File: TODO

package info (click to toggle)
uruk 20190121-1
  • links: PTS, VCS
  • area: main
  • in suites: buster, sid
  • size: 1,188 kB
  • sloc: sh: 1,852; makefile: 151; xml: 51
file content (728 lines) | stat: -rw-r--r-- 25,639 bytes parent folder | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
jessie heeft init.d networking
stretch heeft networking.service

uruk 20180528 is alleen op jessie stuk

patch incoming!

----


уто 04 14:17 < Fruit> en GOED TESTEN

----

deal with https://bugs.debian.org/704807 "autodetect non-routable nets". see also
uruk-pkg/autodetect-nonroutable.diff

----

FIXME: stop dit in documentatie:

Date: Wed, 9 Mar 2016 11:10:41 +0100
From: Casper Gielen
Subject: Uruk met VLANs op Debian
Message-ID: <56DFF6A1.8000203@uvt.nl>

voor de Uruk Knowledge Base:

Uruk met VLANS op Debian
========================
1. Installeer het debian pakket "vlan";
2. gebruik  "vlan<num>" in /etc/network/interfaces en /etc/uruk/*;
3. voeg een "vlan-raw-device" statement toe aan /etc/network/interfaces.


Toelichting
===========
Uruk is niet compatible met de standaard Linux/Debian VLAN-benaming
omdat er een puntje in de naam zit en dat mag niet in een Bash-variable.

De simpele oplossing is om een naam te nemen zonder puntje maar
/etc/network/interfaces eist tegenwoordig juist dat er een puntje in de
naam zit. Het alternatief is om het oude systeem te gebruiken zoals
aangeboden door het 'vlan' package.


Examples
========
===/etc/network/interfaces===
# vlan95 = XM
auto vlan95
iface vlan95 inet static
        address 137.56.126.123
        netmask 255.255.255.0
        gateway 137.56.126.1
        vlan-raw-device eth0

===/etc/uruk/rc===
interfaces='vlan95'
ip_vlan95='137.56.126.1234'
ip6_vlan95='3001::1:2:3:4'
services_vlan95_tcp="ssh http"
...


----

- init/{uruk.service,Makefile.am}: ship and install 
  /lib/systemd/system/uruk.service.  FIXME probably doesn't work!!
  init/uruk.service : incomplete

----

fix in RPM: #796700 - uruk: Has init script in runlevel S but no matching service file
Thanks fsateler@debian.org

----

do not ship rpm package until this is fixed:

root@v:~# rpm -q --list iptables-ipv6 | grep lib
/lib64/iptables/libip6t_CONNMARK.so
/lib64/iptables/libip6t_DSCP.so
/lib64/iptables/libip6t_HL.so
/lib64/iptables/libip6t_LOG.so
/lib64/iptables/libip6t_MARK.so
/lib64/iptables/libip6t_NFQUEUE.so
/lib64/iptables/libip6t_REJECT.so
/lib64/iptables/libip6t_TRACE.so
/lib64/iptables/libip6t_ah.so
/lib64/iptables/libip6t_connmark.so
/lib64/iptables/libip6t_dscp.so
/lib64/iptables/libip6t_dst.so
/lib64/iptables/libip6t_eui64.so
/lib64/iptables/libip6t_frag.so
/lib64/iptables/libip6t_hbh.so
/lib64/iptables/libip6t_hl.so
/lib64/iptables/libip6t_icmpv6.so
/lib64/iptables/libip6t_ipv6header.so
/lib64/iptables/libip6t_length.so
/lib64/iptables/libip6t_limit.so
/lib64/iptables/libip6t_mac.so
/lib64/iptables/libip6t_mark.so
/lib64/iptables/libip6t_multiport.so
/lib64/iptables/libip6t_owner.so
/lib64/iptables/libip6t_physdev.so
/lib64/iptables/libip6t_policy.so
/lib64/iptables/libip6t_rt.so
/lib64/iptables/libip6t_standard.so
/lib64/iptables/libip6t_state.so
/lib64/iptables/libip6t_tcp.so
/lib64/iptables/libip6t_udp.so

root@v:~# service uruk force-reload
Checking uruk (iptables): active uruk rules loaded
Checking uruk (ip6tables): active uruk rules loaded
Flushing all current iptables rules.
Loading IPv4 uruk rules.
Saving iptables ruleset: save "active" with counters.
Flushing all current ip6tables rules.
Loading IPv6 uruk rulesip6tables v1.3.5: Couldn't load match `conntrack':/lib64/iptables/libip6t_conntrack.so: cannot open shared object file: No such file or directory

