Re: [Shorewall-users] Fw: IPV6 Tunnel Ping Fail

2018-04-06 Thread colony.three--- via Shorewall-users
‐‐‐ Original Message ‐‐‐

On April 6, 2018 2:32 PM, Tom Eastep  wrote:

> 
> On 04/06/2018 01:22 PM, colony.three--- via Shorewall-users wrote:
> 
> > ‐‐‐ Original Message ‐‐‐
> > 
> > On April 6, 2018 11:58 AM, colony.th...@protonmail.ch wrote:
> > 
> > > ‐‐‐ Original Message ‐‐‐
> > > 
> > > On April 6, 2018 11:44 AM, Tom Eastep teas...@shorewall.net wrote:
> > > 
> > > > > After shorewall6 clear, ping6 just hangs.
> > > > > 
> > > > > ping6 google.com
> > > > > 
> > > > > 
> > > > > PING google.com(sea15s01-in-x0e.1e100.net (2607:f8b0:400a:806::200e)) 
> > > > > 56 data bytes
> > > > > 
> > > > > ^C
> > > > > 
> > > > > --- google.com ping statistics ---
> > > > > 
> > > > > 20 packets transmitted, 0 received, 100% packet loss, time 19000ms
> > > > 
> > > > Your routing is all screwed up. You are trying to use the same /64 on
> > > > 
> > > > three different networks. When you get a tunnel from HE, you get two /64
> > > > 
> > > > networks: one on the sit device, and one to use in your local 
> > > > network(s).
> > > > 
> > > > You can subdivide the second /64 between multiple networks, but then the
> > > > 
> > > > prefix length for those networks must be > 64 and you cannot use
> > > > 
> > > > stateless autoconfiguration.
> > > > 
> > > > -Tom
> > > > 
> > > > Tom Eastep \ Q: What do you get when you cross a mobster with
> > > > 
> > > > Shoreline, \ an international standard?
> > > > 
> > > > Washington, USA \ A: Someone who makes you an offer you can't
> > > > 
> > > > http://shorewall.org \ understand
> > > 
> > > Understand, but I do have 2001:470:a:c3::2 set on the tunnel interface, 
> > > and for the LAN I've set 2001:470:b:c3::/64 like they say.
> > > 
> > > ip -6 route
> > > ===
> > > 
> > > unreachable ::/96 dev lo metric 1024 error -113
> > > 
> > > unreachable :::0.0.0.0/96 dev lo metric 1024 error -113
> > > 
> > > 2001:470:a:c3::/64 dev he-ipv6 proto kernel metric 256
> > > 
> > > 2001:470:b:c3::/64 dev eth1 proto kernel metric 256
> > > 
> > > 2001:470:b:c3::/64 dev eth2 proto kernel metric 256
> > > 
> > > unreachable 2002:a00::/24 dev lo metric 1024 error -113
> > > 
> > > unreachable 2002:7f00::/24 dev lo metric 1024 error -113
> > > 
> > > unreachable 2002:a9fe::/32 dev lo metric 1024 error -113
> > > 
> > > unreachable 2002:ac10::/28 dev lo metric 1024 error -113
> > > 
> > > unreachable 2002:c0a8::/32 dev lo metric 1024 error -113
> > > 
> > > unreachable 2002:e000::/19 dev lo metric 1024 error -113
> > > 
> > > unreachable 3ffe:::/32 dev lo metric 1024 error -113
> > > 
> > > fe80::/64 dev eth1 proto kernel metric 256
> > > 
> > > fe80::/64 dev eth2 proto kernel metric 256
> > > 
> > > fe80::/64 dev eth0 proto kernel metric 256
> > > 
> > > fe80::/64 dev he-ipv6 proto kernel metric 256
> > > 
> > > default dev he-ipv6 metric 1024
> > > 
> > > True I don't have a gateway set on eth1, but that -is- the LAN gateway.
> > > 
> > > To set up the tunnel I'm using the systemd service copied almost 
> > > word-for-word from the Arch doc:
> > > 
> > > [Unit]
> > > 
> > > Description=he.net IPv6 tunnel
> > > 
> > > After=network.target
> > > 
> > > [Service]
> > > 
> > > Type=oneshot
> > > 
> > > RemainAfterExit=yes
> > > 
> > > ExecStart=/usr/sbin/ip tunnel add he-ipv6 mode sit remote 216.218.226.238 
> > > local 50.47.100.167 ttl 255
> > > 
> > > ExecStart=/usr/sbin/ip link set he-ipv6 up mtu 1480
> > > 
> > > ExecStart=/usr/sbin/ip addr add 2001:470:a:c3::2/64 dev he-ipv6
> > > 
> > > ExecStart=/usr/sbin/ip -6 route add ::/0 dev he-ipv6
> > > 
> > > ExecStop=/usr/sbin/ip -6 route del ::/0 dev he-ipv6
> > > 
> > > ExecStop=/usr/sbin/ip link set he-ipv6 down
> > > 
> > > ExecStop=/usr/sbin/ip tunnel del he-ipv6
> > > 
> > > [Install]
> > > 
> > > WantedBy=multi-user.target
> > 
> > I must be being dense here. Can someone please explain what Tom is telling 
> > me here?
> 
> What I am telling you is that you have these two routes:
> 
> fe80::/64 dev eth2 proto kernel metric 256
> 
> fe80::/64 dev eth1 proto kernel metric 256
> 
> So the hosts connected to one of those are going to be unreachable. You
> 
> need to configure the IP addresses on those devices as /72, not /64,
> 
> which means that you will have to assign IP addresses to hosts connected
> 
> to those interfaces manually or using DHCPv6. You will not be able to
> 
> use stateless auto configuration.
> 
> You have not told us where you are trying to ping from -- firewall or
> 
> host behind the firewall? But you are not allowing Ping from any place
> 
> to any other place in this configuration; AllowICMPs does not allow
> 
> ping; it only allows those ICMPs specified by RFC 4890 as 'must allow'
> 
> by routers. That explains the errors when Shorewall is started. But it
> 
> doesn't explain the issue when Shorewall is cleared. With Shorewall
> 
> cleared, can you ping 2001:470:a:c3::1?
> 
> -Tom
> 
> 
> 

Re: [Shorewall-users] Do SNAT rules support ipsets?

2018-04-06 Thread Igor Sverkos
Hi Tom,

thank you!

I took the opportunity, created my own Debian packages and upgraded to 5.1.12.3.

If the Debian maintainer is following this list: Would be nice to see
a package bump in 9.5 :)


-- 
Regards,
Igor

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users


Re: [Shorewall-users] Fw: IPV6 Tunnel Ping Fail

2018-04-06 Thread Tom Eastep
On 04/06/2018 01:22 PM, colony.three--- via Shorewall-users wrote:
> 
> ‐‐‐ Original Message ‐‐‐
> 
> On April 6, 2018 11:58 AM,  wrote:
> 
>>
>> ‐‐‐ Original Message ‐‐‐
>>
>> On April 6, 2018 11:44 AM, Tom Eastep teas...@shorewall.net wrote:
>>
>>>> After shorewall6 clear, ping6 just hangs.
>>>>
>>>> ping6 google.com
>>>>
>>>> PING google.com(sea15s01-in-x0e.1e100.net (2607:f8b0:400a:806::200e)) 56 
>>>> data bytes
>>>>
>>>> ^C
>>>>
>>>> --- google.com ping statistics ---
>>>>
>>>> 20 packets transmitted, 0 received, 100% packet loss, time 19000ms
>>>
>>> Your routing is all screwed up. You are trying to use the same /64 on
>>>
>>> three different networks. When you get a tunnel from HE, you get two /64
>>>
>>> networks: one on the sit device, and one to use in your local network(s).
>>>
>>> You can subdivide the second /64 between multiple networks, but then the
>>>
>>> prefix length for those networks must be > 64 and you cannot use
>>>
>>> stateless autoconfiguration.
>>>
>>> -Tom
>>>
>>> Tom Eastep \ Q: What do you get when you cross a mobster with
>>>
>>> Shoreline, \ an international standard?
>>>
>>> Washington, USA \ A: Someone who makes you an offer you can't
>>>
>>> http://shorewall.org \ understand
>>
>> Understand, but I do have 2001:470:a:c3::2 set on the tunnel interface, and 
>> for the LAN I've set 2001:470:b:c3::/64 like they say.
>>
>> ip -6 route
>> ===
>>
>> unreachable ::/96 dev lo metric 1024 error -113
>>
>> unreachable :::0.0.0.0/96 dev lo metric 1024 error -113
>>
>> 2001:470:a:c3::/64 dev he-ipv6 proto kernel metric 256
>>
>> 2001:470:b:c3::/64 dev eth1 proto kernel metric 256
>>
>> 2001:470:b:c3::/64 dev eth2 proto kernel metric 256
>>
>> unreachable 2002:a00::/24 dev lo metric 1024 error -113
>>
>> unreachable 2002:7f00::/24 dev lo metric 1024 error -113
>>
>> unreachable 2002:a9fe::/32 dev lo metric 1024 error -113
>>
>> unreachable 2002:ac10::/28 dev lo metric 1024 error -113
>>
>> unreachable 2002:c0a8::/32 dev lo metric 1024 error -113
>>
>> unreachable 2002:e000::/19 dev lo metric 1024 error -113
>>
>> unreachable 3ffe:::/32 dev lo metric 1024 error -113
>>
>> fe80::/64 dev eth1 proto kernel metric 256
>>
>> fe80::/64 dev eth2 proto kernel metric 256
>>
>> fe80::/64 dev eth0 proto kernel metric 256
>>
>> fe80::/64 dev he-ipv6 proto kernel metric 256
>>
>> default dev he-ipv6 metric 1024
>>
>> True I don't have a gateway set on eth1, but that -is- the LAN gateway.
>>
>> To set up the tunnel I'm using the systemd service copied almost 
>> word-for-word from the Arch doc:
>>
>> [Unit]
>>
>> Description=he.net IPv6 tunnel
>>
>> After=network.target
>>
>> [Service]
>>
>> Type=oneshot
>>
>> RemainAfterExit=yes
>>
>> ExecStart=/usr/sbin/ip tunnel add he-ipv6 mode sit remote 216.218.226.238 
>> local 50.47.100.167 ttl 255
>>
>> ExecStart=/usr/sbin/ip link set he-ipv6 up mtu 1480
>>
>> ExecStart=/usr/sbin/ip addr add 2001:470:a:c3::2/64 dev he-ipv6
>>
>> ExecStart=/usr/sbin/ip -6 route add ::/0 dev he-ipv6
>>
>> ExecStop=/usr/sbin/ip -6 route del ::/0 dev he-ipv6
>>
>> ExecStop=/usr/sbin/ip link set he-ipv6 down
>>
>> ExecStop=/usr/sbin/ip tunnel del he-ipv6
>>
>> [Install]
>>
>> WantedBy=multi-user.target
> 
> 
> I must be being dense here.  Can someone please explain what Tom is telling 
> me here?
> 

What I am telling you is that you have these two routes:

fe80::/64 dev eth2 proto kernel metric 256
fe80::/64 dev eth1 proto kernel metric 256

So the hosts connected to one of those are going to be unreachable. You
need to configure the IP addresses on those devices as /72, not /64,
which means that you will have to assign IP addresses to hosts connected
to those interfaces manually or using DHCPv6. You will not be able to
use stateless auto configuration.

You have not told us where you are trying to ping from -- firewall or
host behind the firewall? But you are not allowing Ping from any place
to any other place in this configuration; AllowICMPs does *not* allow
ping; it only allows those ICMPs specified by RFC 4890 as 'must allow'
by routers. That explains the errors when Shorewall is started. But it
doesn't explain the issue when Shorewall is cleared. With Shorewall
cleared, can you ping 2001:470:a:c3::1?

-Tom
-- 
Tom Eastep\   Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
  \___
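As an added illustration of the routing problem Tom describes above (this is not code from the thread or from Shorewall), the following Python parses the relevant lines of the quoted `ip -6 route` output, flags a global prefix that is routed on more than one interface, and carves the routed /64 into one longer prefix per interface (/72, as Tom suggests). The sample route lines are constructed from the thread; the function names are my own.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: the relevant lines of the `ip -6 route` output
# quoted in the thread (the unreachable 6to4/teredo lines are omitted).
ROUTE_OUTPUT = """\
2001:470:a:c3::/64 dev he-ipv6 proto kernel metric 256
2001:470:b:c3::/64 dev eth1 proto kernel metric 256
2001:470:b:c3::/64 dev eth2 proto kernel metric 256
fe80::/64 dev eth1 proto kernel metric 256
fe80::/64 dev eth2 proto kernel metric 256
default dev he-ipv6 metric 1024
"""


def parse_routes(text):
    """Return (network, device) pairs for lines of the form 'prefix dev X'.
    The default route and link-local fe80::/64 (expected on every
    interface) are skipped."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[1] != "dev" or fields[0] == "default":
            continue
        net = ipaddress.IPv6Network(fields[0], strict=False)
        if net.is_link_local:
            continue
        routes.append((net, fields[2]))
    return routes


def duplicated_prefixes(routes):
    """Map each global prefix to the devices it is routed on, keeping only
    prefixes that appear on more than one device. The kernel cannot tell
    which link a given address in that prefix is on, so, as the thread
    says, hosts behind one of the interfaces end up unreachable."""
    by_prefix = defaultdict(list)
    for net, dev in routes:
        by_prefix[net].append(dev)
    return {str(n): devs for n, devs in by_prefix.items() if len(devs) > 1}


def split_prefix(prefix, devices, new_prefix=72):
    """Carve one routed /64 into one longer prefix per device.
    Returns {device: subnet}. Anything longer than /64 leaves fewer than
    64 bits for the interface identifier, so SLAAC (RFC 4862) cannot be
    used on it; hosts need static addresses or DHCPv6."""
    if new_prefix <= 64:
        raise ValueError("per-interface prefix length must be > 64")
    subnets = ipaddress.IPv6Network(prefix).subnets(new_prefix=new_prefix)
    return {dev: str(next(subnets)) for dev in devices}


def slaac_possible(prefix):
    """True only when the prefix leaves a full 64-bit interface identifier."""
    return ipaddress.IPv6Network(prefix).prefixlen <= 64


if __name__ == "__main__":
    dups = duplicated_prefixes(parse_routes(ROUTE_OUTPUT))
    for prefix, devs in dups.items():
        print(f"{prefix} is routed on {devs}; split it:")
        for dev, sub in split_prefix(prefix, devs).items():
            print(f"  {dev}: {sub}  SLAAC possible: {slaac_possible(sub)}")
```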




Re: [Shorewall-users] Fw: IPV6 Tunnel Ping Fail

2018-04-06 Thread colony.three--- via Shorewall-users

‐‐‐ Original Message ‐‐‐

On April 6, 2018 11:58 AM,  wrote:

> 
> ‐‐‐ Original Message ‐‐‐
> 
> On April 6, 2018 11:44 AM, Tom Eastep teas...@shorewall.net wrote:
> 
> > > After shorewall6 clear, ping6 just hangs.
> > > 
> > > ping6 google.com
> > > 
> > > 
> > > PING google.com(sea15s01-in-x0e.1e100.net (2607:f8b0:400a:806::200e)) 56 
> > > data bytes
> > > 
> > > ^C
> > > 
> > > --- google.com ping statistics ---
> > > 
> > > 20 packets transmitted, 0 received, 100% packet loss, time 19000ms
> > 
> > Your routing is all screwed up. You are trying to use the same /64 on
> > 
> > three different networks. When you get a tunnel from HE, you get two /64
> > 
> > networks: one on the sit device, and one to use in your local network(s).
> > 
> > You can subdivide the second /64 between multiple networks, but then the
> > 
> > prefix length for those networks must be > 64 and you cannot use
> > 
> > stateless autoconfiguration.
> > 
> > -Tom
> > 
> > Tom Eastep \ Q: What do you get when you cross a mobster with
> > 
> > Shoreline, \ an international standard?
> > 
> > Washington, USA \ A: Someone who makes you an offer you can't
> > 
> > http://shorewall.org \ understand
> 
> Understand, but I do have 2001:470:a:c3::2 set on the tunnel interface, and 
> for the LAN I've set 2001:470:b:c3::/64 like they say.
> 
> ip -6 route
> ===
> 
> unreachable ::/96 dev lo metric 1024 error -113
> 
> unreachable :::0.0.0.0/96 dev lo metric 1024 error -113
> 
> 2001:470:a:c3::/64 dev he-ipv6 proto kernel metric 256
> 
> 2001:470:b:c3::/64 dev eth1 proto kernel metric 256
> 
> 2001:470:b:c3::/64 dev eth2 proto kernel metric 256
> 
> unreachable 2002:a00::/24 dev lo metric 1024 error -113
> 
> unreachable 2002:7f00::/24 dev lo metric 1024 error -113
> 
> unreachable 2002:a9fe::/32 dev lo metric 1024 error -113
> 
> unreachable 2002:ac10::/28 dev lo metric 1024 error -113
> 
> unreachable 2002:c0a8::/32 dev lo metric 1024 error -113
> 
> unreachable 2002:e000::/19 dev lo metric 1024 error -113
> 
> unreachable 3ffe:::/32 dev lo metric 1024 error -113
> 
> fe80::/64 dev eth1 proto kernel metric 256
> 
> fe80::/64 dev eth2 proto kernel metric 256
> 
> fe80::/64 dev eth0 proto kernel metric 256
> 
> fe80::/64 dev he-ipv6 proto kernel metric 256
> 
> default dev he-ipv6 metric 1024
> 
> True I don't have a gateway set on eth1, but that -is- the LAN gateway.
> 
> To set up the tunnel I'm using the systemd service copied almost 
> word-for-word from the Arch doc:
> 
> [Unit]
> 
> Description=he.net IPv6 tunnel
> 
> After=network.target
> 
> [Service]
> 
> Type=oneshot
> 
> RemainAfterExit=yes
> 
> ExecStart=/usr/sbin/ip tunnel add he-ipv6 mode sit remote 216.218.226.238 
> local 50.47.100.167 ttl 255
> 
> ExecStart=/usr/sbin/ip link set he-ipv6 up mtu 1480
> 
> ExecStart=/usr/sbin/ip addr add 2001:470:a:c3::2/64 dev he-ipv6
> 
> ExecStart=/usr/sbin/ip -6 route add ::/0 dev he-ipv6
> 
> ExecStop=/usr/sbin/ip -6 route del ::/0 dev he-ipv6
> 
> ExecStop=/usr/sbin/ip link set he-ipv6 down
> 
> ExecStop=/usr/sbin/ip tunnel del he-ipv6
> 
> [Install]
> 
> WantedBy=multi-user.target


I must be being dense here.  Can someone please explain what Tom is telling me 
here?



Re: [Shorewall-users] IPV6 Tunnel Ping Fail

2018-04-06 Thread colony.three--- via Shorewall-users
‐‐‐ Original Message ‐‐‐
On April 6, 2018 11:18 AM, colony.three--- via Shorewall-users 
 wrote:

> # ip address
> 7: he-ipv6@NONE:  mtu 1480 qdisc noqueue state 
> UNKNOWN qlen 1
> link/sit 50.47.100.167 peer 216.218.226.238
> inet6 2001:470:a:c3::2/64 scope global
>valid_lft forever preferred_lft forever
> inet6 fe80::322f:64a7/64 scope link
>valid_lft forever preferred_lft forever
> # ip -6 neighbor
>
> # ping6 google.com
> PING google.com(dfw25s08-in-x0e.1e100.net (2607:f8b0:4000:801::200e)) 56 data 
> bytes
> From Quantumn-1-pt.tunnel.tserv14.sea1.ipv6.he.net (2001:470:a:c3::2) 
> icmp_seq=1 Destination unreachable: Address unreachable
> ping: sendmsg: Operation not permitted
> From Quantumn-1-pt.tunnel.tserv14.sea1.ipv6.he.net (2001:470:a:c3::2) 
> icmp_seq=2 Destination unreachable: Address unreachable
> ping: sendmsg: Operation not permitted
> From Quantumn-1-pt.tunnel.tserv14.sea1.ipv6.he.net (2001:470:a:c3::2) 
> icmp_seq=3 Destination unreachable: Address unreachable
> ping: sendmsg: Operation not permitted
>
> Shorewall dump sent to Tom.

I know that incoming ping is required for a Hurricane tunnel, and I've allowed 
this:
Ping(ACCEPT)   net:66.220.2.74  $FW

(I don't want anyone else to ping) (CentOS7.4)

But I don't know whether there needs to be an IPV6 ping incoming, and there are 
no Shorewall6 messages in dmesg.

I can't find any evidence of how to allow protocol 41.

Hopefully LAN passage through this router VM is covered with:
net.ipv6.ip_forward = 1

G**gle is baffled.


[Shorewall-users] IPV6 Tunnel Ping Fail

2018-04-06 Thread colony.three--- via Shorewall-users
# ip address
7: he-ipv6@NONE:  mtu 1480 qdisc noqueue state 
UNKNOWN qlen 1
link/sit 50.47.100.167 peer 216.218.226.238
inet6 2001:470:a:c3::2/64 scope global
   valid_lft forever preferred_lft forever
inet6 fe80::322f:64a7/64 scope link
   valid_lft forever preferred_lft forever
# ip -6 neighbor

# ping6 google.com
PING google.com(dfw25s08-in-x0e.1e100.net (2607:f8b0:4000:801::200e)) 56 data 
bytes
From Quantumn-1-pt.tunnel.tserv14.sea1.ipv6.he.net (2001:470:a:c3::2) 
icmp_seq=1 Destination unreachable: Address unreachable
ping: sendmsg: Operation not permitted
From Quantumn-1-pt.tunnel.tserv14.sea1.ipv6.he.net (2001:470:a:c3::2) 
icmp_seq=2 Destination unreachable: Address unreachable
ping: sendmsg: Operation not permitted
From Quantumn-1-pt.tunnel.tserv14.sea1.ipv6.he.net (2001:470:a:c3::2) 
icmp_seq=3 Destination unreachable: Address unreachable
ping: sendmsg: Operation not permitted

Shorewall dump sent to Tom.


Re: [Shorewall-users] Do SNAT rules support ipsets?

2018-04-06 Thread Tom Eastep
On 04/06/2018 09:42 AM, Tom Eastep wrote:
> On 04/05/2018 07:50 PM, Igor Sverkos wrote:
> 
> It is a bug that was corrected in Shorewall 5.1.7.
> 

Attached is the patch.

patch /usr/share/shorewall/Shorewall/Rules.pm < commit-3b373f3

-Tom
-- 
Tom Eastep\   Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
  \___
From 3b373f3f215208b41f70783f8969f48cfc1766d1 Mon Sep 17 00:00:00 2001
From: Tom Eastep 
Date: Tue, 5 Sep 2017 10:45:17 -0700
Subject: Correct handling of ipsets in the DEST column of the snat file

- Also corrected handling of exclusion

Signed-off-by: Tom Eastep 

diff --git a/Shorewall/Perl/Shorewall/Rules.pm 
b/Shorewall/Perl/Shorewall/Rules.pm
index 379be8923..649c4f018 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -5286,7 +5286,7 @@ sub process_snat1(  ) {
$interfaces = $1;
} elsif ( $dest =~ /^([^:]+):([^:]*)$/ ) {
my ( $one, $two ) = ( $1, $2 );
-   if ( $2 =~ /\./ || $2 =~ /^%/ ) {
+   if ( $2 =~ /\./ || $2 =~ /^[+%!]/ ) {
$interfaces = $one;
$destnets = $two;
} else {
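Review bot: the changed condition still tests `$2` one line after `my ( $one, $two ) = ( $1, $2 );` has copied the captures; nothing re-matches in between so it is correct today, but using `$two` in `if ( $two =~ /\./ || $two =~ /^[+%!]/ )` would make the intent explicit and keep the branch safe if a pattern match is ever inserted between those lines. A short comment above the `if` saying that a second field starting with `+`, `%` or `!` (ipset, dynamic set, exclusion) is a destination list rather than a second interface qualifier would also document why the class was widened, since the commit message only names ipsets and exclusion.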




Re: [Shorewall-users] Do SNAT rules support ipsets?

2018-04-06 Thread Tom Eastep
On 04/05/2018 07:50 PM, Igor Sverkos wrote:
> Hi,
> 
> I am on Debian Stretch system with multiple IP addresses and 
> shorewall-5.0.15.6.
> 
> I have set "/etc/shorewall/snat" to
> 
>> SNAT(1.2.3.4)0.0.0.0/0   eth0:+ip_restricted_endpoints[dst]
> 
> My expectation:
> 
> Whenever I try to contact an IPv4 address listed in
> "ip_restricted_endpoints" ipset I expect that the IP address 1.2.3.4
> should be used as outgoing IP address.
> 
> 
> But it looks like this doesn't work. It looks like every outgoing
> traffic now uses IP 1.2.3.4.
> I noticed that because I have set "smtp_bind_address = 4.3.2.1" in my
> postfix instance however I see postfix connecting via 1.2.3.4 to other
> mail servers.
> 
> When I run `shorewall list nat` I see
> 
>> Chain POSTROUTING (policy ACCEPT 10119 packets, 716K bytes)
>>  pkts bytes target prot opt in out source   
>> destination
>> 17491  951K SNAT   all  --  *  eth0  0.0.0.0/00.0.0.0/0  
>>   to:1.2.3.4
> 
> I would expect to see something like
> 
>> 0 0 ACCEPT tcp  --  *  *   0.0.0.0/04.4.2.2  
>>  tcp dpt:22 match-set ssh-whitelist src
> 
> 
> 
> 
> I.e. "match-set" command (this is from a a normal rule in rules file
> where I use an ipset to control addresses which can ssh into this
> box).
> 
> Also, iptables file in /var/lib/shorewall just contains
> 
>> ...
>> :POSTROUTING ACCEPT [0:0]
>> -A POSTROUTING -o eth0 -j SNAT --to-source 1.2.3.4
>> COMMIT
>> ...
> 
> So this all looks like snat doesn't support ipsets.
> 
> However, `man shorewall-snat` says
> 
>> DEST - {[+]interface[:[digit]][:[dest-address[,dest-address]...[exclusion]]}
>> ...
>>
>> The interface may be qualified by adding the character ":" followed by a 
>> comma-separated list of
>> destination host or subnet addresses to indicate that you only want to 
>> change the source IP address for
>> packets being sent to those particular destinations. Exclusion is 
>> allowed (see shorewall-exclusion[10](5))
>> as are ipset names preceded by a plus sign '+';
>> ^^
> 
> so I would think it should be supported?! Maybe a bug?
> 

It is a bug that was corrected in Shorewall 5.1.7.

-Tom
-- 
Tom Eastep\   Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
  \___


