I realize I should have sent a trace in addition to the information below. That trace is attached. I used -T in the trace since this seems to be a perl thing. Parsing of the SOURCE goes wrong in isolate_source_interface. Given a rule with SOURCE of "uw:ref.cac.washington.edu" the zone is stripped off leaving "ref.cac.washington.edu" and in isolate_source_interface it ends up in the else clause of the code below which is incorrect.
if ( $family == F_IPV4 ) {
    # 'interface:address' form: a colon separates the interface from the networks
    if ( $source =~ /^(.+?):(.+)$/ ) {
        $iiface = $1;
        $inets  = $2;
    # no colon, but it looks like a network spec: optional '!', then an ipset (+),
    # exclusion (&/~/%), country code (^) or a dotted number
    } elsif ( $source =~ /^!?(?:\+|&|~|%|\^|\d+\.)/ ) {
        $inets = $source;
    # anything else (including a bare hostname) is taken to be an interface name
    } else {
        $iiface = $source;
    }
}
This seems like very core parsing so I'm not sure why I'd be hitting
this and thus don't feel like I should be trying to second guess the
pattern matching and offer a patch.
-Eric
On Fri, Jan 11, 2013 at 4:47 PM, Eric Horst <[email protected]> wrote:
> We don't upgrade very often, today I'm going from 4.4.25.2 to
> 4.5.11.2. I've upgraded and am working through the "shorewall check"
> to ensure that our configs are compatible and fixing any changes. I've
> been through the docs and upgrade notes several times on this one.
>
> We have a single-interface firewall which is used to protect the
> firewall host only i.e. a host-based firewall. This is in use on about
> 600 servers.
>
> interfaces:
> - enet physical=+
>
> hosts:
> net enet:0.0.0.0/0
> uw enet:$N_ALL_UW_AFFILIATED
>
> zones:
> host firewall
> uw ipv4
> net ipv4
>
>
> This is the typical format of a rule in the rules file (included by a
> SHELL directive):
> ACCEPT uw:homer.u.washington.edu host 22
>
> After upgrading to 4.5.11.2 and running shorewall check I get this error:
> ERROR: Unknown Interface (homer.u.washington.edu)
> SHELL@/etc/shorewall/rules:17 (line 96)
> from /etc/shorewall/rules (line 17)
>
> This can be fixed by adding the interface name like this:
> ACCEPT uw:enet:ref.cac.washington.edu host 22
>
> Yet the docs imply that the interface is optional (by showing it in
> square brackets) as it always has in the past:
>
> SOURCE -
> {zone|zone-list[+]|{all|any}[+][-]}[:interface][:{address-or-range[,address-or-range]...[exclusion]|exclusion|+ipset|^countrycode-list}
>
> I don't really want to go through all our rules to add this and try to
> retrain all my people to remember to put it in since it's supposed to
> be optional. Did I not read some recent change that made this
> non-optional? Or are there config elements that now cause it to be
> required?
>
> Thanks,
>
> -Eric
trace.gz
Description: GNU Zip compressed data
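The classification Eric describes, worked through as an added example that is not part of the thread and not Shorewall's own code: a Python re-implementation of the two regexes from the quoted F_IPV4 branch (Python's re evaluates them the same way Perl does), a simplified zone-stripping step that is an assumption of this example (Shorewall's real handling of zone lists and all/any is not modelled), and a small scanner that reads rules text and reports SOURCE entries the branch would take for an interface name that is not defined. The sample rules are constructed from the hostnames quoted in the thread.

```python
import re

# Added example (not Shorewall's own code): a small model of how the SOURCE
# column of a Shorewall rule is split up, built around the two regexes in the
# F_IPV4 branch of isolate_source_interface quoted in the message above.
IFACE_AND_NETS = re.compile(r'^(.+?):(.+)$')
LOOKS_LIKE_NETS = re.compile(r'^!?(?:\+|&|~|%|\^|\d+\.)')


def strip_zone(source):
    """Split 'zone:rest' into (zone, rest).

    Simplified assumption: Shorewall's real zone handling also covers zone
    lists, 'all'/'any' and the '+'/'-' modifiers; only the plain 'zone:...'
    form from the thread is modelled here.
    """
    zone, sep, rest = source.partition(':')
    return zone, (rest if sep else '')


def isolate_source_interface(source):
    """Mirror the quoted IPv4 branch and return (iiface, inets).

    1. 'something:rest'                              -> interface, networks
    2. starts with !, +, &, ~, %, ^ or digits-and-dot -> networks only
    3. anything else                                 -> an interface name
    A bare hostname has no colon and starts with a letter, so it lands in
    case 3, which is why the compiler reports it as an unknown interface.
    """
    m = IFACE_AND_NETS.match(source)
    if m:
        return m.group(1), m.group(2)
    if LOOKS_LIKE_NETS.match(source):
        return None, source
    return source, None


def parse_rule_source(source):
    """Full SOURCE column -> {'zone', 'iiface', 'inets'}."""
    zone, rest = strip_zone(source)
    iiface, inets = isolate_source_interface(rest) if rest else (None, None)
    return {'zone': zone, 'iiface': iiface, 'inets': inets}


def flag_unknown_interfaces(rules_text, known_interfaces):
    """Scan rules-file text and list (line number, token) pairs whose SOURCE
    would be read as an interface that is not in known_interfaces.
    Intended as a quick pre-check before running 'shorewall check'."""
    hits = []
    for lineno, line in enumerate(rules_text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        columns = line.split()
        if len(columns) < 2:
            continue
        parsed = parse_rule_source(columns[1])
        iiface = parsed['iiface']
        if iiface is not None and iiface not in known_interfaces:
            hits.append((lineno, iiface))
    return hits


# Constructed sample rules in the layout used in the thread
# (ACTION SOURCE DEST PORT); the hostnames are the ones quoted above.
SAMPLE_RULES = """\
# constructed sample, not a real rules file
ACCEPT uw:homer.u.washington.edu host 22
ACCEPT uw:enet:ref.cac.washington.edu host 22
ACCEPT net:10.0.0.0/8 host 80
ACCEPT net:enet host 443
"""

if __name__ == '__main__':
    for src in ('uw:ref.cac.washington.edu', 'uw:enet:ref.cac.washington.edu',
                'net:10.0.0.0/8', 'uw:!192.168.1.1', 'net:enet'):
        print(src, '->', parse_rule_source(src))
    print('would be reported as Unknown Interface:',
          flag_unknown_interfaces(SAMPLE_RULES, {'enet'}))
```

Run against the sample, only the first rule is flagged: once the zone is stripped, "homer.u.washington.edu" contains no colon and starts with a letter, so neither regex matches and it falls through to the interface branch. Writing the interface explicitly (zone:interface:hostname) makes the first regex match, which is exactly the workaround found in the thread; an address, ipset, exclusion or country code is caught by the second regex and never hits the problem.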
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