Try `ip6tables -h' or 'ip6tables --help' for more information.
ip6tables v1.3.5: Couldn't load match `conntrack':/lib64/iptables/libip6t_conntrack.so: cannot open shared object file: No such file or directory

root@v:~# rpm -q iptables-ipv6
iptables-ipv6-1.3.5-9.2.el5_8

Description:    Red Hat Enterprise Linux Server release 5.11 (Tikanga)

not supported by kernel?  users of these system should explicitly disable
IPv6 support in uruk?

----------

do not ship debian package until this is fixed:

init script is buggy:
- force-reload does not behave according to specs
- reload should be supported

(
restart
    stop and restart the service if it's already running, otherwise start the
    service

reload
    cause the configuration of the service to be reloaded without actually
    stopping and restarting the service,

force-reload
    cause the configuration to be reloaded if the service supports this,
    otherwise restart the service.

The start, stop, restart, and force-reload options should be supported by all
scripts in /etc/init.d, the reload option is optional.

чет 02 10:16 < casper> https://www.debian.org/doc/debian-policy/ch-opersys.html#s9.3.2
)

one possible solution: enforce running uruk in uruk_save-mode; no longer
support setups having enable_uruk_save=false. reload and force-reload should
act the same

------

Wessel fixt dit:
пон 30 11:34 < joostvb_thuis> we weten nog niet of r n uruk-bug is, wel?
пон 30 11:34 < joostvb_thuis> met dat gedoe met uruk is not running
пон 30 11:34 < Fruit> volgens mij is het een transitieprobleem
пон 30 11:35 < Fruit> maar dat weet ik niet 100% zeker
пон 30 11:35 < joostvb_thuis> en dus niet 100% zeker of dat transitieprobleem in 
                              uruk zit
пон 30 11:35 < joostvb_thuis> of in de debian packaging
пон 30 11:35 < joostvb_thuis> of in onze zut
пон 30 11:35 < Fruit> combi
пон 30 11:36 < Fruit> mijn hypothese is dat als je overschakelt naar uruk_save en er 
                      draaide al een uruk, dat-ie dat dan niet doorheeft
пон 30 11:36 < joostvb_thuis> klinkt best aannemelijk
пон 30 11:36 < Fruit> want hij is gestart zonder uruk_save
пон 30 11:36 < Fruit> dus geen save-file aangemaakt
пон 30 11:36  * joostvb_thuis gaat t tot de bodem uitzoeken

пон 30 11:37 < Fruit> ik heb wel de nieuwe uruk draaien op pichu
пон 30 11:37 < Fruit> fwiw
пон 30 11:37 < joostvb_thuis> die .deb prerelease?
пон 30 11:37 < Fruit> ja

==========================

somewhat less urgent issues

----

пон 30 11:38 < Fruit> ik heb trouwens opeens een file /etc/uruk/extra.d/version
пон 30 11:39 < Fruit> terwijl ik me niet kan herinneren die ooit aangemaakt te hebben
пон 30 11:39 < Fruit> er zit een datum in de toekomst in
пон 30 11:39 < Fruit> version=20160319
пон 30 11:41 < joostvb_thuis> zou n bug in uruk/NEWS kunnen zijn
пон 30 11:41 < joostvb_thuis> dat dat niet gemeld wordt

------

think about systemd (and runit, while we're at it)

ship a systemd (or go with lsb hack firing of systemd stuff via traditional
init script) and a daemontools init thingie

