On Sun, Jan 20, 2008 at 11:51:16PM +0530, Srinivasa Hebbar wrote:
> Hello,
> 
> I am using shorewall 3.4.4
> 
> When I specify an interface name in the rules file, I expected the interface 
> name is given
> to "-i" option of iptable for all the IP addresses. But, I am seeing 
> different results.
> 
> Example 1:
> ACCEPT          loc:net0:192.168.3.1,192.168.3.2                net             tcp 80
> - The above rule generated the following code:
>    run_iptables -A loc2net -p tcp -i net0 -s 192.168.3.1 --dport 80 -j ACCEPT
>    run_iptables -A loc2net -p tcp -s 192.168.3.2 --dport 80 -j ACCEPT
>    progress_message "   Rule \"ACCEPT loc:net0:192.168.3.1,192.168.3.2 net tcp 80     \" added."
> 

I think that this is a little subjective.

First, since you can have multiple interfaces as part of a zone there is
no guarantee that traffic from two or more arbitrary addresses in some
zone will arrive through the same interface.  Thus, I do not think that
it is unreasonable to expect that the syntax you provide in Example 2
below should be considered "more correct".

Second, Tom has indicated to me that fixing this to make Example 1
correct would require significant changes to two of the core functions
in the Shorewall-shell compiler code.  I am hesitant to embark on such
invasive changes because the Shorewall-shell compiler is in maintenance
mode and this looks to me like more than a bug fix.  Additionally, there
is significant risk of introducing a regression somewhere along the way.

> Example 2:
> ACCEPT          loc:net0:192.168.3.1,net0:192.168.3.2                   net              tcp 80
> - The above rule generated the following code:
>    run_iptables -A loc2net -p tcp -i net0 -s 192.168.3.1 --dport 80 -j ACCEPT
>    run_iptables -A loc2net -p tcp -i net0 -s 192.168.3.2 --dport 80 -j ACCEPT
>    progress_message "   Rule \"ACCEPT loc:net0:192.168.3.1,net0:192.168.3.2 net tcp 80     \" added."
> 
> Is it required to prepend the interface name for every comma-separated IP address
> within the rule?
> 
Given that this behavior is not causing a failure (in the sense that it
is not causing execution of Shorewall to halt abnormally), I think that
the answer to your question is "yes".  I will update the documentation
to reflect that it is necessary to explicitly provide the interface name
before each address in a comma separated list.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
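The asymmetry discussed in this thread is easy to check for before a rules file is compiled. The following is an added illustration, not Shorewall's own compiler code: it models the 3.4.4 behaviour the two examples show (an interface qualifier binds only to the comma-separated element it is written on, so `192.168.3.2` in Example 1 gets a rule with no `-i` and therefore matches that address arriving on any interface of the zone), and it adds a small lint that reports addresses in a list that lack the interface the other elements carry. Chain naming (`loc2net`), the option order and the `run_iptables` prefix are taken from the output quoted above; the heuristic that an element is an address if `ipaddress` can parse it is an assumption made here.

```python
"""Model of how a Shorewall 3.4.4 SOURCE column expands into iptables matches.

This is an added, self-contained illustration of the behaviour described in
the thread; it is not Shorewall's compiler. Only the first element of
`loc:net0:192.168.3.1,192.168.3.2` carries `-i net0`; `192.168.3.2` gets a
rule with no interface restriction at all.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class SourceMatch:
    interface: Optional[str]  # value for iptables -i, or None if unrestricted
    address: Optional[str]    # value for iptables -s, or None if unrestricted


def _is_address(token: str) -> bool:
    """Assumption: anything ipaddress can parse (host or CIDR) is an address,
    everything else is an interface name."""
    try:
        ipaddress.ip_network(token, strict=False)
        return True
    except ValueError:
        return False


def parse_source(spec: str) -> Tuple[str, List[SourceMatch]]:
    """Split `zone[:element[,element...]]` into the zone and one match per
    element. An element is `iface:addr`, a bare `addr`, or a bare `iface`.
    The interface qualifier does NOT carry over to later elements."""
    zone, _, rest = spec.partition(":")
    if not rest:
        return zone, [SourceMatch(None, None)]
    matches: List[SourceMatch] = []
    for element in rest.split(","):
        if ":" in element:
            iface, addr = element.split(":", 1)
            matches.append(SourceMatch(iface, addr))
        elif _is_address(element):
            matches.append(SourceMatch(None, element))
        else:
            matches.append(SourceMatch(element, None))
    return zone, matches


def compile_rule(action: str, source: str, dest: str, proto: str, dport: int) -> List[str]:
    """Emit one run_iptables line per source element, in the option order the
    thread shows: -A chain -p proto [-i iface] [-s addr] --dport N -j ACTION."""
    src_zone, matches = parse_source(source)
    dst_zone = dest.split(":", 1)[0]
    chain = f"{src_zone}2{dst_zone}"
    lines = []
    for m in matches:
        parts = ["run_iptables", "-A", chain, "-p", proto]
        if m.interface:
            parts += ["-i", m.interface]
        if m.address:
            parts += ["-s", m.address]
        parts += ["--dport", str(dport), "-j", action]
        lines.append(" ".join(parts))
    return lines


def unqualified_addresses(source: str) -> List[str]:
    """Lint: if any element names an interface, return the addresses that do
    not. Those addresses will be matched on every interface of the zone,
    which is usually not what the rule author meant."""
    _, matches = parse_source(source)
    if not any(m.interface for m in matches):
        return []  # no interface anywhere: the rule is uniformly zone-wide
    return [m.address for m in matches if m.address and not m.interface]


if __name__ == "__main__":
    # Constructed inputs taken from the two examples in the thread.
    for src in ("loc:net0:192.168.3.1,192.168.3.2",
                "loc:net0:192.168.3.1,net0:192.168.3.2"):
        print(f"# {src}")
        for line in compile_rule("ACCEPT", src, "net", "tcp", 80):
            print("   " + line)
        missing = unqualified_addresses(src)
        if missing:
            print(f"   WARNING: no interface bound for {', '.join(missing)}")
```

Running the lint over each SOURCE column of a rules file before `shorewall compile` (or as a pre-commit hook on the configuration repository) catches the Example 1 form, which is the one that silently widens the match; Example 2 and a plain address list with no interface at all pass clean.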


Shorewall-devel mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
