Andrew Suffield wrote:
> Wildcard lines in the interfaces file appear incompatible with the
> routefilter option:
>
> afl eth2.+ detect dhcp,routefilter
>
> Gives this in the compiled script:
>
> if [ -f /proc/sys/net/ipv4/conf/eth2.+/rp_filter ]; then
> echo 1 > /proc/sys/net/ipv4/conf/eth2.+/rp_filter
> else
>
> Which will fail, obviously.
Yes -- I keep meaning to find the time to update the documentation to point out that this isn't intended to be supported.

> Also, the behaviour of the ROUTE_FILTER option is decidedly strange:
> setting ROUTE_FILTER to 'yes' disables rp_filter on all interfaces
> that don't have the routefilter option set in the interfaces
> file. This is particularly annoying when combined with the above
> problem.
>
> And I'm pretty sure that this is wrong:
>
> for f in /proc/sys/net/ipv4/conf/*; do
> [ -f \$f/log_martians ] && echo 0 > \$f/rp_filter
> done
>
> That should probably say 'rp_filter' and not 'log_martians'.

While it should say 'rp_filter', that isn't the problem (in fact, changing 'log_martians' to 'rp_filter' won't change the behavior at all, since if 'log_martians' exists, so does 'rp_filter'). Where I believe the real problem lies is that the loop you quote shouldn't be executed if ROUTE_FILTER=Yes.

See if the attached patch helps. It is against 3.9 Shorewall_shell but applies cleanly to the current 3.4 thread and with offset to the 3.2 thread.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ [EMAIL PROTECTED]
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Index: compiler =================================================================== --- compiler (revision 5958) +++ compiler (working copy) @@ -3715,13 +3715,16 @@ save_progress_message "Setting up Route Filtering..." - indent >&3 << __EOF__ + if [ -z "$ROUTE_FILTER" ]; THEN + indent >&3 << __EOF__ for f in /proc/sys/net/ipv4/conf/*; do - [ -f \$f/log_martians ] && echo 0 > \$f/rp_filter + [ -f \$f/rp_filter ] && echo 0 > \$f/rp_filter done __EOF__ + fi + for interface in $interfaces; do file=/proc/sys/net/ipv4/conf/$interface/rp_filter @@ -3738,7 +3741,6 @@ if [ -n "$ROUTE_FILTER" ]; then save_command "echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter" - save_command "echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter" fi save_command "[ -n \"\$NOROUTES\" ] || ip route flush cache" @@ -3754,13 +3756,16 @@ save_progress_message "Setting up Martian Logging..." - indent >&3 << __EOF__ + if [ -z "$LOG_MARTIANS" ]; then + indent >&3 << __EOF__ for f in /proc/sys/net/ipv4/conf/*; do [ -f \$f/log_martians ] && echo 0 > \$f/log_martians done __EOF__ + fi + for interface in $interfaces; do file=/proc/sys/net/ipv4/conf/$interface/log_martians @@ -3774,9 +3779,10 @@ __EOF__ done + save_command "echo 1 > /proc/sys/net/ipv4/conf/all/log_martians" + if [ -n "$LOG_MARTIANS" ]; then save_command "echo 1 > /proc/sys/net/ipv4/conf/default/log_martians" - save_command "echo 1 > /proc/sys/net/ipv4/conf/all/log_martians" fi fi
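Review bot: `THEN` in the added line `+ if [ -z "$ROUTE_FILTER" ]; THEN` of the Route Filtering hunk is a syntax error in the compiler script itself; shell keywords are case-sensitive, so it must be `then`, as the matching guard in the Martian Logging hunk already spells it. Apart from that, the hunk does what the reply describes: the reset loop now runs only when ROUTE_FILTER is empty, and the test inside it checks `\$f/rp_filter` instead of `\$f/log_martians`.

Review bot: in the second hunk the line `- save_command "echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter"` is dropped outright rather than moved, so after this patch nothing in the visible code touches `conf/all/rp_filter`; its value is left to whatever the system's own sysctl setup chose. Whether the per-interface `echo 1` is sufficient on its own depends on how the kernel combines `conf/all` with `conf/<interface>`, so the commit message should say why `all` is no longer set here, especially since the corresponding log_martians write in the last hunk is kept and even widened rather than removed.

Review bot: in the last hunk, moving `save_command "echo 1 > /proc/sys/net/ipv4/conf/all/log_martians"` above the `if [ -n "$LOG_MARTIANS" ]; then` makes it unconditional, so `all/log_martians` is set to 1 even when LOG_MARTIANS is empty, which is precisely the case in which the preceding hunk now zeroes every interface's `log_martians`. If the `all` entry enables logging by itself, that reset is defeated and martian logging is on for every interface whenever the generated script runs; if that is intended, document it, otherwise keep the write inside the conditional alongside the `default/log_martians` one.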
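The generation logic the reply describes, as an added example that is not Shorewall's compiler code: a POSIX sh function that prints the rp_filter commands the compiled script would contain, running the reset loop only when ROUTE_FILTER is empty and skipping wildcard interface names (those ending in `+`, such as `eth2.+`) for which no `/proc/sys/net/ipv4/conf` entry can exist. The function name, its arguments, the `[ -f ... ] && echo 1` form of the per-interface line and the warning text are assumptions; it writes to stdout instead of /proc so it can be run anywhere.

```shell
#!/bin/sh
# Added example, not Shorewall's compiler: emit the rp_filter commands a
# compiled firewall script would run, without touching /proc ourselves.
#
#   $1  value of ROUTE_FILTER ("" or "Yes")
#   $2  space-separated interfaces that carry the 'routefilter' option
#
# A name ending in '+' is a Shorewall wildcard (e.g. eth2.+). There is no
# /proc/sys/net/ipv4/conf/eth2.+ directory, so such names are reported on
# stderr and skipped instead of being turned into a path that never exists.
route_filter_commands() {
    rf="$1"
    ifaces="$2"

    # Reset every interface to 0 only when ROUTE_FILTER is not set; with
    # ROUTE_FILTER=Yes the 'default' setting emitted below must stay in force
    # for interfaces that do not carry the routefilter option.
    if [ -z "$rf" ]; then
        cat << '__EOF__'
for f in /proc/sys/net/ipv4/conf/*; do
    [ -f $f/rp_filter ] && echo 0 > $f/rp_filter
done
__EOF__
    fi

    # Per-interface enable for interfaces listed with 'routefilter'.
    for interface in $ifaces; do
        case "$interface" in
            *+)
                echo "warning: wildcard interface $interface ignored for routefilter" >&2
                continue
                ;;
        esac
        file=/proc/sys/net/ipv4/conf/$interface/rp_filter
        echo "[ -f $file ] && echo 1 > $file"
    done

    # Global default for interfaces not named above, only if ROUTE_FILTER is set.
    if [ -n "$rf" ]; then
        echo "echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter"
    fi
}
```

Run it as `route_filter_commands "" "eth0 eth2.+"` to see the reset loop plus a single eth0 line, and with `"Yes"` to see the loop disappear and the `default` line appear.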
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users