On Thursday 07 June 2007 23:35, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > On Thursday 07 June 2007 22:31, Steven Jan Springl wrote:
> >> On Thursday 07 June 2007 21:16, Tom Eastep wrote:
> >>> Steven Jan Springl wrote:
> >>>> The 'optional' option works.
> >>>> I will test the 'maclist' option and shorewall-shell and get back to
> >>>> you.
> >>>
> >>> Thanks!
> >>> -Tom
> >>
> >> Tom
> >>
> >> The 'maclist' option works with a bridge that does not have an IP
> >> address.
> >>
> >> When the bridge does not have an IP address, shorewall-shell produces
> >> the following message:
> >>
> >>    ERROR: Interface br0 must be up before Shorewall can start.
> >>
> >> Steven.
> >
> > Tom
> >
> > An update to the above.
> >
> > When bridge br0 does not have an IP address and interfaces contains the
> > following entry:
> >
> > lan  br0  -  bridge,optional,maclist
> >
> > Shorewall-perl works. Adding the option 'detectnets' produces the
> > following error:
> >
> >  ERROR: No hosts on br0 have the maclist option
> > specified : /etc/shorewall/maclist ( line 11 )
> >
> > This does not happen when br0 has an IP address.
>
> A rather odd-ball case. 'detectnets' is never going to work right on an
> interface with no IP address. Nevertheless, I've hacked around it
> (untested) in r6483.
>
> Note that there will be *no* MAC verification performed with this silly
> combination of configuration and options.
>
> Thanks.
> -Tom
Tom

I agree 'detectnets' is silly on an interface with no IP address. I was expecting
you to flag it as invalid in the same way that you do if the default route is
on the interface.

I have tested revision 6484. Shorewall-perl now starts. 

If 'routeback' is added to the interface then the following iptables rules are 
generated:
        without 'detectnets'

        -A br0_fwd -m state --state INVALID,NEW -j dynamic
        -A br0_fwd -m state --state NEW -j br0_mac
        -A br0_fwd -j ACCEPT

        with 'detectnets'

        -A br0_fwd -m state --state INVALID,NEW -j dynamic

Should the '-A br0_fwd -j ACCEPT' rule not be generated when 'detectnets' is
specified?

Steven.
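As an added check, not Shorewall's own code and not from the thread: a small POSIX sh/awk helper that takes iptables-save style rules, such as the two sets quoted above, and reports whether a bridge's forward chain reaches an unconditional ACCEPT without first jumping to its maclist chain. It assumes the chain naming seen in the quoted rules (`<iface>_fwd` for the forward chain, `<iface>_mac` for the maclist chain); the sample rule sets are constructed from the thread.

```shell
#!/bin/sh
# Audit helper (added example, not part of Shorewall): for a given *_fwd chain,
# report whether forwarded traffic is accepted without passing the *_mac chain.
# Chain names follow the rules quoted in the thread (br0_fwd / br0_mac).

# Constructed samples: the rule sets Steven quoted, with and without 'detectnets'.
RULES_WITHOUT_DETECTNETS='-A br0_fwd -m state --state INVALID,NEW -j dynamic
-A br0_fwd -m state --state NEW -j br0_mac
-A br0_fwd -j ACCEPT'

RULES_WITH_DETECTNETS='-A br0_fwd -m state --state INVALID,NEW -j dynamic'

# maclist_status CHAIN RULES
# Prints one of:
#   verified          - an unconditional ACCEPT exists, but a jump to <iface>_mac
#                       precedes it (maclist checking is wired in)
#   unverified-accept - an unconditional ACCEPT is reached with no earlier jump
#                       to <iface>_mac (traffic forwarded with no MAC check)
#   no-accept         - the chain never unconditionally accepts
# Only the presence of the jump is checked, not the contents of <iface>_mac.
maclist_status() {
    chain=$1
    rules=$2
    iface=${chain%_fwd}
    printf '%s\n' "$rules" | awk -v chain="$chain" -v mac="${iface}_mac" '
        $1 == "-A" && $2 == chain {
            if ($0 ~ ("-j " mac "( |$)")) seen_mac = 1
            # "-A <chain> -j ACCEPT" is exactly four fields: an unconditional accept
            if (NF == 4 && $3 == "-j" && $4 == "ACCEPT") {
                print (seen_mac ? "verified" : "unverified-accept")
                done = 1
                exit
            }
        }
        END { if (!done) print "no-accept" }'
}

# Usage against the two quoted rule sets.
maclist_status br0_fwd "$RULES_WITHOUT_DETECTNETS"   # verified
maclist_status br0_fwd "$RULES_WITH_DETECTNETS"      # no-accept
```

Run it over `iptables-save` output after changing interface options to confirm that a forward chain which accepts traffic still passes through the maclist chain.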


Shorewall-devel mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-devel