Tom Eastep | 25 Jul 21:38 2014

Shorewall 4.6.2.2

Version 4.6.2.2 is now available for download.

Problems Corrected:

1)  The compiler now correctly detects the IPv6 "Header Match"
    capability when LOAD_MODULES_ONLY=No.

2)  The compiler now correctly detects the IPv6 "Ipset Match"
    capability on systems running a 3.14 or later kernel.

3)  The compiler now correctly detects "Arptables JF" capability when
    LOAD_MODULES_ONLY=No.

4)  The tcfilter manpages previously failed to mention that
    BASIC_FILTERS=Yes is required to use ipsets in the tcfilters files.

Thank you for using Shorewall.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Juan Pablo Sandoval Rivera | 25 Jul 05:28 2014

internet access from win7 (openvpn) through server (openvpn + shorewall)?

Good day list

I have the following case: a win7 machine connects with openvpn and can access the intranet (--redirect-gateway def1); I can access internal resources from the machine.
But when I do this, the win7 machine stops browsing. How do I set it up to browse using shorewall, getting out to the internet using the remote DNS server (where shorewall and the openvpn server are),
without making any kind of modification to the routing on win7?

Thank you


--
TRAIning and Support in unIx/linuX
Attachment (configs.tgz): application/x-gzip, 35 KiB

Raimonds Cicans | 25 Jul 01:18 2014

DNAT FTP from non standard port to standard port & passive FTP connections

Hello.

Short version: should rule like below work with passive FTP connections 
(from Shorewall / nf_conntrack_ftp point of view)?
DNAT    inet    dmz:somehost:21    tcp    someport

Long version:

First I want to apologize for not posting all required data.
This data contains sensitive information.
So I will try to describe the situation as much as possible.

shorewall version: 4.5.18
kernel version: 3.12.21
/etc/modprobe.d/ftp.conf: options nf_conntrack_ftp ports=21,24354
/sys/module/nf_conntrack_ftp/parameters/ports: 21,24354
/etc/shorewall/policy: inet    all    DROP    info
/etc/shorewall/rules: DNAT    inet    dmz:somehost:21    tcp 24354

Problem: command connections go to FTP server flawlessly but data 
connections get dropped by Shorewall

The previous administrator said it worked some time ago.

I tried to set nf_conntrack_ftp parameter "loose" to 1, but this did not 
help.

When I get access to the FTP server I will try to set its port to 24354.

FTP client logs show that the server sends its internal address as the 
address for data connections.

It looks like problem with nf_conntrack_ftp module...

Raimonds Cicans

Juan Pablo Sandoval Rivera | 23 Jul 15:27 2014

How to redirect from a tunnel (vpn) to internet by shorewall?

Hi,  I need help

A MSWin7 to connect by OpenVPN to shorewall but win7 can browse through shorewall; guide or document that you recommend?
Win7 (openvpn) -> Suse 10 (shorewall, openvpn) -> DNS (through the shorewall)
and connect to Intranet too,

--
TRAIning and Support in unIx/linuX

Thanks

Alan Barrett | 22 Jul 12:11 2014

tcfilters with +ipset in DEST column

I am trying to use an ipset in the DEST column in the tcfilters file,
like this:

#CLASS  SOURCE  DEST    PROTO   DPORT   SPORT   TOS     LENGTH  PRIO

2:100   0.0.0.0 +fast
2:200   0.0.0.0 +slow

where "fast" and "slow" are ipsets that contain IP addresses that
should get special treatment.  However, I get errors like this:

Compiling /etc/shorewall/tcfilters...
IN===> 2:100    0.0.0.0 +fast
   ERROR: An ipset name (+fast) is not allowed in this context /etc/shorewall/tcfilters (line 16) at /usr/share/shorewall/Shorewall/Config.pm line 1348.
        Shorewall::Config::fatal_error('An ipset name (+fast) is not allowed in this context') called at /usr/share/shorewall/Shorewall/IPAddrs.pm line 216
        Shorewall::IPAddrs::validate_4net('+fast', 0) called at /usr/share/shorewall/Shorewall/IPAddrs.pm line 878
        Shorewall::IPAddrs::validate_net('+fast', 0) called at /usr/share/shorewall/Shorewall/IPAddrs.pm line 302
        Shorewall::IPAddrs::decompose_net('+fast') called at /usr/share/shorewall/Shorewall/Tc.pm line 2023
        Shorewall::Tc::process_tc_filter1('2:100', 0.0.0.0, '+fast', '-', '-', '-', '-', '-', '-', ...) called at /usr/share/shorewall/Shorewall/Tc.pm line 2561
        Shorewall::Tc::process_tc_filter() called at /usr/share/shorewall/Shorewall/Tc.pm line 2579
        Shorewall::Tc::process_tcfilters() called at /usr/share/shorewall/Shorewall/Tc.pm line 2752
        Shorewall::Tc::process_traffic_shaping() called at /usr/share/shorewall/Shorewall/Tc.pm line 3003
        Shorewall::Tc::process_tc() called at /usr/share/shorewall/Shorewall/Compiler.pm line 774
        Shorewall::Compiler::compiler('script', '/var/lib/shorewall/.restart', 'directory', '', 'verbosity', 1, 'timestamp', 0, 'debug', ...) called at /usr/share/shorewall/compiler.pl line 152

--apb (Alan Barrett)

Alan Barrett | 19 Jul 15:09 2014

detect gateway for dhcp provider

I attempted to use a line like this in /etc/shorewall/providers:

#NAME   NUMBER  MARK    DUPLIC. INTERFACE       GATEWAY OPTIONS
#
ISP1    1       -       -       eth0            detect  track,balance=1

but the "detect" didn't work.  I forget the error message, but you 
don't need that because I found a fix.

I tracked it down to the detect_dynamic_gateway function in 
/usr/share/shorewall/lib.core, which was not handling the
${VARLIB}/dhcp/dhclient.${1}.leases file.

On my system (Debian 7.6 with isc-dhcp-client version 
4.2.2.dfsg.1-5+deb70u6), the file name is dhclient.eth0.leases, 
not dhclient-eth0.lease ("." instead of "-", and plural "leases" 
instead of singular "lease").  Also, the relevant line in the file 
looks like

 option routers 192.0.2.1;

with a trailing semicolon that needs to be removed when the
value is printed.

I attach a patch that should fix this issue.

--apb (Alan Barrett)
--- /usr/share/shorewall/lib.core.orig	2014-07-19 12:50:41.509285154 +0000
+++ /usr/share/shorewall/lib.core	2014-07-19 13:00:11.252206970 +0000
 <at>  <at>  -845,6 +845,7  <at>  <at> 
     local GATEWAYS
     GATEWAYS=
     local gateway
+    local file

     gateway=$(run_findgw_exit $1);

 <at>  <at>  -852,14 +853,21  <at>  <at> 
 	gateway=$( find_peer $($IP addr list $interface ) )
     fi

-    if [ -z "$gateway" -a -f ${VARLIB}/dhcpcd/dhcpcd-${1}.info ]; then
-	eval $(grep ^GATEWAYS=  ${VARLIB}/dhcpcd/dhcpcd-${1}.info 2> /dev/null)
+    file="${VARLIB}/dhcpcd/dhcpcd-${1}.info"
+    if [ -z "$gateway" -a -f "${file}" ]; then
+	eval $(grep ^GATEWAYS= "${file}" 2> /dev/null)
 	[ -n "$GATEWAYS" ] && GATEWAYS=${GATEWAYS%,*} && gateway=$GATEWAYS
     fi

-    if [ -z "$gateway" -a -f ${VARLIB}/dhcp/dhclient-${1}.lease ]; then
-	gateway=$(grep 'option routers' ${VARLIB}/dhcp/dhclient-${1}.lease | tail -n 1 | while read j1 j2
gateway; do echo $gateway ; return 0; done)
-    fi
+    for file in \
+	"${VARLIB}/dhcp/dhclient-${1}.lease" \
+	"${VARLIB}/dhcp/dhclient.${1}.leases"
+    do
+	[ -n "$gateway" ] && break
+	if [ -f "${file}" ]; then
+	    gateway=$(grep 'option routers' "${file}" | tail -n 1 | while read j1 j2 gateway; do echo
"${gateway%\;}" ; return 0; done)
+	fi
+    done

     [ -n "$gateway" ] && echo $gateway
 }
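
Review bot: In the new `for file in` loop, `"${gateway%\;}"` strips only the trailing semicolon, so an `option routers` line that lists more than one router leaves a comma-separated string in `gateway`, and the final unquoted `echo $gateway` prints it as if it were a single address. The dhcpcd branch just above already trims its list with `GATEWAYS=${GATEWAYS%,*}`; the dhclient branch should reduce the value to one address in the same spirit (for example by keeping only the text before the first comma) and, since the lease file content originates from the DHCP server, check that what remains looks like an address before echoing it.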

Michael Roth | 19 Jul 01:10 2014

broadcasts in IPv6?

Hello,

I came across a problem using shorewall6 version 4.5.21.6.  I think it 
all boils down to "there are no broadcast addresses in IPv6".

For demonstration purpose, network interface (dummy device, just for 
describing the problem) is configured like:

    eth1: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
     link/ether 16:ac:09:2b:bc:42 brd ff:ff:ff:ff:ff:ff
     inet6 2001:db8::/64 scope global
        valid_lft forever preferred_lft forever
     inet6 fe80::14ac:9ff:fe2b:bc42/64 scope link
        valid_lft forever preferred_lft forever

The assigned address is 2001:db8::/64 which is a perfectly legal IPv6 
address for a link.  It is nothing special compared to 2001:db8::1/64.

Trivial shorewall6 configuration:

zones:
###############################################################################
   #ZONE   TYPE            OPTIONS         IN OUT
   #                                       OPTIONS OPTIONS
   fw      firewall
   net     ipv6

interfaces:
###############################################################################
   #ZONE           INTERFACE               OPTIONS
   net             eth1

policy:
###############################################################################
   #SOURCE DEST    POLICY          LOG     LIMIT: CONNLIMIT:
   #                               LEVEL   BURST           MASK
   fw      net     ACCEPT
   net     fw      REJECT          info
   all     all     REJECT          info

Excerpt of created ip6tables rules:

   Chain Broadcast (1 references)
    pkts bytes target     prot opt in     out source               destination
       0     0 DROP       all      *      * ::/0                 2001:db8::
       0     0 DROP       all      *      * ::/0                 2001:db8::ffff:ffff:ff80/121
       0     0 DROP       all      *      * ::/0                 ff00::/8

First rule is wrong because 2001:db8:: is our address on the link which 
is not a broadcast address nor is in any case special. Second rule looks 
totally crude to me and I don't understand the purpose.   Third rule is 
multicast.  Don't know how shorewall6 is designed to handle this because 
it includes anycast addresses too.  (These rules are repeated in the 
"reject" chain.)

This issue results in the error that packets which should be rejected 
and logged as stated in the policy file get simply dropped without logging.

Of course, if you change the address of the interface to 2001:db8::1/64 
all seems to work ok, but the wrong rules are still present. Maybe the 
whole idea of broadcasts should be dropped in shorewall6?

Michael Roth

Thomas D. | 19 Jul 00:50 2014

"ERROR: ipset names in Shorewall configuration files require Ipset Match in your kernel and iptables" with 3.14.13 kernel

Hi,

strange problem:

All I did was upgrading a box from linux-3.10.49 to linux-3.14.13 kernel.

But with 3.14.13, shorewall6 doesn't start:

> # shorewall6 safe-restart
> Compiling...
> Processing /etc/shorewall6/params ...
> Processing /etc/shorewall6/shorewall6.conf...
> Loading Modules...
> Compiling /etc/shorewall6/zones...
> Compiling /etc/shorewall6/interfaces...
> Determining Hosts in Zones...
> Locating Action Files...
> Compiling /etc/shorewall6/policy...
> Compiling TCP Flags filtering...
> Compiling MAC Filtration -- Phase 1...
> Compiling /etc/shorewall6/blrules...
>    ERROR: ipset names in Shorewall configuration files require Ipset Match in your kernel and iptables /etc/shorewall6/blrules (line 12)

That's funny because shorewall (the ipv4 version) on the same system
works! And the blrules file is 100% identical:

BLACKLIST	net:+blacklist		$FW

> # ipset list blacklist
> Name: blacklist
> Type: list:set
> Revision: 2
> Header: size 8
> Size in memory: 112
> References: 1
> Members:
> blacklist4
> blacklist6

If I reboot into 3.10.49 shorewall6 works again.

shorewall6 show -f capabilities between 3.10.49 and 3.14.13 doesn't show
a difference:

> --- /root/capas-3.10.49.txt	2014-07-19 00:26:36.176612168 +0200
> +++ /root/capas-3.14.13.txt	2014-07-19 00:34:30.775595947 +0200
>  <at>  <at>  -1,5 +1,5  <at>  <at> 
>  #
> -# Shorewall6 4.5.21.10 detected the following iptables/netfilter capabilities - Sat Jul 19 00:26:36
CEST 2014
> +# Shorewall6 4.5.21.10 detected the following iptables/netfilter capabilities - Sat Jul 19 00:34:30
CEST 2014
>  #
>  ACCOUNT_TARGET=
>  ADDRTYPE=
>  <at>  <at>  -41,7 +41,7  <at>  <at> 
>  IPTABLES_S=Yes
>  IRC0_HELPER=
>  IRC_HELPER=
> -KERNELVERSION=31049
> +KERNELVERSION=31413
>  KLUDGEFREE=Yes
>  LENGTH_MATCH=Yes
>  LOGMARK_TARGET=

> # grep -i ipset ~/capas-3.14.13.txt 
> IPSET_MATCH=Yes
> IPSET_V5=Yes
> OLD_IPSET_MATCH=

Versions:

- Shorewall6 4.5.21.10
- ipset v6.21.1
- iptables v1.4.21

3.14.13 kernel cfg: http://bpaste.net/show/476344/

As said, it is the same config like I am using with 3.10.49... only with
"make oldconfig"...

I really don't understand what's going on because I have other boxes
where I did the same without any problems.

Any hints/ideas?

-Thomas

Tom Eastep | 18 Jul 21:41 2014

Shorewall 4.6.2.1

The Shorewall Team is pleased to announce that version 4.6.2.1 is now
available for download.  Version 4.6.2 was uploaded yesterday; this
morning, however, a couple of issues affecting all 4.6 versions
surfaced, thus prompting the release of 4.6.2.1.

Problems Corrected:

4.6.2.1

1)  Two issues with tcrules processing have been corrected:

    - SAVE and RESTORE generated fatal compilation errors.
    - '|' and '&' were ignored. That issue is also present in the
      processing of the mangle file

4.6.2

1)  The DSCP match in the mangle and tcrules files didn't work with
    service class names such as EF, BE, CS1, ... (Thibaut Chèze)

2)  The SAVE and RESTORE actions were disallowed in the OUTPUT chain in
    tcrules and mangle; this was a regression from 4.5.21.

3)  Additional ports required by Asus, Supermicro and Dell have been
    added to the IPMI macro (Tuomo Soini).

4)  Some issues regarding install under Cygwin64 have been addressed.

    - configure.pl did not understand CYGWIN returned from `uname`
    - Shorewall-core install.sh did not understand CYGWIN returned from
      `uname`.
    - The Shorewall and Shorewall6 installers tried to run the command
      'mkdir -p //etc/shorewall[6]' which is broken in the current
      Cygwin64.

New Features:

1)  The 'status' command now allows a -i option which causes the state
    of all optional and provider interfaces to be displayed.

    Example:

    root@gateway:/etc/shorewall# shorewall status -i
    Shorewall-4.6.1 Status at gateway - Wed Jun 18 14:27:19 PDT 2014

    Shorewall is running
    State:Started (Wed Jun 18 09:50:01 PDT 2014) from /etc/shorewall/
       (/var/lib/shorewall/firewall compiled by Shorewall version 4.6.1)

       Interface eth0 is Enabled
       Interface eth1 is Enabled
       Interface lo is Enabled

2)  A 'shorewall show blacklists' command has been
    implemented. The abbreviation 'bl' may be used in place of
    'blacklists'.

    The command displays the output of the 'dynamic' chain together
    with the chains created by entries in the blrules file.

3)  A TIME column has been added to the mangle file. It has the same
    use in that file as the corresponding column in the rules file.

4)  A stateful port knocking example has been added to the Events
    article (http://www.shorewall.net/Events.html). This example allows
    a sequence of knocking ports to be defined (Gerhard Weisinger).

5)  A macro supporting HP's Integrated Lights Out (ILO) has been added
    (Tuomo Soini).

6)  It is now possible to specify the MAC address of a provider
    GATEWAY. This is useful when there are multiple providers serviced
    by a single interface as it avoids the need for the generated
    script to detect the MAC during start/restart.

7)  The copyrights in the sample configuration files have been updated.

Thank you for using Shorewall.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Alan Barrett | 18 Jul 11:03 2014

tcrules "|" and "&" marks

I have shorewall 4.6.1.2 (Debian package version 4.6.1.2-1).

I am trying to set mark with "|" and "&" in the tcrules file, and 
it doesn't work.

The relevant lines in tcrules look like this:

# "OR" 0x40 into flags for packets to or from address 10.1.2.3,
# provided the connection mark is zero.
|0x40:P         10.1.2.3        0.0.0.0/0       -       { test=0:C }
|0x40:T         0.0.0.0/0       10.1.2.3        -       { test=0:C }

The relevant lines in the output from /sbin/shorewall trace safe-restart
look like this:

Compiling /etc/shorewall/tcrules...
IN===> |0x40:P          10.1.2.3        0.0.0.0/0       -       { test=0:C }
                NF-(A)-> mangle:tcpre:1         -A tcpre -s 10.1.2.3 -m connmark --mark 0/0xff  -j MARK --set-mark 0x40
IN===> |0x40:T          0.0.0.0/0       10.1.2.3        -       { test=0:C }
                NF-(A)-> mangle:tcpost:1        -A tcpost -d 10.1.2.3 -m connmark --mark 0/0xff  -j MARK --set-mark 0x40
   WARNING: Non-empty tcrules file (/etc/shorewall/tcrules); consider running 'shorewall update -t' at /usr/share/shorewall/Shorewall/Tc.pm line 3191.
        Shorewall::Tc::setup_tc(0) called at /usr/share/shorewall/Shorewall/Compiler.pm line 796
        Shorewall::Compiler::compiler('script', '/var/lib/shorewall/.restart', 'directory', '', 'verbosity', 1, 'timestamp', 0, 'debug', ...) called at /usr/share/shorewall/compiler.pl line 152

See it using "--set-mark" instead of "--or-mark".  Also, the 
message suggests that the tcrules file is deprecated, but the 
shorewall-tcrules man page does not appear to say it's deprecated.

I think this is a bug, and line 560 of Shorewall/Tc.pm looks 
suspicious:

	handle_mark_param('--set-mark' , , HIGHMARK );

handle_mark_param seems to expect the first argument to be false 
in the case that AND and OR handling is desired.

--apb (Alan Barrett)
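
A check for the symptom reported above, added here as an example (it is not Shorewall code and not from the poster): it pairs each IN===> entry in `shorewall trace` output with the NF-(A)-> rule generated for it and flags `|`/`&` entries compiled to a different MARK option, while `apply_mark` models what each option does to an existing mark. The second and third trace entries, the starting mark values and all function names are constructed for illustration.

```python
import re

# Constructed sample in the trace format quoted in the post above. The first
# entry is the one from the post; the other two are constructed for contrast.
SAMPLE_TRACE = """\
Compiling /etc/shorewall/tcrules...
IN===> |0x40:P          10.1.2.3        0.0.0.0/0       -       { test=0:C }
                NF-(A)-> mangle:tcpre:1         -A tcpre -s 10.1.2.3 -m connmark --mark 0/0xff  -j MARK --set-mark 0x40
IN===> &0x3f:T          0.0.0.0/0       10.1.2.3
                NF-(A)-> mangle:tcpost:1        -A tcpost -d 10.1.2.3 -j MARK --and-mark 0x3f
IN===> 0x10:P           10.9.9.9        0.0.0.0/0
                NF-(A)-> mangle:tcpre:2         -A tcpre -s 10.9.9.9 -j MARK --set-mark 0x10
"""

# MARK-target option each tcrules prefix is expected to compile to.
EXPECTED = {"|": "--or-mark", "&": "--and-mark"}
MARK_OPT = re.compile(r"-j MARK (--(?:set|or|and)-mark)\s+(\S+)")


def check_trace(text):
    """Return one finding per generated rule whose MARK option does not
    match the '|' or '&' prefix of the tcrules entry that produced it."""
    findings = []
    pending = None  # current '|'/'&' entry; stays set until the next IN===>
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("IN===>"):
            entry = s[len("IN===>"):].strip()
            pending = entry if entry[:1] in EXPECTED else None
        elif pending and s.startswith("NF-(A)->"):
            m = MARK_OPT.search(s)
            want = EXPECTED[pending[0]]
            if m and m.group(1) != want:
                findings.append(
                    {"entry": pending, "expected": want, "got": m.group(1)}
                )
    return findings


def apply_mark(mark, option, value):
    """Model the iptables MARK target on a 32-bit mark (no explicit mask)."""
    if option == "--set-mark":
        return value & 0xFFFFFFFF           # replaces every bit of the mark
    if option == "--or-mark":
        return (mark | value) & 0xFFFFFFFF  # sets bits, keeps the others
    if option == "--and-mark":
        return mark & value                 # clears bits outside value
    raise ValueError("unsupported option: " + option)


if __name__ == "__main__":
    for f in check_trace(SAMPLE_TRACE):
        print("MISMATCH: %s -> %s (expected %s)"
              % (f["entry"].split()[0], f["got"], f["expected"]))
    # A packet already carrying other mark bits (constructed value 0x105)
    # loses them under --set-mark and keeps them under --or-mark.
    print(hex(apply_mark(0x105, "--set-mark", 0x40)),
          hex(apply_mark(0x105, "--or-mark", 0x40)))
```

Feeding it the saved output of `shorewall trace check` before and after an upgrade shows whether marks set elsewhere (for example provider marks) are still being overwritten by entries that were meant only to set or clear individual bits.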

Alan Barrett | 18 Jul 10:34 2014

tcrules SAVE and RESTORE with mask

I have shorewall 4.6.1.2 (Debian package version 4.6.1.2-1).

I am trying to use SAVE and RESTORE actions in the tcrules file, 
with a non-default mask, and it doesn't work.  Here are the last 
few lines of output from /sbin/shorewall trace check:

Checking /etc/shorewall/tcrules...
IN===> SAVE(0x7f):T             0.0.0.0/0       0.0.0.0/0       all
   ERROR: Invalid SAVE ACTION (SAVE(0x7f):T) /etc/shorewall/tcrules (line 109) at /usr/share/shorewall/Shorewall/Config.pm line 1348.
        Shorewall::Config::fatal_error('Invalid SAVE ACTION (SAVE(0x7f):T)') called at /usr/share/shorewall/Shorewall/Tc.pm line 943
        Shorewall::Tc::process_tc_rule1('SAVE(0x7f):T', '0.0.0.0/0', '0.0.0.0/0', 'all', '-', '-', '-', '-', '-', ...) called at /usr/share/shorewall/Shorewall/Tc.pm line 1045
        Shorewall::Tc::process_tc_rule() called at /usr/share/shorewall/Shorewall/Tc.pm line 3180
        Shorewall::Tc::setup_tc(0) called at /usr/share/shorewall/Shorewall/Compiler.pm line 796
        Shorewall::Compiler::compiler('script', '', 'directory', '', 'verbosity', 1, 'timestamp', 0, 'debug', ...) called at /usr/share/shorewall/compiler.pl line 152

The documentation in the shorewall-tcrules and shorewall-mangle man
pages was inconsistent, with one suggesting that I needed

	SAVE[/mask]

and one suggesting

	SAVE[(/mask)]

Anyway, I tried all 8 possible combinations of with and without
parentheses, with and without slash, with and without :T.  Nothing
worked.

Am I doing something wrong, or is this a bug?  If it's a bug, my 
first suspect would be the "match" subs in the value of %tccmd 
assigned at line 853 of Shorewall/Tc.pm.

--apb (Alan Barrett)
