On May 14, 2011, at 9:14 PM, Tom Eastep wrote:

>>
>> 2.
>> tcrules
>> bb:12 $FW +[mickey-mouse,ip-port] tcp
>>
>> "shorewall check/compile" passes, but it fails when shorewall reload/restart
>> is executed with "...Set mickey-mouse doesn't exist.". In other words,
>> shorewall doesn't capture this error. I am not sure whether shorewall used to
>> capture this before - i.e. the (non)existence of ipsets.
>
> Shorewall hasn't, doesn't and won't verify the existence of ipsets. Shorewall
> rulesets can be compiled on one system and executed on another system running
> shorewall-lite. Or, as you do, the /etc/shorewall/init file can create and
> load ipsets that don't exist before the script runs. I'm sure that if the
> Shorewall compiler generated a compile-time error or warning message about a
> missing ipset, you would be on this list pointing out how stupid the product
> is.

After thinking about this some more, it seems reasonable to issue a WARNING if:

a) The compiler is being run by root (The 'ipset' program requires that).
b) The compilation is not generating a script to be run on a remote system.
c) A named ipset does not exist on the local system.

Patch attached.

-Tom

MISSINGIPSET.patch
Description: Binary data

Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
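
The three-condition check described in the message above, as an added shell example (not Shorewall's code and not the attached patch). It assumes `ipset list -n` (ipset 6 or later) to list set names; the function names, the `IPSET_LIST` override and the warning text are hypothetical, and only the `+name` and `+[name,name]` reference forms are parsed.

```shell
#!/bin/sh
# Added example: warn about ipsets named in a Shorewall config file that
# do not exist on the local system, under conditions a) to c) of the thread.

# Print each ipset name referenced as +name or +[name1,name2] on stdin.
# Simplified parsing, assumed from the tcrules line quoted in the thread.
ipset_refs() {
    sed 's/#.*//' | tr -s ' \t' '\n' | sed -n 's/^!\{0,1\}+//p' |
    while read -r tok; do
        case $tok in
            \[*\]) tok=${tok#\[}; tok=${tok%\]}
                   echo "$tok" | tr ',' '\n' ;;
            *)     echo "${tok%%\[*}" ;;      # drop trailing [flags]
        esac
    done | grep . | sort -u
}

# Names of the ipsets present locally. IPSET_LIST (hypothetical variable)
# replaces the real command so the check can be exercised offline.
local_ipsets() { ${IPSET_LIST:-ipset list -n} 2>/dev/null; }

# check_ipsets FILE UID REMOTE: print one WARNING per missing set.
check_ipsets() {
    file=$1 uid=$2 remote=$3
    [ "$uid" -eq 0 ] || return 0        # a) ipset can only be queried as root
    [ -z "$remote" ] || return 0        # b) script is meant for another host
    have=$(local_ipsets) || return 0    # cannot list sets: stay silent
    ipset_refs < "$file" | while read -r name; do
        printf '%s\n' "$have" | grep -qxF -- "$name" ||
            echo "WARNING: ipset $name does not exist"   # c)
    done
}

# Constructed demo: the tcrules line from the thread, with only "ip-port"
# pretended to exist on this system.
demo() {
    tmp=$(mktemp) || return 1
    echo 'bb:12 $FW +[mickey-mouse,ip-port] tcp' > "$tmp"
    IPSET_LIST='echo ip-port'
    check_ipsets "$tmp" 0 ""
    rm -f "$tmp"
}
demo
```

In real use, call `check_ipsets /etc/shorewall/tcrules "$(id -u)" ""` with `IPSET_LIST` unset, and pass a non-empty third argument when the compiled script is destined for a remote system.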
