ /^(?:A_)?DROP$/ ) {
$globals{INVALID_TARGET} = $val;
} elsif ( $val eq 'REJECT' ) {
$globals{INVALID_TARGET} = 'reject';
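Review bot: tightening the pattern to `^(?:A_)?DROP$` removes ACCEPT and A_ACCEPT as intended, but A_REJECT still falls past both branches visible here: it no longer matches the new regex and `$val eq 'REJECT'` only matches the unaudited spelling, so whatever branch follows the shown `elsif` decides what happens to it. The bug report says A_REJECT was previously accepted without error and then silently produced no rule, so confirm that the remaining branch raises a fatal error for it (or, if A_REJECT is meant to be supported, map it to an audited reject the way plain REJECT is mapped to 'reject' here), and make sure the shorewall.conf documentation for INVALID_DISPOSITION lists exactly the values this regex now accepts.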
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 5af80ba..b12610d 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -950,6 +950,8 @@ sub finish_chain_section ($$$) {
delete $state{ESTABLISHED};
}
+ $target = ensure_audit_chain( $target ) if ( $targets{$target} || 0 ) & AUDIT;
+
add_ijump( $chainref, g => $target, state_imatch $_ );
}
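Review bot: the added `$target = ensure_audit_chain( $target ) if ( $targets{$target} || 0 ) & AUDIT;` reassigns `$target` in the same block as `add_ijump( $chainref, g => $target, state_imatch $_ )`; if that block is the body of a loop over states (the `$_` in `state_imatch $_` suggests it is), every iteration after the first looks up `$targets{<audit chain name>}` instead of `$targets{A_DROP}`, and the result then depends on the audit chain's name not being a key in `%targets` so that `|| 0` yields 0 and the call is skipped. Compute the audited target once, before the loop, and leave the loop body free of the reassignment. Keep the parentheses around `( $targets{$target} || 0 )` when moving it: Perl's `&` binds tighter than `||`, so without them the expression would become `$targets{$target} || (0 & AUDIT)` and the AUDIT bit would never be tested.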
_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
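The rule merging discussed in items 1 and 5 of the thread above, as an added illustration that is not part of Shorewall's compiler or of the posted patch: a small Python pass over iptables-style rules that combines consecutive rules in the same chain which differ only in their --ctstate list and share every other match and the jump target. The sample rules are constructed for the example, and the function name merge_ctstate_rules is an assumption of this illustration. It merges only adjacent rules, because hoisting a rule over an intervening one would change which rule a packet hits first, and it leaves negated (`! --ctstate`) rules alone, since `! --ctstate A` followed by `! --ctstate B` is not equivalent to `! --ctstate A,B`.

```python
import re
from typing import List, Optional, Tuple

# One iptables append rule of the shape Shorewall emits, e.g.
#   -A net2fw -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Groups: the chain, everything before the state option (which must end with
# the conntrack match), an optional negation, the state list, and everything
# after it (remaining matches and the jump target).
_CTSTATE_RULE = re.compile(
    r"^-A (?P<chain>\S+) (?P<pre>.*?-m conntrack )(?P<neg>! )?"
    r"--ctstate (?P<states>[A-Z_]+(?:,[A-Z_]+)*)(?P<post>.*)$"
)

Key = Tuple[str, str, str]  # (chain, text before --ctstate, text after it)


def _render(key: Key, states: List[str]) -> str:
    chain, pre, post = key
    return f"-A {chain} {pre}--ctstate {','.join(states)}{post}"


def merge_ctstate_rules(rules: List[str]) -> List[str]:
    """Combine adjacent rules that differ only in their --ctstate list.

    Two rules are merged when they are consecutive in the input, append to
    the same chain, carry identical text before and after the conntrack
    state option (so the same -j target) and neither one is negated.
    Anything else is passed through unchanged and breaks the adjacency, so
    the first rule matching any given packet is the same before and after.
    """
    out: List[str] = []
    current: Optional[Tuple[Key, List[str]]] = None  # parsed form of out[-1]
    for line in rules:
        m = _CTSTATE_RULE.match(line)
        if m is None or m.group("neg"):
            out.append(line)
            current = None
            continue
        key = (m.group("chain"), m.group("pre"), m.group("post"))
        states = m.group("states").split(",")
        if current is not None and current[0] == key:
            merged = current[1]
            for s in states:
                if s not in merged:  # keep first-seen order, drop repeats
                    merged.append(s)
            out[-1] = _render(key, merged)
        else:
            current = (key, list(states))
            out.append(_render(key, current[1]))
    return out


# Constructed sample, modelled on the two optimisation reports in the thread.
SAMPLE_RULES = [
    "-A net2fw -m conntrack --ctstate ESTABLISHED -j ACCEPT",
    "-A net2fw -m conntrack --ctstate RELATED -j ACCEPT",
    "-A fw2net -m conntrack --ctstate INVALID -j ~comb0",
    "-A fw2net -m conntrack --ctstate UNTRACKED -j ~comb0",
    "-A fw2net -m conntrack --ctstate NEW -j DROP",           # different target
    "-A fw2net -m conntrack --ctstate ESTABLISHED -j ACCEPT",
    "-A fw2net -p tcp --dport 22 -j ACCEPT",                  # breaks adjacency
    "-A fw2net -m conntrack --ctstate RELATED -j ACCEPT",
    "-A loc2fw -m conntrack ! --ctstate INVALID -j ACCEPT",   # negated: untouched
    "-A loc2fw -m conntrack ! --ctstate NEW -j ACCEPT",
]

if __name__ == "__main__":
    for rule in merge_ctstate_rules(SAMPLE_RULES):
        print(rule)
```

The order of the states inside the merged --ctstate list follows the input (ESTABLISHED,RELATED rather than the RELATED,ESTABLISHED written in the report); the kernel treats the list as a set, so either spelling is the same match. The pass works on the emitted rule text, which is why the INVALID/UNTRACKED pair from item 5 merges here even though Shorewall generated the two rules from different sections.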
