On Monday 13 September 2010 21:48:57 Tom Eastep wrote:
> On 09/13/2010 01:26 PM, Steven Jan Springl wrote:
> > On Monday 13 September 2010 21:18:25 Tom Eastep wrote:
> >> On 9/13/10 12:29 PM, Steven Jan Springl wrote:
> >>> Interface entry:
> >>>
> >>> rest xyz nets=dynamic,optional
> >>>
> >>> produces the following message:
> >>>
> >>> iptables-restore v1.4.9.1: Set rest_xyz doesn't exist.
> >>>
> >>> Note: Shorewall starts when a host entry such as the following is
> >>> defined, so I know that ipset is working:
> >>>
> >>> z1 eth1:dynamic tcpflags
> >>
> >> what does 'fgrep IPSET <compiled script>' produce, Steven?
> >
> > See attached file.
>
> Steven,
>
> I can't understand why z1_eth1 would be created and rest_xyz would not; the
> lines that create the two sets if they don't exist should be adjacent in
> the script.
>
> qt $IPSET -L rest_xyz -n || $IPSET -N rest_xyz iphash
> qt $IPSET -L z1_eth1 -n || $IPSET -N z1_eth1 iphash
>
> -Tom
Tom,
If I start the firewall without an interface defined as dynamic, change an interface to dynamic and restart the firewall, it works.
In the attached part of the script generated from a 'shorewall compile ... ', it can be seen that IPSET is not executed on a 'shorewall start'.
Steven.
if [ "$COMMAND" = start ]; then
    if [ -f ${VARDIR}/ipsets.save ]; then
        $IPSET -F
        $IPSET -X
        $IPSET -R < ${VARDIR}/ipsets.save
    fi
elif [ "$COMMAND" = restore -a -z "$g_recovering" ]; then
    if [ -f $(my_pathname)-ipsets ]; then
        if chain_exists shorewall; then
            startup_error "Cannot restore $(my_pathname)-ipsets with Shorewall running"
        else
            $IPSET -F
            $IPSET -X
            $IPSET -R < $(my_pathname)-ipsets
        fi
    fi
    qt $IPSET -L dmz_eth1 -n || $IPSET -N dmz_eth1 iphash
elif [ "$COMMAND" = restart ]; then
    qt $IPSET -L dmz_eth1 -n || $IPSET -N dmz_eth1 iphash
    if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then
        #
        # The 'grep -v' is a hack for a bug in ipset's nethash implementation when xtables-addons is applied to Lenny
        #
        hack='| grep -v /31'
    else
        hack=
    fi
    if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then
        grep -q "^-N" ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save
    fi
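The failure in this thread is iptables-restore being handed a ruleset that names a set (rest_xyz) which was never created on the 'start' path. The following pre-flight check, added here as an example and not part of Shorewall or of the script above, lists every set a ruleset references via '--match-set', probes each with the same 'ipset -L NAME -n' test the generated script uses, and creates missing ones idempotently; the IPSET variable and the iphash set type are assumptions taken from the script above.

```shell
#!/bin/sh
# Added example (not Shorewall's code): catch "Set NAME doesn't exist" before
# iptables-restore runs. IPSET defaults to the real binary; callers may point it
# at a stub for testing.
IPSET=${IPSET:-ipset}

# Print the distinct set names referenced in a ruleset read from stdin,
# e.g. "-A INPUT -m set --match-set rest_xyz src -j ACCEPT" -> rest_xyz
referenced_sets() {
    sed -n 's/.*--match-set[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' | sort -u
}

# Create SET as an iphash set if it does not already exist, mirroring the
# "qt $IPSET -L NAME -n || $IPSET -N NAME iphash" pattern in the generated script.
ensure_set() {
    "$IPSET" -L "$1" -n >/dev/null 2>&1 || "$IPSET" -N "$1" iphash
}

# Check the ruleset in file $1: print each missing set on stderr and return 1
# if any set is missing, 0 if iptables-restore would find all of them.
check_ruleset() {
    missing=0
    for s in $(referenced_sets < "$1"); do
        if ! "$IPSET" -L "$s" -n >/dev/null 2>&1; then
            echo "missing ipset: $s" >&2
            missing=1
        fi
    done
    return $missing
}
```

Running check_ruleset against the compiled ruleset in the 'start' branch, before the restore step, turns the iptables-restore abort into a clear list of sets that still need creating.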
_______________________________________________
Shorewall-devel mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-devel