On Tue, Apr 17, 2007 at 07:33:17AM -0700, Tom Eastep wrote:
> Andrew Suffield wrote:
> > Wildcard lines in the interfaces file appear incompatible with the
> > routefilter option:
> >
> > afl eth2.+ detect dhcp,routefilter
> >
> > Gives this in the compiled script:
> >
> > if [ -f /proc/sys/net/ipv4/conf/eth2.+/rp_filter ]; then
> > echo 1 > /proc/sys/net/ipv4/conf/eth2.+/rp_filter
> > else
> >
> > Which will fail, obviously.
>
> Yes -- I keep meaning to find the time to update the documentation to point
> out that this isn't intended to be supported.

Then I suggest it would be a better use of your time to make the
compiler reject it - that way, everybody who tries it will quickly find
out. I didn't even notice the warning message for ages.

> What I believe the real problem lies is that the loop you quote shouldn't be
> executed if ROUTE_FILTER=Yes. See if the attached patch helps.

That would make sense. I'll test it the next chance I get.

I can see a related problem in any case where routefilter is used
somewhere - since it disables routefilter on *every* interface, but
then enables it on only those listed in the interfaces file, you're
still screwed if you have a wildcard line (shorewall will always turn
rp_filter off on those interfaces and you can't stop it).

My solution has been to stop using routefilter entirely, and set
rp_filter myself; it doesn't seem to fit shorewall's configuration
model very well, probably because it's a routing thing and not a
netfilter thing. There's no particular reason to expect that the set
of non-wildcard things in the interfaces file will correspond to the
places where you want rp_filter set.

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
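
Added example, not part of the original message and not Shorewall's own code: one way to set rp_filter by hand on every interface matching a wildcard name such as `eth2.+`, treating a trailing `+` as "any suffix" instead of using it as a literal path component. The function name `set_rp_filter` and its optional conf-root argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: apply an rp_filter value to each interface whose name
# matches an iptables/Shorewall-style pattern (trailing "+" = any suffix).
# The conf root is a parameter (an assumption of this example) so the logic
# can be exercised against a scratch directory instead of live /proc.

# set_rp_filter PATTERN VALUE [CONF_ROOT]
# Prints the number of interfaces updated; returns 1 if none matched.
set_rp_filter() {
    pattern=$1
    value=$2
    root=${3:-/proc/sys/net/ipv4/conf}
    count=0

    case $pattern in
        *+) prefix=${pattern%+}; wildcard=1 ;;
        *)  prefix=$pattern;     wildcard=0 ;;
    esac

    for dir in "$root"/*; do
        [ -d "$dir" ] || continue
        name=${dir##*/}
        if [ "$wildcard" -eq 1 ]; then
            # Quoted prefix keeps "." and any glob characters literal.
            case $name in
                "$prefix"*) ;;
                *) continue ;;
            esac
        else
            [ "$name" = "$prefix" ] || continue
        fi
        # Only touch interfaces that actually expose the knob.
        [ -f "$dir/rp_filter" ] || continue
        echo "$value" > "$dir/rp_filter" || continue
        count=$((count + 1))
    done

    echo "$count"
    [ "$count" -gt 0 ]
}
```

Run as root, `set_rp_filter 'eth2.+' 1` only covers interfaces that exist at that moment; VLAN or DHCP interfaces created later need the call repeated (for example from an interface-up hook).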