https://wiki.debian.org/Janitor lintian-brush UNRELEASED The Barlaque Release - FIXME: uruk-save should save _all_ chains, in order to cooperate with user defined chains like e.g. DOCKER-INGRESS and DOCKER-USER. Thanks Lars Biemans for reporting this issue - (See doc/debian-bug-704807.mbox doc/debian-bug-705687.mbox doc/debian-bug-720306.mbox ) - #925297 uruk: migrate from iptables and ip6tables to nftables From: Joost van Baal-Ilić Date: Fri, 22 Mar 2019 16:28:30 +0100 ------------------------------------------------------------------------------ - FIXME: deal sane with nics with : or - or @ in their name. (NB: since 2 sept 2024 this is partially fixed.) We've encountered names like br-6db7f6344a04 and eth0:1 and docker@if2 for nics. this code: for iface in ${interfaces} do eval "is=\$ips_${iface}" currently breaks on it. dash(1): "Variables set by the user must have a name consisting solely of alphabetics, numerics, and underscores - the first of which must not be numeric." i guess best way to deal with it: sources_three_default_udp_syslog nicname_three="eth3" if, for a found nic "foo", no nicname_blah exists, then assume "foo" is the nicname: full backwards compatibility for iface in ${interfaces} do something smarter also: we have code duplication: 4 times in uruk.in we do: eval "is=\$ips_${iface}" case $is in '') interfaces_x=$iface ;; *) interfaces_x= for i in $is do interfaces_x="$interfaces_x ${iface}_$i" done esac FIXME: stick that in some function? todo: grasp the meaning of all that code: typically we have: interfaces="eth0 eth1" ips_eth1="default local" ip_eth1_local=10.0.0.1 . What could ${iface}_$i possibly be!? a fully featured test case: interfaces="eth0 three" ips_eth0=default ip_eth0_default=10.56.0.201 ip6_eth0_default=2006:488:1a9b::4a54:e8ff:fe2b:f25c ips_three="default local" ip_three_default=192.168.0.4 ip_three_local=10.0.0.1 nicname_three="a:b-c" services_eth0_default_tcp="mail local" sources_eth0_default_tcp_mail="10.0.0.0/24 192.0.32.0/24" sources_eth0_default_tcp_local="10.56.0.0/16" ports_eth0_default_tcp_mail=smtp ports_eth0_default_tcp_local="ssh ftp" services_three_default_tcp="web" sources_three_default_tcp_web="::/0" ports_three_default_tcp_web="80 443" test it by running: URUK_CONFIG=my/uruk/rc URUK_IPTABLES='echo iptables' URUK_IP6TABLES='echo ip6tables' uruk NB: init/autodetect-ips also would need an overhaul... and how backwards compatible do we want to be there....? current list of nics: % ip a | grep '^[^ ]' | cut -d: -f2 | sed 's/^ *//' see also its-unix/doc/uruk-docker-bug-log.pod (and https://fruit.je/docker-and-iptables) (and its-unix/systems/kakuna usr/local/sbin/docker-netns ) ------------------------------------------------------------------------------ 2020-07 add PDX-License-Identifier to sources нед 12 09:14 < joostvb> # SPDX-License-Identifier: GPL-2.0-or-later нед 12 09:14 < joostvb> zo werkt t dus https://spdx.dev/ids/ ---- уто 04 14:17 < Fruit> en GOED TESTEN ---- deal with https://bugs.debian.org/704807 "autodetect non-routable nets". see also uruk-pkg/autodetect-nonroutable.diff ---- FIXME: stop dit in documentatie: Date: Wed, 9 Mar 2016 11:10:41 +0100 From: Casper Gielen Subject: Uruk met VLANs op Debian Message-ID: <56DFF6A1.8000203@uvt.nl> voor de Uruk Knowledge Base: Uruk met VLANS op Debian ======================== 1. Installeer het debian pakket "vlan"; 2. gebruik "vlan" in /etc/network/interfaces en /etc/uruk/*; 3. voeg een "vlan-raw-device" statement toe aan /etc/network/interfaces. Toelichting =========== Uruk is niet compatible met de standaard Linux/Debian VLAN-benaming omdat er een puntje in de naam zit en dat mag niet in een Bash-variable. De simpele oplossing is om een naam te nemen zonder puntje maar /etc/network/interfaces eist tegenwoordig juist dat er een puntje in de naam zit. Het alternatief is om het oude systeem te