On 5/7/11 9:59 AM, Mr Dash Four wrote:
>> In *all* Shorewall configuration files, an interface name in the SOURCE
>> column specifies the interface on which the traffic *enters* the
>> firewall (-i option in iptables).
>>
> My point is that if a class is defined for a particular interface (as is
> "a:11" in my case for eth0) this will ever produce only one match and
> that is when this interface is involved, isn't that so?
No -- it will match traffic going to 10.1.1.1 out of *any* interface. It
will only be useful if the traffic is going out of eth0. Attached is a
patch that interprets this rule:
a:11 - 10.1.1.1 tcp 22
as
a:11 - eth0:10.1.1.1 tcp 22
(assuming that eth0 == device a).
>>
>> And maybe someday when I'm desperately bored, I'll make such rules
>> automatically insert the appropriate -o clause in the generated rule.
Which is what the attached patch does.
>>
> Well, even with your suggestion I can't still make this to work unless I
> *manually* rearrange the insane rule shorewall places in tcpost (see my
> next post).
Your next post seems to whine about the Shorewall requirement that
interface names mentioned in SOURCE and DEST columns must be defined in
/etc/shorewall/interfaces. You can complain all you want but that isn't
going to change.
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
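The DEST rewrite Tom describes above (a bare class rule gets the class's device as DEST, an address-only DEST gets the device prefixed), carried out on whole tcrules lines as an added Python example. This is not Shorewall code and not the attached patch; CLASSIDS and INTERFACES are constructed stand-ins for the tcclasses and /etc/shorewall/interfaces tables, and two details are assumptions of this example rather than behaviour the patch specifies: a DEST is treated as already interface-qualified when the text before its first ":" is a defined interface, and a DEST naming a different interface from the class's device is rejected, since such a rule could never match.

```python
# Constructed mapping of tcrules MARK designators to the tcdevice they belong to,
# as Shorewall derives it from tcclasses ("a:11" = class 11 on the first device, eth0).
CLASSIDS = {"a:11": "eth0", "a:12": "eth0", "b:11": "eth1"}

# Constructed set standing in for /etc/shorewall/interfaces; interface names used in
# SOURCE/DEST must be defined there.
INTERFACES = {"eth0", "eth1"}


def qualify_dest(mark, dest, classids=CLASSIDS, interfaces=INTERFACES):
    """Return the DEST column rewritten so a class rule also selects the egress device.

    mark is the MARK/CLASS column (e.g. "a:11"); dest is the DEST column.
    """
    device = classids.get(mark)
    if device is None:
        raise ValueError(f"Unknown Class ({mark})")
    if dest == "-":
        # Bare class rule: the only useful match is traffic leaving the class's device.
        return device
    iface, sep, _ = dest.partition(":")
    if sep and iface in interfaces:
        # Assumption: DEST is already interface-qualified when the part before the
        # first ':' is a defined interface. A different interface from the class's
        # device can never match, so reject it instead of emitting a dead rule.
        if iface != device:
            raise ValueError(f"DEST interface {iface} does not match class device {device}")
        return dest
    # Address, network or ipset only: prefix the device so the generated iptables
    # rule carries "-o <device>" in addition to "-d <address>".
    return f"{device}:{dest}"


def normalize_rule(line, **kw):
    """Rewrite one whitespace-separated tcrules line: MARK SOURCE DEST [PROTO DPORT ...]."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError(f"tcrules line needs at least MARK SOURCE DEST: {line!r}")
    fields[2] = qualify_dest(fields[0], fields[2], **kw)
    return " ".join(fields)


if __name__ == "__main__":
    for rule in ("a:11 - 10.1.1.1 tcp 22",
                 "a:11 - - tcp 22",
                 "a:11 - eth0:10.1.1.0/24 tcp 22"):
        print(rule, "->", normalize_rule(rule))
```

Running it prints `a:11 - 10.1.1.1 tcp 22 -> a:11 - eth0:10.1.1.1 tcp 22`, the interpretation given in the message. The interface check is deliberately a table lookup rather than a regular expression, so an IPv6 address such as `fe80::1` is still treated as an address and gets the device prefixed.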
diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index 528c894..e3d64bf 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -258,6 +258,12 @@ sub process_tc_rule( ) {
$originalmark = join( ':', normalize_hex( $mark ),
normalize_hex( $designator ) );
fatal_error "Unknown Class ($originalmark)}" unless ( $device =
$classids{$originalmark} );
fatal_error "IFB Classes may not be specified in tcrules" if
@{$tcdevices{$device}{redirected}};
+
+ if ( $dest eq '-' ) {
+ $dest = $device;
+ } elsif ( $dest !=~ /^\a/ ) {
+ $dest = join( ':', $device, $dest );
+ }
}
$chain = 'tcpost';
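Review bot: the added `elsif ( $dest !=~ /^\a/ )` test cannot work as written. Perl has no `!=~` operator, so this parses as `$dest != ~(/^\a/)`, a numeric comparison against the bitwise complement of the match result, and `\a` inside a regex is the BEL character, so the pattern never matches a real DEST value. The negated-match operator is `!~`, and the pattern should express the intended condition, presumably "DEST does not already carry an interface qualifier"; checking the text before the first `:` against the defined interfaces would be more robust than a character-class regex, given that SOURCE/DEST interface names must be listed in /etc/shorewall/interfaces anyway. Separately, a DEST that already names an interface other than `$device` passes through untouched and yields a rule that can never match the class; a `fatal_error` in that case would surface the misconfiguration instead of silently generating a dead rule.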
Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
