On Mon, 2007-08-20 at 10:56 +0200, Pascal Hambourg wrote:
> Andrew Ruthven wrote:
> >>
> >>Shouldn't that be pre-up instead?
> >
> > I've just tried this and confirmed my suspicion. This will fail if you
> > refer to the interface in your firewall. Since the interface isn't up
> > yet (pre-up) iptables can't find the device to apply the against.
>
> Huh ? AFAIK iptables does not care whether the specified interface is up
> or even exists. It is just text, possibly including a wildcard (+).
> Doesn't your script try to extract information about the interface from
> ifconfig or the like ? Of course this may fail if the interface is not
> up yet.

Ahhh, I know why my test failed now. I was trying to use dummy1 as my
interface, but the box was quite rightly complaining that it doesn't
exist. I had thought I could just refer to a dummy interface and it'd
be created, it appears that isn't the case.

Testing this against another interface that really does exist confirms
that putting the iptables rules in the pre-up works.

Cheers!
--
Andrew Ruthven, Wellington, New Zealand
At home: [EMAIL PROTECTED] | This space intentionally
| left blank.