gebruiken zoals aangeboden door het 'vlan' package. Examples ======== ===/etc/network/interfaces=== # vlan95 = XM auto vlan95 iface vlan95 inet static address 137.56.126.123 netmask 255.255.255.0 gateway 137.56.126.1 vlan-raw-device eth0 ===/etc/uruk/rc=== interfaces='vlan95' ip_vlan95='137.56.126.1234' ip6_vlan95='3001::1:2:3:4' services_vlan95_tcp="ssh http" ... ---- fix in RPM: #796700 - uruk: Has init script in runlevel S but no matching service file Thanks fsateler@debian.org ---- do not ship rpm package until this is fixed: root@v:~# rpm -q --list iptables-ipv6 | grep lib /lib64/iptables/libip6t_CONNMARK.so /lib64/iptables/libip6t_DSCP.so /lib64/iptables/libip6t_HL.so /lib64/iptables/libip6t_LOG.so /lib64/iptables/libip6t_MARK.so /lib64/iptables/libip6t_NFQUEUE.so /lib64/iptables/libip6t_REJECT.so /lib64/iptables/libip6t_TRACE.so /lib64/iptables/libip6t_ah.so /lib64/iptables/libip6t_connmark.so /lib64/iptables/libip6t_dscp.so /lib64/iptables/libip6t_dst.so /lib64/iptables/libip6t_eui64.so /lib64/iptables/libip6t_frag.so /lib64/iptables/libip6t_hbh.so /lib64/iptables/libip6t_hl.so /lib64/iptables/libip6t_icmpv6.so /lib64/iptables/libip6t_ipv6header.so /lib64/iptables/libip6t_length.so /lib64/iptables/libip6t_limit.so /lib64/iptables/libip6t_mac.so /lib64/iptables/libip6t_mark.so /lib64/iptables/libip6t_multiport.so /lib64/iptables/libip6t_owner.so /lib64/iptables/libip6t_physdev.so /lib64/iptables/libip6t_policy.so /lib64/iptables/libip6t_rt.so /lib64/iptables/libip6t_standard.so /lib64/iptables/libip6t_state.so /lib64/iptables/libip6t_tcp.so /lib64/iptables/libip6t_udp.so root@v:~# service uruk force-reload Checking uruk (iptables): active uruk rules loaded Checking uruk (ip6tables): active uruk rules loaded Flushing all current iptables rules. Loading IPv4 uruk rules. Saving iptables ruleset: save "active" with counters. Flushing all current ip6tables rules. Loading IPv6 uruk rulesip6tables v1.3.5: Couldn't load match `conntrack':/lib64/iptables/libip6t_conntrack.so: cannot open shared object file: No such file or directory Try `ip6tables -h' or 'ip6tables --help' for more information. ip6tables v1.3.5: Couldn't load match `conntrack':/lib64/iptables/libip6t_conntrack.so: cannot open shared object file: No such file or directory root@v:~# rpm -q iptables-ipv6 iptables-ipv6-1.3.5-9.2.el5_8 Description: Red Hat Enterprise Linux Server release 5.11 (Tikanga) not supported by kernel? users of these system should explicitly disable IPv6 support in uruk? ---------- init script is buggy: - force-reload does not behave according to specs - reload should be supported ( restart stop and restart the service if it's already running, otherwise start the service reload cause the configuration of the service to be reloaded without actually stopping and restarting the service, force-reload cause the configuration to be reloaded if the service supports this, otherwise restart the service. The start, stop, restart, and force-reload options should be supported by all scripts in /etc/init.d, the reload option is optional. чет 02 10:16 < casper> https://www.debian.org/doc/debian-policy/ch-opersys.html#s9.3.2 ) one possible solution: enforce running uruk in uruk_save-mode; no longer support setups having enable_uruk_save=false. reload and force-reload should act the same ------ Wessel fixt dit: пон 30 11:34 < joostvb_thuis> we weten nog niet of r n uruk-bug is, wel? пон 30 11:34 < joostvb_thuis> met dat gedoe met uruk is not running пон 30 11:34 < Fruit> volgens mij is het een transitieprobleem пон 30 11:35 < Fruit> maar dat weet ik niet 100% zeker пон 30 11:35 < joostvb_thuis> en dus niet 100% zeker of dat transitieprobleem in uruk zit пон 30 11:35 < joostvb_thuis> of in de debian packaging пон 30 11:35 < joostvb_thuis> of in onze zut пон 30 11:35 < Fruit> combi пон 30 11:36 < Fruit> mijn hypothese is dat als