On Tue, 2011-07-05 at 15:41 +0100, Steven Jan Springl wrote:
> Whilst getting information to report the issue, I have been looking at
> lib.cli.
>
> shorewall/lib.cli contains:
>
>     if [ -n "$have_ipset" ]; then
>         if qt $IPTABLES -A $chain -m set --match-set $chain src -j ACCEPT; then
>             qt $IPTABLES -D $chain -m set --match-set $chain src -j ACCEPT
>             IPSET_MATCH=Yes
>         elif qt $IPTABLES -A $chain -m set --set $chain src -j ACCEPT; then
>             qt $IPTABLES -D $chain -m set --set $chain src -j ACCEPT
>             IPSET_MATCH=Yes
>             OLD_IPSET_MATCH=Yes
>         fi
>         qt ipset -X $chain
>     fi
>
> shorewall6/lib.cli contains:
>
>     if qt ipset -N $chain hash:ip family inet6; then
>         IPSET_V5=Yes
>         if qt $IP6TABLES -A $chain -m set --set $chain src -j ACCEPT; then
>             qt $IP6TABLES -D $chain -m set --set $chain src -j ACCEPT
>             IPSET_MATCH=Yes
>         elif qt $IP6TABLES -A $chain -m set --set $chain src -j ACCEPT; then
>             qt $IP6TABLES -D $chain -m set --set $chain src -j ACCEPT
>             IPSET_MATCH=Yes
>             OLD_IPSET_MATCH=Yes
>         fi
>         qt ipset -X $chain
>     fi
>
> shorewall/lib.cli tries "-m set --match-set" then "-m set --set" but
> shorewall6/lib.cli tries "-m set --set" twice.
> Is this correct?

No, although it probably isn't an observable defect since I don't believe
that ip6tables has ever supported only the old syntax. At any rate, the
attached patch should implement the correct behavior.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

diff --git a/Shorewall6/lib.cli b/Shorewall6/lib.cli
index 31ad6c0..08e4bc7 100644
--- a/Shorewall6/lib.cli
+++ b/Shorewall6/lib.cli
@@ -1670,8 +1670,8 @@ determine_capabilities() {
if qt ipset -N $chain hash:ip family inet6; then
IPSET_V5=Yes
- if qt $IP6TABLES -A $chain -m set --set $chain src -j ACCEPT; then
- qt $IP6TABLES -D $chain -m set --set $chain src -j ACCEPT
+ if qt $IP6TABLES -A $chain -m set --match-set $chain src -j ACCEPT; then
+ qt $IP6TABLES -D $chain -m set --match-set $chain src -j ACCEPT
IPSET_MATCH=Yes
elif qt $IP6TABLES -A $chain -m set --set $chain src -j ACCEPT; then
qt $IP6TABLES -D $chain -m set --set $chain src -j ACCEPT
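
Review bot: The two probes in this hunk (`-m set --match-set` in the `if`, `-m set --set` in the `elif`) differ by a single option name and carry no comment saying which is the current syntax and which is the legacy fallback, which is how the copy in this file ended up testing `--set` twice. Please add a one-line comment above each branch, noting that the `elif` branch is the one that sets OLD_IPSET_MATCH as shown in the quoted code. Since the same add-then-delete sequence exists in Shorewall/lib.cli with $IPTABLES, consider a shared helper that takes the tool as an argument so the two files cannot drift apart again. The covering message also says ip6tables has probably never supported only the old syntax; if that is confirmed, the `elif` branch here is unreachable in practice and could be dropped instead of documented.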
_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