-------

document $uruk_version

------

document this:
сре 20 16:41 < Fruit> joostvb: sctp-support in uruk zou handig zijn
сре 20 16:46 < Fruit> joostvb: misschien ook meteen dccp dan maar
--protocol protocol
   The  protocol of the rule or of the packet to check.  The specified protocol
   can be one of tcp, udp, udplite, icmp, icmpv6,esp, ah, sctp, mh or the  spe‐
   cial  keyword "all", or it can be a numeric value, representing one of these
   protocols or a different one.  A protocol name from /etc/protocols  is  also
   allowed.   A  "!" argument before the protocol inverts the test.  The number
   zero is equivalent to all. "all" will match with all protocols and is  taken
   as  default  when  this  option  is  omitted.  Note that, in ip6tables, IPv6
   extension headers except esp are not allowed.  esp and  ipv6-nonext  can  be
   used  with Kernel version 2.6.11 or later.
in script/uruk, see "for proto in tcp udp" and "--tcp-flags"
see also iptables-extensions(8)
-        for proto in tcp udp
+        for proto in dccp sctp tcp udp
sctp: find out about --chunk-types (vs --tcp-flags in tcp-case)

---------------

phase out sources6 in uruk?  is there still a use-case?

-----

if uruk is configured for ipv4, but not for ipv6, it should block all ipv6 traffic.
if uruk is configured for ipv6, but not for ipv4, it should block all ipv4 traffic.
if uruk is not configured for ipv4 and not for ipv6, it should do nothing (as it currently does).

fix bugs:

querybts --mbox 705687 >debian-bug-705687.mbox
doc/debian-bug-704807.mbox  doc/debian-bug-705687.mbox  doc/debian-bug-720306.mbox
joostvb@arrr:ding% mailx -f ./doc/debian-bug-720306.mbox
then give 'v' or 'p' or ~v or ~p
    #704807 [n|+u|  ] [uruk] uruk: autodetect non-routable nets
    #720306 [n|  |  ] [uruk] uruk: incorrectly blocks and logs tcp RSET packets

чет 20 11:06 < joostvb> Fruit: heb alleen https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=720306 nog, 
                        geloof ik
чет 20 11:07 < joostvb> Fruit: ik weet niet hoe ik doe moet fixen, en ook niet of die bug er eigenlijk nog 
                        wel in zit....
чет 20 11:11 < Fruit> gewoon die RST-dingen niet loggen ofzo
чет 20 11:20 < Fruit> ik zie ze iig nog steeds
чет 20 14:47 < joostvb> niet loggen voelt niet goed
чет 20 14:55 < Fruit> hoger loglevel dan?
чет 20 14:55 < Fruit> zodat je ze kunt loggen als je da per se wil
чет 20 14:55 < Fruit> net als broadcastcrap
чет 20 15:22 < joostvb> broadcastcrap krijg je nu ook automagisch in je logs
чет 20 15:22 < joostvb> das ook n bug dan
чет 20 15:22  * joostvb noteert t

---------------

    #705687 [w|  |  ] [uruk] Provide "uruk diff" showing diff between running and config

From: Thijs Kinkhorst
Subject: Provide "uruk diff" showing diff between running and config

Please provide an "uruk diff". When uruk config has been changed, this will
output the difference between the currently installed firewall rules and
the result of the config that would be installed when force-reload is used.
This can be used to check whether any applied changes indeed have the
desired effect, and just the desired effect.

--------------

support for iptables-opvolger: niet netfilter maar ....

----

пон 16 16:04 < joostvb> http://mdcc.cx/tmp/uruk/uruk_20130913-1_all.deb <- klaar voor testen
пон 16 16:20 < thijs> joostvb: update-rc.d: warning: start and stop actions are no longer 
                      supported; falling back to defaults
пон 16 16:21 < thijs> sid
пон 16 16:22 < Fruit> ja logisch, gaat via dependencies nu toch
пон 16 16:23 < joostvb> thijs: sysv-rc 2.88dsf-43 zie ik, zo zo
en zie ook insserv package
пон 16 16:24 < joostvb> thijs: maar t werkt verder wel, als je die warnign laat voor wat ie 
                        is?
пон 16 16:24 < thijs> inderdaad, hij valt terug naar de defaults
пон 16 16:25 < joostvb> ok, tnx voor testen

See insserv(8) for lsb header descriptions

likely removing
# Default-Start:     S
# Default-Stop:      0 1 6
will fix that

------

lintian complains init.d-script-does-not-source-init-functions .
Either change /etc/init.d/uruk's