je overschakelt naar uruk_save en er draaide al een uruk, dat-ie dat dan niet doorheeft пон 30 11:36 < joostvb_thuis> klinkt best aannemelijk пон 30 11:36 < Fruit> want hij is gestart zonder uruk_save пон 30 11:36 < Fruit> dus geen save-file aangemaakt пон 30 11:36 * joostvb_thuis gaat t tot de bodem uitzoeken пон 30 11:37 < Fruit> ik heb wel de nieuwe uruk draaien op pichu пон 30 11:37 < Fruit> fwiw пон 30 11:37 < joostvb_thuis> die .deb prerelease? пон 30 11:37 < Fruit> ja ========================== somewhat less urgent issues ---- пон 30 11:38 < Fruit> ik heb trouwens opeens een file /etc/uruk/extra.d/version пон 30 11:39 < Fruit> terwijl ik me niet kan herinneren die ooit aangemaakt te hebben пон 30 11:39 < Fruit> er zit een datum in de toekomst in пон 30 11:39 < Fruit> version=20160319 пон 30 11:41 < joostvb_thuis> zou n bug in uruk/NEWS kunnen zijn пон 30 11:41 < joostvb_thuis> dat dat niet gemeld wordt ------ think about systemd (and runit, while we're at it). ship a systemd (or go with lsb hack firing of systemd stuff via traditional init script) and a daemontools init thingie ------- document $uruk_version ------ document this: сре 20 16:41 < Fruit> joostvb: sctp-support in uruk zou handig zijn сре 20 16:46 < Fruit> joostvb: misschien ook meteen dccp dan maar --protocol protocol The protocol of the rule or of the packet to check. The specified protocol can be one of tcp, udp, udplite, icmp, icmpv6,esp, ah, sctp, mh or the spe‐ cial keyword "all", or it can be a numeric value, representing one of these protocols or a different one. A protocol name from /etc/protocols is also allowed. A "!" argument before the protocol inverts the test. The number zero is equivalent to all. "all" will match with all protocols and is taken as default when this option is omitted. Note that, in ip6tables, IPv6 extension headers except esp are not allowed. esp and ipv6-nonext can be used with Kernel version 2.6.11 or later. in script/uruk, see "for proto in tcp udp" and "--tcp-flags" see also iptables-extensions(8) - for proto in tcp udp + for proto in dccp sctp tcp udp sctp: find out about --chunk-types (vs --tcp-flags in tcp-case) --------------- phase out sources6 in uruk? is there still a use-case? ----- if uruk is configured for ipv4, but not for ipv6, it should block all ipv6 traffic. if uruk is configured for ipv6, but not for ipv4, it should block all ipv4 traffic. if uruk is not configured for ipv4 and not for ipv6, it should do nothing (as it currently does). fix bugs: querybts --mbox 705687 >debian-bug-705687.mbox doc/debian-bug-704807.mbox doc/debian-bug-705687.mbox doc/debian-bug-720306.mbox joostvb@arrr:ding% mailx -f ./doc/debian-bug-720306.mbox then give 'v' or 'p' or ~v or ~p #704807 [n|+u| ] [uruk] uruk: autodetect non-routable nets #720306 [n| | ] [uruk] uruk: incorrectly blocks and logs tcp RSET packets чет 20 11:06 < joostvb> Fruit: heb alleen https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=720306 nog, geloof ik чет 20 11:07 < joostvb> Fruit: ik weet niet hoe ik doe moet fixen, en ook niet of die bug er eigenlijk nog wel in zit.... чет 20 11:11 < Fruit> gewoon die RST-dingen niet loggen ofzo чет 20 11:20 < Fruit> ik zie ze iig nog steeds чет 20 14:47 < joostvb> niet loggen voelt niet goed чет 20 14:55 < Fruit> hoger loglevel dan? чет 20 14:55 < Fruit> zodat je ze kunt loggen als je da per se wil чет 20 14:55 < Fruit> net als broadcastcrap чет 20 15:22 < joostvb> broadcastcrap krijg je nu ook automagisch in je logs чет 20 15:22 < joostvb> das ook n bug dan чет 20 15:22 * joostvb noteert t --------------- #705687 [w| | ] [uruk] Provide "uruk diff" showing diff between running and config From: Thijs Kinkhorst Subject: Provide "uruk diff" showing diff between running and config Please provide an "uruk diff". When uruk config has been changed, this will output the difference between