On 09/22/2010 11:08 AM, Mr Dash Four wrote:
> OK, I've done some testing and it works, though I came across something
> I am not sure is to do with Shorewall:
>
> 1. ipset allows for macipmap to be defined - that is ip,mac
> combinations. Even though I did define such a set and set it properly in
> my rules file (which Shorewall translated properly) I do not seem to be
> able to get a match - don't know why.
>
> For example, I've set my local test bed with its ip,mac combo (i.e.
> src-ip-set[src,src]), I've got Shorewall's translation as match-set
> src-ip-set src,src, which seems to be right, though I cannot get any
> matches on that rule!

That's the correct translation so I don't know what Shorewall could do differently.

> 2. Shorewall allows for some, frankly, ridiculous combinations like
>
> DROP $FW:+[ip-set[src],ip-port-map[dst,dst]] net:+[ip-set[dst],ip-port-map[src,src]]
>
> The above translates without error and produces matches, which are then
> passed on to iptables (successfully!), though there is absolutely no
> chance of the above rule producing any match. I have no idea if/how you
> could stop this (or if you should bother!).

Given that the sets need not even exist on the system where the compilation is being done, I don't believe that Shorewall should be in the business of trying to decide what combinations are reasonable and what aren't.

> On another note - as I compile my kernel manually (have introduced some
> 'enhancements' of my own) I also compile and build xtables addons from
> source.
>
> It turns out that, for some unknown reason, ipportiphash and
> ipportnethash (supporting ip-port-ip and ip-port-net sets) are NOT built
> in, though the source is compiled and .ko files are produced. When I try
> to use these two maps (needed to go further with the testing) I get an
> error saying these two maps are not supported. Bizarre!

Are the modules being loaded?

-Tom

-- 
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
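As an added illustration (not code from this thread, from Shorewall or from ipset), the Python below renders the Shorewall ipset syntax discussed above into the "-m set --match-set" argument list iptables receives, and answers Tom's closing question mechanically by checking a constructed /proc/modules excerpt for the per-type set modules. It assumes the ipset 4.x / xtables-addons naming ip_set_<type> for those modules and that a bracketed list of sets translates to one --match-set per set; both are assumptions, not statements from the thread.

```python
import re
from typing import List, Tuple

# Shorewall ipset syntax in a rule column: "+name", "+name[flag,...]" or a
# bracketed list "+[name1[flags],name2[flags]]"; flags are src/dst, one per
# dimension of the set (so ip,mac and ip,port sets take two flags).
SET_RE = re.compile(r'([\w.-]+)(?:\[([^\]]*)\])?')

def parse_ipset_expr(expr: str, column: str) -> List[Tuple[str, List[str]]]:
    """Return (setname, flags) pairs; a set given without flags defaults to
    the direction of the column it appears in (SOURCE -> src, DEST -> dst)."""
    if not expr.startswith('+') or column not in ('src', 'dst'):
        raise ValueError(f'bad ipset expression {expr!r} for column {column!r}')
    body = expr[1:]
    if body.startswith('[') and body.endswith(']'):
        body = body[1:-1]                         # list of several sets
    sets = []
    for m in SET_RE.finditer(body):
        flags = m.group(2).split(',') if m.group(2) else [column]
        if not all(f in ('src', 'dst') for f in flags):
            raise ValueError(f'bad flags {m.group(2)!r} in {expr!r}')
        sets.append((m.group(1), flags))
    return sets

def to_iptables_args(expr: str, column: str) -> List[str]:
    """Render the expression as the iptables argument list: one
    '-m set --match-set NAME FLAGS' group per set (assumed translation)."""
    args: List[str] = []
    for name, flags in parse_ipset_expr(expr, column):
        args += ['-m', 'set', '--match-set', name, ','.join(flags)]
    return args

# Constructed /proc/modules excerpt (not from the thread). Assumed ipset 4.x
# naming: type X lives in module ip_set_X, so a type not listed here gives
# exactly the "not supported" error the poster reported.
PROC_MODULES = """\
ip_set_macipmap 16384 1 - Live 0xffffffffc0000000
ip_set_iphash 16384 2 - Live 0xffffffffc0000000
ipt_set 16384 3 - Live 0xffffffffc0000000
ip_set 20480 3 ip_set_macipmap,ip_set_iphash,ipt_set, Live 0xffffffffc0000000
"""

def missing_set_modules(proc_modules: str, set_types: List[str]) -> List[str]:
    """List the set types whose ip_set_<type> module is not loaded."""
    loaded = {ln.split()[0] for ln in proc_modules.splitlines() if ln.strip()}
    return [t for t in set_types if f'ip_set_{t}' not in loaded]

if __name__ == '__main__':
    print(to_iptables_args('+[ip-set[src],ip-port-map[dst,dst]]', 'src'))
    print(missing_set_modules(PROC_MODULES, ['macipmap', 'ipportiphash', 'ipportnethash']))
```

On a real box, read /proc/modules (or the output of lsmod) in place of the constructed string; a type reported missing here is one to modprobe before retrying the rule.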
_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