  . $lsb_init_functions

in

. /lib/lsb/init-functions

, add lintian override or fix /usr/share/lintian/checks/systemd.pm as shipped
with lintian 2.5.17

----------

stick in documentation somewhere:

уто 03 09:24 < joostvb> hrm, "conntrack_max = (ram/16384) / (arch/32)"
уто 03 09:24 < joostvb> waarom is dat?
уто 03 09:24 < joostvb> omdat linus t zo wil?
уто 03 09:39 < joostvb> t zou wel mooi zijn als t nog te overrulen is

+Sep  2 14:04:21 tsingou kernel: [3459743.665364] nf_conntrack: table full, dropping packet.
+root@tsingou:~# cat /proc/sys/net/nf_conntrack_maxnntrack_max
+65536
+root@tsingou:~# wc -l /proc/net/ip_conntrack
+63453 /proc/net/ip_conntrack
+dus aardig vol ja
+maar conntrack_max = (ram/16384) / (arch/32) = 64336 dus verhogen heeft geen zin.

уто 03 09:54 < Fruit> joostvb: je kunt het overrulen
уто 03 09:56 < casper> joostvb: afaik heb ik die formule op tory gebruikt
уто 03 09:56 < casper> om uit te rekenen hoe hoog ik conntrack_max kon zetten
уто 03 09:57 < casper> ik geloof niet dat het de default is

--------

urukctl: document how to set up file access permissions in order to be able to
run "urukctl create active" as non-root user.

------

Als lokale ip ongespecifeerd is, check verkeer dan niet op destination
ip, maar alleen op source, port, etc.  Handig bij dhcp en dynamische
ipv6.  Tnx Wessel voor idee.
Bv. als ip_eth0_failover='', dan daar niet op checken.

-------------------------------------------------------------------

kijk in /sys om netwerkinterfaces te vinden.  via ip(1): is niet-standaard
op red hat.  mogelijk fijn voor niet-debian/niet-rh; bv. gentoo oid.

-------

git should do "write to tempfile;  fsync(); rename" when updating HEAD ref.
due to powerfailure my HEAD ref file was empty.  occured with
git 1:1.7.10.4-1+wheezy1

------

metagross# chmod a+x /tmp/urukctl 
metagross# /tmp/urukctl start
Flushing all current iptables rules.
Loading IPv4 uruk rules.
Saving iptables ruleset: save "active" with counters.
Flushing all current ip6tables rules.
Loading IPv6 uruk rulesip6tables: Protocol wrong type for socket.
ip6tables v1.4.14: host/network `' not found
Try `ip6tables -h' or 'ip6tables --help' for more information.
ip6tables v1.4.14: host/network `' not found
Try `ip6tables -h' or 'ip6tables --help' for more information.
ip6tables v1.4.14: host/network `' not found
Try `ip6tables -h' or 'ip6tables --help' for more information.
ip6tables v1.4.14: host/network `' not found
Try `ip6tables -h' or 'ip6tables --help' for more information.
ip6tables v1.4.14: host/network `' not found
Try `ip6tables -h' or 'ip6tables --help' for more information.
ip6tables v1.4.14: host/network `' not found
Try `ip6tables -h' or 'ip6tables --help' for more information.
.
Saving ip6tables ruleset: save "active" with counters.
metagross# 

------------

- fix copyright in .azm: use template.

- The revised uruk init script now exits succesfully when the uruk program
  is not installed, like any init script on Debian systems.  FIXME Red Hat?