the currently installed firewall rules and the result of the config that would be installed when force-reload is used. This can be used to check whether any applied changes indeed have the desired effect, and just the desired effect. -------------- use new iptables: niet iptables-legacy maar nft/nftables see also Debian Bug #925297 "migrate from iptables and ip6tables to nftables" ---- пон 16 16:04 < joostvb> http://mdcc.cx/tmp/uruk/uruk_20130913-1_all.deb <- klaar voor testen пон 16 16:20 < thijs> joostvb: update-rc.d: warning: start and stop actions are no longer supported; falling back to defaults пон 16 16:21 < thijs> sid пон 16 16:22 < Fruit> ja logisch, gaat via dependencies nu toch пон 16 16:23 < joostvb> thijs: sysv-rc 2.88dsf-43 zie ik, zo zo en zie ook insserv package пон 16 16:24 < joostvb> thijs: maar t werkt verder wel, als je die warnign laat voor wat ie is? пон 16 16:24 < thijs> inderdaad, hij valt terug naar de defaults пон 16 16:25 < joostvb> ok, tnx voor testen See insserv(8) for lsb header descriptions likely removing # Default-Start: S # Default-Stop: 0 1 6 will fix that ------ lintian complains init.d-script-does-not-source-init-functions . Either change /etc/init.d/uruk's . $lsb_init_functions in . /lib/lsb/init-functions , add lintian override or fix /usr/share/lintian/checks/systemd.pm as shipped with lintian 2.5.17 ---------- stick in documentation somewhere: уто 03 09:24 < joostvb> hrm, "conntrack_max = (ram/16384) / (arch/32)" уто 03 09:24 < joostvb> waarom is dat? уто 03 09:24 < joostvb> omdat linus t zo wil? уто 03 09:39 < joostvb> t zou wel mooi zijn als t nog te overrulen is +Sep 2 14:04:21 tsingou kernel: [3459743.665364] nf_conntrack: table full, dropping packet. +root@tsingou:~# cat /proc/sys/net/nf_conntrack_maxnntrack_max +65536 +root@tsingou:~# wc -l /proc/net/ip_conntrack +63453 /proc/net/ip_conntrack +dus aardig vol ja +maar conntrack_max = (ram/16384) / (arch/32) = 64336 dus verhogen heeft geen zin. уто 03 09:54 < Fruit> joostvb: je kunt het overrulen уто 03 09:56 < casper> joostvb: afaik heb ik die formule op tory gebruikt уто 03 09:56 < casper> om uit te rekenen hoe hoog ik conntrack_max kon zetten уто 03 09:57 < casper> ik geloof niet dat het de default is -------- urukctl: document how to set up file access permissions in order to be able to run "urukctl create active" as non-root user. ------ Als lokale ip ongespecifeerd is, check verkeer dan niet op destination ip, maar alleen op source, port, etc. Handig bij dhcp en dynamische ipv6. Tnx Wessel voor idee. Bv. als ip_eth0_failover='', dan daar niet op checken. ------------------------------------------------------------------- kijk in /sys om netwerkinterfaces te vinden. via ip(1): is niet-standaard op red hat. mogelijk fijn voor niet-debian/niet-rh; bv. gentoo oid. ------- git should do "write to tempfile; fsync(); rename" when updating HEAD ref. due to powerfailure my HEAD ref file was empty. occured with git 1:1.7.10.4-1+wheezy1 ------ metagross# chmod a+x /tmp/urukctl metagross# /tmp/urukctl start Flushing all current iptables rules. Loading IPv4 uruk rules. Saving iptables ruleset: save "active" with counters. Flushing all current ip6tables rules. Loading IPv6 uruk rulesip6tables: Protocol wrong type for socket. ip6tables v1.4.14: host/network `' not found Try `ip6tables -h' or 'ip6tables --help' for more information. ip6tables v1.4.14: host/network `' not found Try `ip6tables -h' or 'ip6tables --help' for more information. ip6tables v1.4.14: host/network `' not found Try `ip6tables -h' or 'ip6tables --help' for more information. ip6tables v1.4.14: host/network `' not found Try `ip6tables -h' or 'ip6tables --help' for more information. ip6tables v1.4.14: host/network `' not found Try `ip6tables -h' or 'ip6tables --help' for more information. ip6tables v1.4.14: host/network `' not found Try `ip6tables -h' or 'ip6tables --help' for more information. . Saving ip6tables ruleset: save "active" with counters. metagross# ------------ - fix copyright in .azm: use template. - The revised uruk init script now exits succesfully when the uruk program is not installed, like any init script on Debian systems. FIXME Red Hat? ------------- FIXME: this is probably / partially fixed (as of < 2013-09) : plan: hernoem dit script naar uruk-ctl, schrijf nieuw sane init-script dat wel een configfile is, en dan is dit oude script geen debian config file meer. wo 22 10:51 < joostvb> Fruit: log_failure_msg "Aborting uruk initd: missing executable $i" wo 22 10:52 < Fruit> service uruk start wo 22 10:52 < Fruit> exit 0 wo 22 10:52 < joostvb> exit 5 wo 22 10:52 < joostvb> das fout? wo 22 10:52 < Fruit> root@fry:~# facedin wo 22 10:52 < Fruit> service uruk force-reload exited with status 5 wo 22 10:53 < Fruit> snmpd:test -x /usr/sbin/snmpd || exit 0 als je n /e/d/uruk hebt met enable-ipv6 call, en je doet dpkg --remove uruk: wo 22 16:40 /etc/init.d/uruk: 17: /etc/default/uruk: enable-ipv6: not found en als je n /e/d/uruk hebt zionder enable-ipv6 call: wo 22 16:41 root@bender:~# facedin wo 22 16:41 service uruk force-reload exited with status 5 ------------- init/enable-ipv6 doc/default : currently enable_ipv6=false means: do not call ip6tables. it should mean: block all ipv6 traffic. see NEWS. vr 22 10:16 <@Fruit> joostvb: als IPv6 disabled is in uruk, misschien gewoon alle IPv6-verkeer blokkeren? vr 22 10:17 <@Fruit> alle tables wissen en de policy op DROP zetten? vr 22 10:17 <@Fruit> ik kan wel ff een mooie autistische ruleset in elkaar zetten vr 22 10:22 < joostvb> ja, graag zo'n autistische ruleset voor ipv6 Date: Fri, 22 Mar 2013 11:00:13 +0100 From: Wessel Dankers To: Joost Subject: autistische IPv6-rulebase Message-ID: <20130322100013.GN2849@homsar.uvt.nl> Om te voeren aan ip6tables-restore: *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT DROP [0:0] COMMIT *raw :PREROUTING DROP [0:0] :OUTPUT DROP [0:0] COMMIT *mangle :PREROUTING DROP [0:0] :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT DROP [0:0] :POSTROUTING DROP [0:0] COMMIT Zonder ip6tables-restore: ip6tables -F ip6tables -t raw -F ip6tables -t mangle -F ip6tables -P INPUT DROP ip6tables -P FORWARD DROP ip6tables -P OUTPUT DROP ip6tables -t raw -P PREROUTING DROP ip6tables -t raw -P OUTPUT DROP ip6tables -t mangle -P PREROUTING DROP ip6tables -t mangle -P INPUT DROP ip6tables -t mangle -P FORWARD DROP ip6tables -t mangle -P OUTPUT DROP ip6tables -t mangle -P POSTROUTING DROP Dit gaat er trouwens wel vanuit dat je in uruk de policies op ACCEPT instelt, iets wat sowieso zou moeten gebeuren (anders kun je niet robuust een ruleset laden). ----------- later: reimplement uruk-save in perl, be sure to run it only when /usr is mounted, not in init-script during boot. from group/uruk/etc/uruk/rc-experimental by Wessel Dankers, 2012: ------------------- di 23 15:50 < Fruit> joostvb: Saving iptables ruleset: save "inactive". di 23 15:50 < Fruit> joostvb: dat probeer ik te voorkomen, met enable_autosave=false en enable_save_counters=false di 23 15:51 < Fruit> joostvb: maar dat blijft-ie doen - enable ip-not-yet-known. for roaming users, for fast-chagnging ipv6 adresses,for interfaces for which ip is not yet known. optionally: allow specifying range as local adress. tnx Wessel for reporting issue. - init script *** /var issue 2 init scripts eentje doet deny alles tweede doet stuff alternatief: ifupdown /etc/network/interfaces en vooral /etc/init.d/networking /run is cleared during reboot. we'd prefer to be able to load from saved state during boot. therefore, first block everything. later, when /var etc. are available, run uruk. what to do before halt? *** rh issue /etc/redhat-lsb/lsb_* geleverd door redhat-lsb-4.0-3.el6.x86_64 License GPL, by Lawrence