Tom Eastep wrote:
> Steven Jan Springl wrote:
>> Tom
>>
>> I have just been doing some testing of NOTRACK and have come across a
>> discrepancy.
>> The NOTRACK manual page states that only addresses are allowed in the
>> DESTINATION column, while two Shorewall compiler messages suggest that an
>> interface is also allowed. Additionally Shorewall allows an interface to be
>> coded, but then generates an invalid iptables rule.
>>
>> E.g. coding:
>>
>> lan:eth0 zzz
>>
>> produces the message:
>>
>> ERROR: Unknown interface (zzz) ....
>>
>> If I code both an interface and an IP address:
>>
>> lan:eth0 eth0:1.2.3.4
>>
>> this produces the message:
>>
>> ERROR: DEST interface may not be specified with a destination IP address
>> in the PREROUTING chain ...
>>
>> If I then code a valid interface:
>>
>> lan:eth0 eth0
>>
>> the following invalid rule is generated:
>>
>> -A lan_notrk -i eth0 -d ETH0_NETWORKS -j NOTRACK
>
> Fixed by r9831. A destination interface name should actually work in the
> PREROUTING case but I despair of trying to explain the limitations to
> people. It is just easier to scare them off by telling them that it
> isn't allowed.
I should add that correct handling of a destination interface in a PREROUTING rule is only available in 4.3 -- 4.2 rejects that usage.

-Tom

-- 
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
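The three DESTINATION forms exercised in the report (a bare interface, an interface with an address, and a plain address) can be checked before any rule is emitted. The validator below is an added illustration, not Shorewall's compiler code: it parses the DESTINATION column into an (interface, address) pair, applies the checks the thread describes (unknown interface, interface combined with an address in PREROUTING, and the 4.2/4.3 difference for a bare interface), and renders the rule. The set of known interfaces is constructed, and the `$ETH0_NETWORKS` shell-variable form used for a bare interface is my assumption about how the run-time-detected networks would be substituted; the page only shows the unexpanded `ETH0_NETWORKS` of the faulty rule.

```python
import ipaddress
from typing import Optional, Tuple

# Constructed list of interfaces the hypothetical compiler knows about.
KNOWN_INTERFACES = {"eth0", "eth1"}

PREROUTING_MIX_ERROR = ("ERROR: DEST interface may not be specified with a "
                        "destination IP address in the PREROUTING chain")


def _is_address(text: str) -> bool:
    """True if text parses as an IPv4/IPv6 host or CIDR network."""
    try:
        ipaddress.ip_network(text, strict=False)
        return True
    except ValueError:
        return False


def parse_destination(dest: str) -> Tuple[Optional[str], Optional[str]]:
    """Split a DESTINATION value into (interface, address).

    Accepted shapes: "addr", "iface", "iface:addr".  A whole-string address
    is tested first so IPv6 literals are not mistaken for "iface:addr".
    """
    if _is_address(dest):
        return None, dest
    if ":" in dest:
        iface, addr = dest.split(":", 1)
        return iface or None, addr or None
    return dest, None


def validate_destination(dest: str, chain: str = "PREROUTING",
                         dest_interface_allowed: bool = True) -> Tuple[bool, str]:
    """Return (ok, message) for a DESTINATION value in the given chain.

    dest_interface_allowed=False models the 4.2 behaviour described in the
    thread (a bare destination interface is rejected); True models 4.3.
    """
    iface, addr = parse_destination(dest)
    if addr is not None and not _is_address(addr):
        return False, f"ERROR: Invalid address ({addr})"
    if iface is not None and iface not in KNOWN_INTERFACES:
        return False, f"ERROR: Unknown interface ({iface})"
    if iface is not None and addr is not None and chain == "PREROUTING":
        return False, PREROUTING_MIX_ERROR
    if iface is not None and addr is None and not dest_interface_allowed:
        return False, f"ERROR: Destination interface ({iface}) not supported in this version"
    return True, ""


def render_notrack_rule(source: str, dest: str, chain: str = "PREROUTING") -> str:
    """Render the iptables NOTRACK rule for a SOURCE of the form zone:iface."""
    ok, msg = validate_destination(dest, chain)
    if not ok:
        raise ValueError(msg)
    zone, src_iface = source.split(":", 1)
    iface, addr = parse_destination(dest)
    parts = ["-A", f"{zone}_notrk", "-i", src_iface]
    if addr is not None:
        parts += ["-d", addr]
    elif iface is not None:
        # Assumption: the interface's networks are detected at run time and
        # exposed to the generated script as a shell variable.  The report's
        # bad rule is this form with the '$' missing.
        parts += ["-d", f"${iface.upper()}_NETWORKS"]
    parts += ["-j", "NOTRACK"]
    return " ".join(parts)


if __name__ == "__main__":
    for dest in ("zzz", "eth0:1.2.3.4", "eth0", "1.2.3.4"):
        ok, msg = validate_destination(dest)
        print(dest, "->", render_notrack_rule("lan:eth0", dest) if ok else msg)
```

Running the block prints the two error messages from the report for `zzz` and `eth0:1.2.3.4`, and a complete rule for the two accepted forms. Rejecting the mixed form up front, rather than after the interface lookup, keeps the check independent of whether the interface name happens to be valid.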
_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