-------------

FIXME: this is probably / partially fixed (as of < 2013-09) :

plan: hernoem dit script naar uruk-ctl, schrijf nieuw sane init-script dat
wel een configfile is, en dan is dit oude script geen debian config file meer.

wo 22 10:51 < joostvb> Fruit:       log_failure_msg "Aborting uruk 
                       initd: missing executable $i"
wo 22 10:52 < Fruit> service uruk start
wo 22 10:52 < Fruit> exit 0
wo 22 10:52 < joostvb>       exit 5
wo 22 10:52 < joostvb> das fout?
wo 22 10:52 < Fruit> root@fry:~# facedin
wo 22 10:52 < Fruit> service uruk force-reload exited with status 5
wo 22 10:53 < Fruit> snmpd:test -x /usr/sbin/snmpd || exit 0

als je n /e/d/uruk hebt met enable-ipv6 call, en je doet dpkg --remove uruk:

wo 22 16:40 <Fruit> /etc/init.d/uruk: 17: /etc/default/uruk:
                    enable-ipv6: not found

en als je n /e/d/uruk hebt zionder enable-ipv6 call:
wo 22 16:41 <Fruit> root@bender:~# facedin
wo 22 16:41 <Fruit> service uruk force-reload exited with status 5

-------------

init/enable-ipv6 doc/default : currently enable_ipv6=false means: do not call
ip6tables.  it should mean: block all ipv6 traffic.  see NEWS.

vr 22 10:16 <@Fruit> joostvb: als IPv6 disabled is in uruk, misschien gewoon alle IPv6-verkeer blokkeren?
vr 22 10:17 <@Fruit> alle tables wissen en de policy op DROP zetten?
vr 22 10:17 <@Fruit> ik kan wel ff een mooie autistische ruleset in elkaar zetten
vr 22 10:22 < joostvb> ja, graag zo'n autistische ruleset voor ipv6

<quote>

Date: Fri, 22 Mar 2013 11:00:13 +0100
From: Wessel Dankers
To: Joost
Subject: autistische IPv6-rulebase
Message-ID: <20130322100013.GN2849@homsar.uvt.nl>

Om te voeren aan ip6tables-restore:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
COMMIT

*raw
:PREROUTING DROP [0:0]
:OUTPUT DROP [0:0]
COMMIT

*mangle
:PREROUTING DROP [0:0]
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:POSTROUTING DROP [0:0]
COMMIT



Zonder ip6tables-restore:

ip6tables -F
ip6tables -t raw -F
ip6tables -t mangle -F

ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT DROP

ip6tables -t raw -P PREROUTING DROP
ip6tables -t raw -P OUTPUT DROP

ip6tables -t mangle -P PREROUTING DROP
ip6tables -t mangle -P INPUT DROP
ip6tables -t mangle -P FORWARD DROP
ip6tables -t mangle -P OUTPUT DROP
ip6tables -t mangle -P POSTROUTING DROP

Dit gaat er trouwens wel vanuit dat je in uruk de policies op ACCEPT
instelt, iets wat sowieso zou moeten gebeuren (anders kun je niet robuust
een ruleset laden).

</quote>

-----------

later: reimplement uruk-save in perl, be sure to run it only when /usr is
mounted, not in init-script during boot.

from group/uruk/etc/uruk/rc-experimental by Wessel Dankers, 2012:

-------------------

di 23 15:50 < Fruit> joostvb: Saving iptables ruleset: save "inactive".
di 23 15:50 < Fruit> joostvb: dat probeer ik te voorkomen, met enable_autosave=false en 
                     enable_save_counters=false
di 23 15:51 < Fruit> joostvb: maar dat blijft-ie doen

- enable ip-not-yet-known. for roaming users, for fast-chagnging ipv6 adresses,for
interfaces for which ip is not yet known.  optionally: allow specifying range as
local adress.  tnx Wessel for reporting issue.

- init script

*** /var issue

2 init scripts

eentje doet deny alles
tweede doet stuff

alternatief:

ifupdown /etc/network/interfaces  en vooral /etc/init.d/networking

/run is cleared during reboot.  we'd prefer to be able to load from saved state during
boot.  therefore, first block everything.  later, when /var etc. are available,
run uruk.  what to do before halt?

*** rh issue

/etc/redhat-lsb/lsb_* geleverd door redhat-lsb-4.0-3.el6.x86_64
License GPL, by Lawrence Lim e.a., 2011, for Red Hat, Inc.

--------------

- decide: fork this package, get new name, don't bother about migration scenario,
  use dedicated named chains and tables.

- major overhaul: use different chains, optimise behaviour when dealing with ipv6.
  we deal with private ip ranges in a braindead way; improve that.

