Andrew Suffield wrote:
> On Tue, Apr 17, 2007 at 07:33:17AM -0700, Tom Eastep wrote:
>> Andrew Suffield wrote:
>>> Wildcard lines in the interfaces file appear incompatible with the
>>> routefilter option:
>>>
>>> afl eth2.+ detect dhcp,routefilter
>>>
>>> Gives this in the compiled script:
>>>
>>> if [ -f /proc/sys/net/ipv4/conf/eth2.+/rp_filter ]; then
>>>     echo 1 > /proc/sys/net/ipv4/conf/eth2.+/rp_filter
>>> else
>>>
>>> Which will fail, obviously.
>> Yes -- I keep meaning to find the time to update the documentation to point
>> out that this isn't intended to be supported.
>
> Then I suggest it would be a better use of your time to make the
> compiler reject it - that way, everybody who tries it will quickly
> find out. I didn't even notice the warning message for ages.

I've made it an error in the Shorewall-perl compiler. As an aside, warnings
are a lot easier to notice with VERBOSITY=0 in shorewall.conf.

>
>> What I believe the real problem lies is that the loop you quote shouldn't be
>> executed if ROUTE_FILTER=Yes. See if the attached patch helps.
>
> That would make sense. I'll test it the next chance I get.
>
> I can see a related problem in any case where routefilter is used
> somewhere - since it disables routefilter on *every* interface, but
> then enables it on only those listed in the interfaces file, you're
> still screwed if you have a wildcard line (shorewall will always turn
> rp_filter off on those interfaces and you can't stop it).

In Shorewall-perl 3.9.3, I've made all of these options work somewhat
differently.

a) You can specify the value you want (0 or 1; 1 is assumed if no value given)
b) Only the settings of the interfaces that you specify an option for get
   that option's value changed.

I think that will do more or less what you want (except for the wildcard thing).

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
_______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users
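
The failure discussed in this thread, as an added example that is not part of the original messages and is not Shorewall's code: the literal path `eth2.+/rp_filter` never exists, so a script has to expand the wildcard against the interfaces actually present. The names `CONF_DIR` and `set_rp_filter` are hypothetical, and the sketch assumes a trailing `+` means "any interface name beginning with this prefix"; it takes an optional 0/1 value (default 1) and touches only the interfaces named.

```shell
#!/bin/sh
# Added example, not Shorewall code. CONF_DIR and set_rp_filter are
# hypothetical names; CONF_DIR can be overridden so the function can be
# exercised against a scratch directory instead of the live /proc tree.
CONF_DIR=${CONF_DIR:-/proc/sys/net/ipv4/conf}

# set_rp_filter PATTERN [VALUE]
# PATTERN is an interface name, optionally ending in '+' (assumed to mean
# any name beginning with the prefix). VALUE is 0 or 1, default 1.
# Prints the number of interfaces changed.
# Returns 0 if at least one changed, 1 if none matched, 2 on a bad value.
set_rp_filter() {
    pattern=$1
    value=${2:-1}
    case $value in
        0|1) ;;
        *) echo "invalid rp_filter value: $value" >&2; return 2 ;;
    esac

    changed=0
    case $pattern in
        *+)
            prefix=${pattern%+}
            for dir in "$CONF_DIR/$prefix"*; do
                # An unmatched glob stays literal; the -f test skips it.
                [ -f "$dir/rp_filter" ] || continue
                echo "$value" > "$dir/rp_filter"
                changed=$((changed + 1))
            done
            ;;
        *)
            if [ -f "$CONF_DIR/$pattern/rp_filter" ]; then
                echo "$value" > "$CONF_DIR/$pattern/rp_filter"
                changed=1
            fi
            ;;
    esac

    echo "$changed"
    [ "$changed" -gt 0 ]
}
```

The expansion only covers interfaces that exist when the function runs; an interface matching the wildcard that appears later keeps whatever `rp_filter` value the kernel gave it.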