Lim e.a., 2011, for Red Hat, Inc. -------------- - decide: fork this package, get new name, don't bother about migration scenario, use dedicated named chains and tables. - major overhaul: use different chains, optimise behaviour when dealing with ipv6. we deal with private ip ranges in a braindead way; improve that. - test on dijkstra, rolle, bruhat, freitag root@janacopoulos:/tmp# wget http://mdcc.cx/tmp/uruk/uruk_20110602-1_all.deb && dpkg -i uruk_20110602-1_all.deb ------------- - add a full IPv6 example to uruk-rc manpage (we now only have the example rc-file). - 28 14:11 < joostvb> ip6_noroute_ranges='::1/128 ffff:0:0::/96 fc00::/7 fec0::/10 0200::/7 2001:0db8::/32' vr 28 14:14 < Fruit> joostvb: overigens kun je in IPv6 veel beter over *routable* spreken dan unroutable vr 28 14:14 < Fruit> 2000::/3 is gewoon de enige die routeerbaar is, de rest is lokaal vr 28 14:26 < Fruit> 2001:0DB8::/32 has been assigned as a NON-ROUTABLE range to be used for documentation purpose [RFC3849]. vr 28 14:26 < Fruit> daar gaat de mooie 2000::/3 regel :( -------------------------------------------------- - improve flush: Subject: Re: uruk Re: iptables leegflikkeren: lelijk maar robuust Wessel Dankers In-Reply-To: <20110114092236.GA14988@dijkstra.uvt.nl> > Op Fri 14 Jan 2011 om 10:17:10 +0100 schreef Wessel Dankers: > > iptables-save | > > sed -rn 's/^:([A-Z]+) [A-Z]+ \[[0-9]+:[0-9]+\]$/:\1 ACCEPT [0:0]/p; /^(\*|COMMIT$)/p' | > > iptables-restore - gebruik voor net_foo strings als privnet-10 privnet-0 privnet-172 - 29 15:16 < fvos> joostvb: misschien kan het al, maar op de eee wil ik dat het ook kan werken als er per verbinding een ander ip-adres is za 29 15:18 < fvos> checking van de rc-file is er niet, zoals je zelf aangeeft, maar met de xml+xsl-aanvulling van mij kun je de instelling-documenten valideren tegen een xsd en het bestand opdelen in logische bestanden die je met xinclude samenvoegt za 29 19:29 < joostvb> fvos: valideren tegen een xsd: patches welkom :) za 29 19:29 < joostvb> fvos: maar ik denk niet dat ik dat de default ga maken, dat ie dat doet - localhost is 0000:0000:0000:0000:0000:0000:0000:0001 aka Fri 18 10:36 < Fruit> ::1 000:0000:0000:0000:0000:0000:0000:0000/0 is ::/0 s/(^|:)(0+($|:))+/::/ rijen van woorden kun je afkorten tot :: Tnx Wessel http://www.faqs.org/rfcs/rfc3330.html - Suggested by Casper Gielen: enable broadcast/multicast filtering for IPv6 Carefull, this part is very different from IPv4. IPv6 does not support broadcast (at all) while support for multicast is mandatory. Do not block without a proper understanding of what you are blocking. Very likely needs to get implemented in script/uruk.in near "# Don't answer broadcast and multicast packets" ----------------------------------------------------- RSN: write urukconfig : generate uruk rc file based upon currently offered network services. all services will be available for _all_ IPs (or perhaps just local network?) Packages could run this to generate a first rc file. ----------------------------------- - use ip{,6}tables-apply by Martin Krafft: safe testing of new rules on remote host. - get rid of duplicated code in init-script: if test "$found_active" -a "$found_inactive"; then eval found_$rule=1 - dpkg --remove uruk does not remove symlinks in /etc/rcS.d/; init-script fails hard if binary gone. - dpkg --purge uruk does not remove /var/lib/uruk/iptables/active. - "status" is borken in case IPv6 is enabled (found on yosida): root@yosida:~# invoke-rc.d uruk start Saving IPv4 uruk rules as active ruleset. Loading iptables ruleset: load "active". Starting uruk (iptables) Saving IPv6 uruk rules as active ruleset. Loading ip6tables ruleset: load "active". Starting uruk (ip6tables) root@yosida:~# /etc/init.d/uruk status * Checking uruk (iptables): both active and inactive rulesets present, but active ruleset not loaded * Checking