- test on dijkstra, rolle, bruhat, freitag
   root@janacopoulos:/tmp# wget http://mdcc.cx/tmp/uruk/uruk_20110602-1_all.deb && dpkg -i uruk_20110602-1_all.deb

-------------

- add a full IPv6 example to uruk-rc manpage (we now only have the example
  rc-file).

-  28 14:11 < joostvb> ip6_noroute_ranges='::1/128 ffff:0:0::/96 fc00::/7 
                       fec0::/10 0200::/7 2001:0db8::/32'
vr 28 14:14 < Fruit> joostvb: overigens kun je in IPv6 veel beter over 
                     *routable* spreken dan unroutable
vr 28 14:14 < Fruit> 2000::/3 is gewoon de enige die routeerbaar is, de rest is 
                     lokaal
vr 28 14:26 < Fruit> 2001:0DB8::/32 has been assigned as a NON-ROUTABLE range 
                     to be used for documentation purpose [RFC3849].
vr 28 14:26 < Fruit> daar gaat de mooie 2000::/3 regel :(


--------------------------------------------------

- improve flush:
Subject: Re: uruk Re: iptables leegflikkeren: lelijk maar robuust Wessel
 Dankers <wsl@uvt.nl>
In-Reply-To: <20110114092236.GA14988@dijkstra.uvt.nl>
> Op Fri 14 Jan 2011 om 10:17:10 +0100 schreef Wessel Dankers:
> > iptables-save |
> >   sed -rn 's/^:([A-Z]+) [A-Z]+ \[[0-9]+:[0-9]+\]$/:\1 ACCEPT [0:0]/p; /^(\*|COMMIT$)/p' |
> >   iptables-restore


- gebruik voor net_foo strings als

privnet-10
privnet-0
privnet-172

-  29 15:16 < fvos> joostvb: misschien kan het al, maar op de eee wil ik dat 
                    het ook kan werken als er per verbinding een ander ip-adres 
                    is
za 29 15:18 < fvos> checking van de rc-file is er niet, zoals je zelf aangeeft, 
                    maar met de xml+xsl-aanvulling van mij kun je de 
                    instelling-documenten valideren tegen een xsd en het 
                    bestand opdelen in logische bestanden die je met xinclude 
                    samenvoegt
za 29 19:29 < joostvb> fvos: valideren tegen een xsd: patches welkom :)
za 29 19:29 < joostvb> fvos: maar ik denk niet dat ik dat de default ga maken, 
                       dat ie dat doet

- localhost is 0000:0000:0000:0000:0000:0000:0000:0001 aka
Fri 18 10:36 < Fruit> ::1
000:0000:0000:0000:0000:0000:0000:0000/0 is ::/0
s/(^|:)(0+($|:))+/::/
rijen van woorden kun je afkorten tot ::
Tnx Wessel
http://www.faqs.org/rfcs/rfc3330.html

- Suggested by Casper Gielen: enable broadcast/multicast filtering for IPv6
 Carefull, this part is very different from IPv4. IPv6 does not support
 broadcast (at all) while support for multicast is mandatory. Do not block
 without a proper understanding of what you are blocking.
 Very likely needs to get implemented in script/uruk.in near "# Don't answer
 broadcast and multicast packets"


-----------------------------------------------------

RSN: write urukconfig : generate uruk rc file based upon currently
offered network services.  all services will be available for _all_ IPs
(or perhaps just local network?)
Packages could run this to generate a first rc file.

-----------------------------------

- use ip{,6}tables-apply by Martin Krafft: safe testing of new rules on remote host.

- get rid of duplicated code in init-script:
      if test "$found_active" -a "$found_inactive"; then
      eval found_$rule=1

- dpkg --remove uruk does not remove symlinks in /etc/rcS.d/; init-script fails hard
  if binary gone.

- dpkg --purge uruk does not remove /var/lib/uruk/iptables/active.

