Date of a new release


This topic contains 39 replies, has 0 voices, and was last updated by  cybergreen 8 years, 1 month ago.

Viewing 15 posts - 1 through 15 (of 41 total)
    #42330

    cybergreen
    Member

    Hi,
    I have used Zeroshell for one week. This distribution is great and the right one for my Alix-board! All supported features are very useful!

    I read that the last release is about one year old. Does somebody know the date of a new release?

    thx,

    Alex

    #50002

    imported_fulvio
    Participant

    Probably it will be released in June with accounting capability and per-user bandwidth limitation.

    Regards
    Fulvio

    #50003

    ppalias
    Member

    Will you also fix the conflict of QoS with Netbalancer?

    #50004

    imported_fulvio
    Participant

    Yes, I’ll include the fix if it works correctly during my test.

    Regards
    Fulvio

    #50005

    ppalias
    Member

    I got the fix as well from atheling, so I will test it too before it is released.

    #50006

    atheling
    Member

    @ppalias wrote:

    I got the fix as well from atheling, so I will test it too before it is released.

    I have just emailed an updated fix to Fulvio as well as to the several people who have asked for it.

    #50007

    imported_fulvio
    Participant

    Could you post the new patch here so that ppalias can test it too?

    Bye
    Fulvio

    #50008

    atheling
    Member

    @fulvio wrote:

    Could you post the new patch here so that ppalias can test it too?

    Bye
    Fulvio

    I’ve emailed it to him already, but here is the patch for anyone else who wants to try it.

    On a Linux/Unix/Macintosh box you should be able to copy the following into a file, get the source files from the Zeroshell Beta 12 release, then use the patch utility to update the sources.

    (Edit: Rebuilt patch file telling diff to ignore white space changes.)


    Index: kerbynet.cgi/scripts/fw_initrules
    ===================================================================
    RCS file: /home/atheling/cvsroot/Zeroshell/Zeroshell/kerbynet.cgi/scripts/fw_initrules,v
    retrieving revision 1.1.1.1
    diff -w -u -6 -r1.1.1.1 fw_initrules
    --- kerbynet.cgi/scripts/fw_initrules 26 Nov 2009 22:13:35 -0000 1.1.1.1
    +++ kerbynet.cgi/scripts/fw_initrules 1 Dec 2009 03:51:40 -0000
    @@ -2,13 +2,13 @@
    . /etc/kerbynet.conf
    CHAIN="$1"
    [ -z "$CHAIN" ] && exit 1
    CONFIG="$REGISTER/system/net/FW/"
    if [ "$CHAIN" == QoS ] ; then
    TABLE="-t mangle"
    - CH=FORWARD
    + CH=QoS
    else
    if [ "$CHAIN" == NetBalancer ] ; then
    TABLE="-t mangle"
    CH=NetBalancer
    else
    TABLE=""
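    Review bot: switching `CH` from `FORWARD` to `QoS` makes this script depend on a user-defined mangle chain that must already exist when `iptables $TABLE -A $CH` runs, so `fw_start` (which creates `QoS` with `-N`) has to run before `fw_initrules`; if the patched `fw_start` is not in place, every QoS rule fails with "No chain/target/match by that name", which is the error reported further down this thread when the patched scripts were lost on reboot. Consider an explicit `iptables -t mangle -N QoS 2>/dev/null` here as a guard, matching the pattern used in `fw_start`.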
    @@ -23,12 +23,16 @@
    iptables -A INPUT -j SYS_INPUT
    iptables -A INPUT -p tcp --dport 80 -j SYS_HTTPS
    iptables -A INPUT -p tcp --dport 443 -j SYS_HTTPS
    iptables -A INPUT -p tcp --dport 22 -j SYS_SSH
    fi
    [ "$CHAIN" == OUTPUT ] && iptables -A OUTPUT -j SYS_OUTPUT
    + # If we are doing the QoS chain, thenlear any marks left over from
    + # Netbalancing/failover routing. The QoS chain is applied after
    + # routing so there is no conflict.
    + [ "$CHAIN" == "QoS" ] && iptables $TABLE -A $CH -j MARK --set-mark 0x0
    if [ -d $CONFIG/Chains/$CHAIN/Rules ] ; then
    cd $CONFIG/Chains/$CHAIN/Rules
    RULES=`ls`
    for RULE in $RULES ; do
    ENABLED="`cat $RULE/Enabled 2>/dev/null`"
    if [ "$ENABLED" == yes ] ; then
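    Review bot: the comment has a typo ("thenlear" should be "then clear") and understates what the new rule does: `-j MARK --set-mark 0x0` unconditionally wipes whatever mark reaches the `QoS` chain, so correctness depends entirely on `nb_fw` placing the jump to `QoS` in POSTROUTING after `NB_CT_POST` has done `CONNMARK --save-mark`. Worth stating that dependency in the comment, since nothing in this script checks the order. Minor: `"QoS"` is quoted here but unquoted in the `==` test a few lines up.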
    Index: kerbynet.cgi/scripts/fw_makerule
    ===================================================================
    RCS file: /home/atheling/cvsroot/Zeroshell/Zeroshell/kerbynet.cgi/scripts/fw_makerule,v
    retrieving revision 1.1.1.1
    diff -w -u -6 -r1.1.1.1 fw_makerule
    --- kerbynet.cgi/scripts/fw_makerule 26 Nov 2009 22:13:35 -0000 1.1.1.1
    +++ kerbynet.cgi/scripts/fw_makerule 1 Dec 2009 03:32:42 -0000
    @@ -4,13 +4,13 @@
    RULE="$2"
    OPT="$3"
    [ -z "$CHAIN" -a -z "$RULE" ] && exit 1
    CONFIG="$REGISTER/system/net/FW"
    if [ "$CHAIN" = QoS ] ; then
    TABLE="-t mangle"
    - CH=FORWARD
    + CH=QoS
    else
    if [ "$CHAIN" = NetBalancer ] ; then
    TABLE="-t mangle"
    CH=NetBalancer
    else
    TABLE=""
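    Review bot: this is the same TABLE/CH selection block as in `fw_initrules`, now changed in two places; the two copies already differ in style (`=` here, `==` there, and `==` is a bashism while other scripts in this patch start with `#!/bin/sh`). Moving the chain selection into a shared snippet sourced by both scripts would keep the chain name from drifting again.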
    @@ -411,13 +411,13 @@
    iptables $TABLE $IPT $TGT
    if [ "$CHAIN" == QoS ] ; then
    TGTDSCP=`cat $REGISTER/system/net/QoS/Class/$TARGET/DSCP 2>/dev/null`
    if [ -n "$TGTDSCP" ] ; then
    iptables $TABLE $IPT -j DSCP --set-dscp $TGTDSCP
    fi
    - iptables -t mangle -A FORWARD -m mark ! --mark 0 -j ACCEPT
    + iptables -t mangle -A QoS -m mark ! --mark 0 -j ACCEPT
    fi
    if [ "$CHAIN" == NetBalancer ] ; then
    [ "$TARGET" != Auto ] && iptables -t mangle -A NetBalancer -m mark ! --mark 0 -j ACCEPT
    fi
    fi
    fi
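    Review bot: the trailing `iptables -t mangle -A QoS -m mark ! --mark 0 -j ACCEPT` appended after each classification rule is what stops later rules from re-marking a packet that has already been classified (the chain starts by zeroing the mark in `fw_initrules`, so a non-zero mark here always means a QoS match). The table and chain are hard-coded here while the line above uses `$TABLE $IPT`; using `$TABLE -A $CH` would keep the name in one place and avoid a second edit if the chain is renamed again.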
    Index: kerbynet.cgi/scripts/fw_start
    ===================================================================
    RCS file: /home/atheling/cvsroot/Zeroshell/Zeroshell/kerbynet.cgi/scripts/fw_start,v
    retrieving revision 1.1.1.1
    diff -w -u -6 -r1.1.1.1 fw_start
    --- kerbynet.cgi/scripts/fw_start 26 Nov 2009 22:13:35 -0000 1.1.1.1
    +++ kerbynet.cgi/scripts/fw_start 30 Nov 2009 22:10:47 -0000
    @@ -10,12 +10,18 @@
    iptables -t mangle -F NetBalancer 2>/dev/null
    iptables -t mangle -X NetBalancer 2>/dev/null
    iptables -t mangle -N NetBalancer 2>/dev/null
    iptables -t mangle -F OpenVPN 2>/dev/null
    iptables -t mangle -X OpenVPN 2>/dev/null
    iptables -t mangle -N OpenVPN 2>/dev/null
    +iptables -t mangle -F QoS 2>/dev/null
    +iptables -t mangle -X QoS 2>/dev/null
    +iptables -t mangle -N QoS 2>/dev/null
    +iptables -t mangle -F NB_CT_PRE 2>/dev/null
    +iptables -t mangle -X NB_CT_PRE 2>/dev/null
    +iptables -t mangle -N NB_CT_PRE 2>/dev/null
    [ "$CPGW" == yes ] && iptables -N CapPort
    $SCRIPTS/fw_https_chain
    $SCRIPTS/fw_ssh_chain
    $SCRIPTS/fw_sys_chain
    CHAINS=`ls`
    for C in $CHAINS ; do
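    Review bot: `QoS` and `NB_CT_PRE` get the flush/delete/create triple here, but `NB_CT_POST` and `NB_STAT`, which `nb_setautomarking` flushes and inserts into below, are not in this hunk; confirm they are created with the same `-F`/`-X`/`-N` sequence before `nb_fw` runs, since a missing chain fails silently behind the `2>/dev/null` redirections. Also note that `-X` cannot delete a chain that is still referenced by a jump (for example from POSTROUTING), and that error is hidden too; `nb_fw` removes the jumps with `-D`, so the relative order of `fw_start` and `nb_fw` matters.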
    Index: kerbynet.cgi/scripts/fw_viewchain
    ===================================================================
    RCS file: /home/atheling/cvsroot/Zeroshell/Zeroshell/kerbynet.cgi/scripts/fw_viewchain,v
    retrieving revision 1.1.1.1
    diff -w -u -6 -r1.1.1.1 fw_viewchain
    --- kerbynet.cgi/scripts/fw_viewchain 26 Nov 2009 22:13:35 -0000 1.1.1.1
    +++ kerbynet.cgi/scripts/fw_viewchain 30 Nov 2009 19:30:43 -0000
    @@ -1,7 +1,7 @@
    #!/bin/sh
    . /etc/kerbynet.conf
    CHAIN="$1"
    [ -z "$CHAIN" ] && exit 1
    -[ "$CHAIN" == QoS ] && CHAIN="FORWARD -t mangle"
    +[ "$CHAIN" == QoS ] && CHAIN="QoS -t mangle"
    [ "$CHAIN" == NetBalancer ] && CHAIN="NetBalancer -t mangle"
    iptables -n -v -L $CHAIN
    Index: kerbynet.cgi/scripts/nb_fw
    ===================================================================
    RCS file: /home/atheling/cvsroot/Zeroshell/Zeroshell/kerbynet.cgi/scripts/nb_fw,v
    retrieving revision 1.1.1.1
    diff -w -u -6 -r1.1.1.1 nb_fw
    --- kerbynet.cgi/scripts/nb_fw 26 Nov 2009 22:13:35 -0000 1.1.1.1
    +++ kerbynet.cgi/scripts/nb_fw 10 Apr 2010 13:44:21 -0000
    @@ -1,23 +1,35 @@
    #!/bin/sh
    . /etc/kerbynet.conf
    iptables -t mangle -D PREROUTING -j CONNMARK --restore-mark 2>/dev/null
    +iptables -t mangle -D PREROUTING -m state --state NEW -j NB_CT_PRE 2>/dev/null
    iptables -t mangle -D PREROUTING -j NetBalancer 2>/dev/null
    +iptables -t mangle -D INPUT -m state --state NEW -j NB_CT_POST 2>/dev/null
    iptables -t mangle -D INPUT -j NetBalancer 2>/dev/null
    +iptables -t mangle -D OUTPUT -j CONNMARK --restore-mark 2>/dev/null
    iptables -t mangle -D OUTPUT -j NetBalancer 2>/dev/null
    iptables -t mangle -D OUTPUT -j OpenVPN 2>/dev/null
    iptables -t mangle -D POSTROUTING -m state --state NEW -j NB_CT_POST 2>/dev/null
    iptables -t mangle -D POSTROUTING -j NB_STAT 2>/dev/null
    +# Need QoS to be done in mangle POSTROUTING. Note that if NetBalance
    +# is enabled then we will insert those rules/chains first. So any
    +# routing marks will be handled before we blow them away with QoS
    +# marks.
    +iptables -t mangle -D POSTROUTING -j QoS 2>/dev/null
    +iptables -t mangle -I POSTROUTING 1 -j QoS 2>/dev/null
    if [ "`cat $REGISTER/system/net/nb/Enabled 2>/dev/null`" = yes ] ; then
    iptables -t mangle -I PREROUTING 1 -j CONNMARK --restore-mark
    - iptables -t mangle -I PREROUTING 2 -j NetBalancer
    + iptables -t mangle -I PREROUTING 2 -m state --state NEW -j NB_CT_PRE 2>/dev/null
    + iptables -t mangle -I PREROUTING 3 -j NetBalancer
    + iptables -t mangle -I INPUT 1 -m state --state NEW -j NB_CT_POST 2>/dev/null
    + iptables -t mangle -I INPUT 2 -j NetBalancer
    + iptables -t mangle -I OUTPUT 1 -j CONNMARK --restore-mark
    + iptables -t mangle -I OUTPUT 2 -j NetBalancer
    + iptables -t mangle -I OUTPUT 3 -j OpenVPN
    iptables -t mangle -I POSTROUTING 1 -m state --state NEW -j NB_CT_POST 2>/dev/null
    iptables -t mangle -I POSTROUTING 2 -j NB_STAT 2>/dev/null
    - iptables -t mangle -I INPUT 1 -j NetBalancer
    - iptables -t mangle -I OUTPUT 1 -j NetBalancer
    - iptables -t mangle -I OUTPUT 2 -j OpenVPN
    fi
    $SCRIPTS/nb_vpn 2> /dev/null
    $SCRIPTS/nb_setautomarking 2>/dev/null
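    Review bot: the ordering comment should spell out how the order is achieved, because it is implicit: the jump to `QoS` is inserted at POSTROUTING position 1 unconditionally, and only when NetBalancer is enabled do the `NB_CT_POST` and `NB_STAT` inserts at positions 1 and 2 push it to position 3. That gives the intended sequence (`CONNMARK --save-mark` in `NB_CT_POST` runs before `QoS` zeroes the mark), but swapping any two of these lines would silently save the QoS mark into the connection and break return-path routing. The `2>/dev/null` on `-I POSTROUTING 1 -j QoS` also hides the case where the `QoS` chain was never created; letting that error through would have made the boot-persistence problem reported later in the thread obvious.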



    Index: kerbynet.cgi/scripts/nb_setautomarking
    ===================================================================
    RCS file: /home/atheling/cvsroot/Zeroshell/Zeroshell/kerbynet.cgi/scripts/nb_setautomarking,v
    retrieving revision 1.1.1.1
    diff -w -u -6 -r1.1.1.1 nb_setautomarking
    --- kerbynet.cgi/scripts/nb_setautomarking 26 Nov 2009 22:13:35 -0000 1.1.1.1
    +++ kerbynet.cgi/scripts/nb_setautomarking 4 Dec 2009 03:41:47 -0000
    @@ -3,27 +3,56 @@
    CONFIG=$REGISTER/system/net/nb/Gateways
    cd $CONFIG
    function set_gwmark {
    xGW="$1"
    INTERFACE=`cat $xGW/Interface 2>/dev/null`
    IP=`cat $xGW/IP 2>/dev/null`
    + # Set up the pre-routing chain for new connections from this Gateway. We want
    + # to mark all traffic originating from this gateway to be routed back out to the
    + #same gateway.
    +
    + # If this Gateway has no interface device defined for it, see if we can get
    + # one based on the next hop IP address
    + if [ "$INTERFACE" == "" ] ; then
    + if [ "$IP" != "" ] ; then
    + INTERFACE=`ip route get $IP | grep -o "dev w*" | awk 'BEGIN {FS=" "}{print $2}'`
    + fi
    + fi
    + # If we have found the interface, then mark all traffic coming in on it to use
    + # it for outbound responses
    + if [ "$INTERFACE" != "" ] ; then
    + if ! iptables -t mangle -L NB_CT_PRE -n | grep -q -w `echo 1$xGW |awk '{printf ("0x%x",$0)}'` ; then
    + [ "`cat $xGW/Enabled 2>/dev/null`" = yes ] && iptables -t mangle -I NB_CT_PRE 1 -i $INTERFACE -j MARK --set-mark 1$xGW
    + else
    + [ "`cat $xGW/Enabled 2>/dev/null`" != yes ] && iptables -t mangle -D NB_CT_PRE -i $INTERFACE -j MARK --set-mark 1$xGW
    + fi
    + fi
    +
    + # In the post routing phase, we want to get the the routing realm used for new
    + # connections and save it in the connection. First setp here is to get the mark
    + # and put it on the packet. Our caller will emit the code to save the marks to
    + # the connection.
    if ! iptables -t mangle -L NB_CT_POST -n | grep -q -w `echo 1$xGW |awk '{printf ("0x%x",$0)}'` ; then
    [ "`cat $xGW/Enabled 2>/dev/null`" = yes ] && iptables -t mangle -I NB_CT_POST 1 -m realm --realm 1$xGW -j MARK --set-mark 1$xGW
    else
    [ "`cat $xGW/Enabled 2>/dev/null`" != yes ] && iptables -t mangle -D NB_CT_POST -m realm --realm 1$xGW -j MARK --set-mark 1$xGW
    fi
    +
    + # Make the entry in the statistics chain so we can track how much traffic went
    + # over each gateway
    if ! iptables -t mangle -L NB_STAT -n | grep -q -w `echo 1$xGW |awk '{printf ("0x%x",$0)}'` ; then
    [ "`cat $xGW/Enabled 2>/dev/null`" = yes ] && iptables -t mangle -I NB_STAT 1 -m mark --mark 1$xGW
    else
    [ "`cat $xGW/Enabled 2>/dev/null`" != yes ] && iptables -t mangle -D NB_STAT -m mark --mark 1$xGW
    fi
    }
    GW="$1"
    if [ -z "$GW" ] ; then
    GW=`ls -d ?? 2>/dev/null`
    iptables -t mangle -F NB_CT_POST
    + iptables -t mangle -F NB_CT_PRE
    iptables -t mangle -F NB_STAT
    for G in $GW ; do
    set_gwmark $G
    done
    iptables -t mangle -D NB_CT_POST -j CONNMARK --save-mark 2> /dev/null
    iptables -t mangle -A NB_CT_POST -j CONNMARK --save-mark
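    Review bot: `grep -o "dev w*"` on the `ip route get` output will not extract the interface: `w*` matches zero or more literal `w` characters, so the match is `dev ` (or `dev w` for a wlan device) and awk's `$2` is empty, leaving `INTERFACE` unset whenever it was not configured explicitly. `\w*` was probably intended and the backslash lost in pasting; `grep -o "dev [^ ]*" | awk '{print $2}'` or `sed -n 's/.*dev \([^ ]*\).*/\1/p'` would be robust either way. Typos in the new comments: "setp" (step), "the the", and `#same` is missing the space after `#`. Also the `-D NB_CT_PRE -i $INTERFACE` removal for a disabled gateway only works if the interface is derived identically on that run, which the bug above currently prevents.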
    #50009

    ppalias
    Member

    I patched my edge router with atheling’s patch during the weekend, switched the netbalancer to netbalancing+failover from just failover and assigned equal weights to the 2 wan links. So far

    • ACKs and replies to incoming traffic seem to be correctly routed back out from the same wan
    • QoS matches packets correctly, at least the counters are going up. However, ssh has a smooth feeling, which could mean that it is working indeed very well.
    • No service disruption or disconnects on Instant Messengers, due to change of gateway.

    I haven’t tested so far the OpenVPN to verify that packets are routed out from the correct interface, but I can’t see a reason why it shouldn’t work.
    I will continue testing so that we are all sure that it can be included in the next release.
    Congratulations atheling, that was a very good work!

    #50010

    orallo
    Member

    Can anyone post detailed process for patching a system??

    I’ve tried copying the patch to the kerbynet.cgi folder and then issuing the command:

    patch -p0 < Zeroshell.3.patch

    And that patches 6 files in the scripts folder

    patching file scripts/fw_initrules
    patching file scripts/fw_makerule
    patching file scripts/fw_start
    patching file scripts/fw_viewchain
    patching file scripts/nb_fw
    patching file scripts/nb_setautomarking

    BUT when I reboot the system the changes are lost, and if I DON’T reboot the system, when I try to modify rules on the QoS classifier and click on “Confirm” to save and close the popup with the rule details, it doesn’t close and I get:

    iptables: No chain/target/match by that name

    in red text at the bottom of the window.

    Help anybody?

    Thanks in advance,

    #50011

    atheling
    Member

    Most of the filesystem is actually RAM based and is created and loaded up during boot. The stuff that survives reboot is in /Database.

    So what I have done is create a directory /Database/custom/ and in it I have placed the patched versions of any script files.

    Then under the “Startup/cron” tab under “SYSTEM” “Setup”, I have put the following into the “pre-boot” script:


    # Load the SIP NAT helper (separate from the netbalancer/QoS patches)
    modprobe nf_nat_sip
    # Copy every patched script from persistent storage over the RAM-based copy
    for file in /Database/custom/*
    do
        cp "${file}" /root/kerbynet.cgi/scripts/
    done

    This copies my patched files into the correct place for them to be executed.

    (The modprobe nf_nat_sip seems to be needed for my VoIP stuff to work. And that is a separate issue from the net balance/QoS problems that the patches address.)
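    As an added check to go with the pre-boot copy step (example code written for this page, not part of atheling's patch or of Zeroshell): once the copy has run, confirm that the mangle chains the patched scripts expect actually exist, so a lost or failed copy shows up at boot instead of as the "iptables: No chain/target/match by that name" error orallo hit when saving a QoS rule. The chain list in REQUIRED_CHAINS and the sample listing are this example's own assumptions, taken from the chain names in the patch.

```shell
#!/bin/sh
# Added example: verify that the mangle chains created by the patched fw_start
# are present. The chain names are taken from the patch; the list itself is an
# assumption of this example, not a Zeroshell setting.
REQUIRED_CHAINS="QoS NetBalancer NB_CT_PRE NB_CT_POST NB_STAT"

# missing_chains: read an `iptables -t mangle -S` listing from stdin and print
# the names of required chains that have no "-N <name>" line, one per line.
missing_chains() {
    listing=$(cat)
    for chain in $REQUIRED_CHAINS; do
        if ! printf '%s\n' "$listing" | grep -q "^-N ${chain}\$"; then
            echo "$chain"
        fi
    done
}

# check_live_chains: run the check against the running firewall.
# Returns 0 when every required chain exists, 1 (with a message on stderr)
# otherwise, so it can gate the rest of a pre-boot script.
check_live_chains() {
    missing=$(iptables -t mangle -S | missing_chains)
    if [ -n "$missing" ]; then
        echo "missing mangle chains: $missing" >&2
        return 1
    fi
    return 0
}

# Constructed sample listing (not captured from a real box): it resembles a
# system where the patched fw_start never ran, so QoS and NB_CT_PRE are absent.
SAMPLE_LISTING='-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N NB_CT_POST
-N NB_STAT
-N NetBalancer
-N OpenVPN
-A PREROUTING -j CONNMARK --restore-mark
-A POSTROUTING -m state --state NEW -j NB_CT_POST'

# sample_missing: run the parser over the constructed listing; prints
# "QoS" and "NB_CT_PRE" on separate lines.
sample_missing() {
    printf '%s\n' "$SAMPLE_LISTING" | missing_chains
}
```

Calling `check_live_chains` at the end of the pre-boot script (after the copy loop) turns a silently lost patch into a visible boot-time message.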

    #50012

    atheling
    Member

    @ppalias wrote:

    …snip…I haven’t tested so far the OpenVPN to verify that packets are routed out from the correct interface, but I can’t see a reason why it shouldn’t work. …snip…

    I did go to the local public library yesterday where they have free WiFi and was able to connect to both my WAN interfaces using OpenVPN. Seemed to work okay with the ping times to an inside box about right for the two different WAN latencies.

    #50013

    orallo
    Member

    Outstanding, thanks a lot, I am rebooting my ZS box right now to try all the changes.

    Thanks again atheling,

    Orallo.

    #50014

    ppalias
    Member

    Weird thing is that the zeroshell.net forum, which doesn’t support cookies, is still confused and asks for user-pass each time I refresh a page. Looks like we cannot avoid the static route…

    #50015

    atheling
    Member

    @ppalias wrote:

    Weird thing is that the zeroshell.net forum, which doesn’t support cookies, is still confused and asks for user-pass each time I refresh a page. Looks like we cannot avoid the static route…

    I think the issue is routing persistence across multiple TCP sessions. The fixes I put in only keep a TCP session going to the correct interface. The next TCP session will do a fresh pick of the WAN interface to use.

    Since each page refresh on a web site is a new TCP session there is a good possibility, depending on your load balancing metric, that the new session will be on a different interface.

    In my case that hasn’t been a problem, as I have a 100:1 ratio in speed between my two ISPs and the slow one has enough traffic from incoming mail and VoIP that pretty much everything internally generated gets routed on the high speed ISP.

    I haven’t yet looked into how one can make route persistence work across multiple TCP connections. This will be needed not just for this site to make cookies work but for any HTTPS site.