uruk (ip6tables): both active and inactive rulesets present, but active ruleset not loaded - "start" when uruk is running flushes and reloads current active ruleset. Should it do this? Or should it rather be a no-op? check lsb. - add a "dump-status" option to init-script: dump details about status, keep tmpfiles. usefull for debugging. - /etc/init.d/uruk flush does not flush nat nor mangle table. This means force-reload breaks when these tables are in use. See comment near initd_flush. Fix this, and accept the introduced cruft. Tnx Wessel. - Phase out support for services_eth0_udp, but enforce ipS_eth0; warn for obsolete syntax ----------------- end of candidates for some upcoming release ------------- ----------------- stuff which just might happen one day ------------------- - improve documentation on usage with non-fixed IPs, refer to /etc/network/if-up.d/uruk. - using names of interfaces in names of variables is dumb. the characters @ : . occur in interface names, but are not allowed in variable names. E.g. eth0.54@eth0 and vif6.0 and eth0:3 - use functions log_daemon_msg log_end_msg log_action_msg in init-script, see e.g. firehol init script - Thu 20 23:13 < fvos> joostvb: ik zou de huidige rc graag gesplitst zien in meerdere losse bestanden, bijvoorbeeld 'networks', 'sources' en zo. Daardoor kunnen de entries in die bestanden ook eenvoudiger namen hebben en is misschien kwaliteitscontrole op missende verwijzingen ook eenvoudiger. Fri 21 05:37 < joostvb> fvos: een syntax-checker zou inderdaad wel handig zijn ja - Phase out support for rc_e - Debian package: S40uruk could better be S41uruk: explicitly start after networking (which is S40networking). - We setup firewall rules only _after_ the network interfaces are configured. This is dumb: we are vulnerable for bugs in the kernel's IP stack. One solution for this: Create an /etc/init.d/uruk-pre script, which is run as early as possible, and _before_ network interfaces are configured. It should disable all networktraffic (except for traffic on loopbackinterface). Only later, networkinterfaces are configured, /etc/init.d/uruk is run and networkservices are started. (N.B.: so even with the current setup we _do_ protect our services). - In uruk-rc manpage, include example rc-file verbatim. - Create "upload" target in /Makefile.am - Improve examples in documentation: joostvb: ik geloof dat ":" een leuke shorthand is voor "alle poorten" - Fix bugs in uruk script: (force-)reload should do something sane when uruk not running. - Check documentation: uruk-rc manpage needs more stuff. - Write a wrapper for OpenBSD's pf and FreeBSD's ipfilter, so that these tools can use the same rc file format. We'd also have to make sure init-script works on non-LSB-systems, then. - Reimplement uruk-save: make it more robust. See http://www.faqs.org/docs/iptables/iptables-save.html for example of file format. Use logic from iptables-save.c. - Think about alternative for uruk-save: create a chain, and enable it once it's fully build by doing just one iptables call. This would allow truly atomical loading of new rulesets. - Is it sane to allow all traffic in default inactive rule? - Check save_counters support in init script. It's likely broken. - Date: Wed, 9 Feb 2005 15:09:16 +0100 Message-ID: <20050209140916.GZ1487@trogdor.uvt.nl> Herken broadcasts (misschien aan destination MAC-adres?) en log ze niet. . alternative implementation: near code-snippet: # supporting this for multiple-ips would need multiple chains # or, perhaps, some iptables extension. This log-spamming happens only in multiple-ip-per-nic mode. Do DROP stuff just before log, would that work? (No, we really can't do something like "--dest !(ip1 or ip2 or ip3)".) . yet to implement: loglevel "high". Document multiple ip per nic logspamming bug. # this file maintained at http://git.mdcc.cx/uruk.git