- "status" is borken in case IPv6 is enabled (found on yosida):

root@yosida:~# invoke-rc.d uruk start
Saving IPv4 uruk rules as active ruleset.
Loading iptables ruleset: load "active".
Starting uruk (iptables)
Saving IPv6 uruk rules as active ruleset.
Loading ip6tables ruleset: load "active".
Starting uruk (ip6tables)

root@yosida:~# /etc/init.d/uruk status      
* Checking uruk (iptables): both active and inactive rulesets present, but active ruleset not loaded
* Checking uruk (ip6tables): both active and inactive rulesets present, but active ruleset not loaded

- "start" when uruk is running flushes and reloads current active ruleset.
  Should it do this?  Or should it rather be a no-op? check lsb.

- add a "dump-status" option to init-script: dump details about status, keep
  tmpfiles. usefull for debugging.

- /etc/init.d/uruk flush does not flush nat nor mangle table.  This means
force-reload breaks when these tables are in use.  See comment near initd_flush.
Fix this, and accept the introduced cruft.   Tnx Wessel.

- Phase out support for services_eth0_udp, but enforce ipS_eth0; warn for
obsolete syntax

----------------- end of candidates for some upcoming release -------------

----------------- stuff which just might happen one day -------------------

- improve documentation on usage with non-fixed IPs, refer to /etc/network/if-up.d/uruk.

- using names of interfaces in names of variables is dumb.  the characters
  @ : . occur in interface names, but are not allowed in variable names.
  E.g. eth0.54@eth0 and vif6.0 and eth0:3 

- use functions
   log_daemon_msg
   log_end_msg
   log_action_msg
in init-script, see e.g. firehol init script

- Thu 20 23:13 < fvos> joostvb: ik zou de huidige rc graag gesplitst zien in 
                     meerdere losse bestanden, bijvoorbeeld 'networks', 
                     'sources' en zo. Daardoor kunnen de entries in die 
                     bestanden ook eenvoudiger namen hebben en is misschien 
                     kwaliteitscontrole op missende verwijzingen ook 
                     eenvoudiger.
Fri 21 05:37 < joostvb> fvos: een syntax-checker zou inderdaad wel handig zijn 
                        ja

- Phase out support for rc_e

- Debian package: S40uruk could better be S41uruk: explicitly start after
networking (which is S40networking).

- We setup firewall rules only _after_ the network interfaces are configured.
This is dumb: we are vulnerable for bugs in the kernel's IP stack.  One
solution for this: Create an /etc/init.d/uruk-pre script, which is run as early
as possible, and _before_ network interfaces are configured.  It should disable
all networktraffic (except for traffic on loopbackinterface).  Only later,
networkinterfaces are configured, /etc/init.d/uruk is run and networkservices
are started.  (N.B.: so even with the current setup we _do_ protect our
services).

- In uruk-rc manpage, include example rc-file verbatim.

- Create "upload" target in /Makefile.am

- Improve examples in documentation:
<Fruit> joostvb: ik geloof dat ":" een leuke shorthand is voor "alle poorten"

- Fix bugs in uruk script: (force-)reload should do something sane when
uruk not running.

- Check documentation: uruk-rc manpage needs more stuff.

- Write a wrapper for OpenBSD's pf and FreeBSD's ipfilter, so that these tools
can use the same rc file format.  We'd also have to make sure init-script
works on non-LSB-systems, then.

- Reimplement uruk-save: make it more robust.  See
http://www.faqs.org/docs/iptables/iptables-save.html for example of file
format.  Use logic from iptables-save.c.

- Think about alternative for uruk-save: create a chain, and enable it once it's
fully build by doing just one iptables call.  This would allow truly atomical
loading of new rulesets.

- Is it sane to allow all traffic in default inactive rule?

- Check save_counters support in init script.  It's likely broken.

- Date: Wed, 9 Feb 2005 15:09:16 +0100
Message-ID: <20050209140916.GZ1487@trogdor.uvt.nl>
Herken broadcasts (misschien aan destination MAC-adres?) en log ze niet.
.
alternative implementation: near code-snippet:
 # supporting this for multiple-ips would need multiple chains
 # or, perhaps, some iptables extension.
This log-spamming happens only in multiple-ip-per-nic mode.
Do DROP stuff just before log, would that work?  (No, we really can't do
something like "--dest !(ip1 or ip2 or ip3)".)
.
yet to implement: loglevel "high".  Document multiple ip per nic logspamming bug.

# this file maintained at http://git.mdcc.cx/uruk.git