On 7/19/2014 3:47 PM, Thomas D. wrote:
> Hi,
> 
> Tom Eastep wrote:
>>> Yes -- I have reproduced it.
>>
>> And I have come up with a *much* simpler patch.
> 
> Good job!
> 
> I have verified that IPSET6b.patch is still working with linux kernel
> 3.10.49, 3.4.13 and 3.15.6!
> 
> 
> But I don't understand the patch. For me it looks like you only switched
> the
> 
>> qt( "$ipset -N $sillyname iphash" )
> 
> test with the
> 
>> qt( "$ipset -N $sillyname hash:ip family $fam")
> 
> test.
> 
> I don't understand why that makes the difference because these tests
> are connected with "||". If you have time, I would be glad if you could
> explain why testing for "hash:ip" first fixes the problem although the
> two tests are OR-connected.

Perl implements 'early out' when evaluating boolean expressions. That
means that it only evaluates terms in the expression until the final
value is determined. In the case of (a || b), if 'a' evaluates to true
then 'b' is not evaluated.

The term qt( "$ipset -N $sillyname iphash" ) always evaluates to true
and creates an ipv4 ipset. Prior to the 3.14 kernels, ip6tables commands
could use the created ipset in '-m set --match-set' clauses without
error (even though there would never be a match). Beginning with 3.14,
the address family of the ipset is checked and an error is generated:

root@jessie:~# ipset -N foo iphash
root@jessie:~# ip6tables -N foo
root@jessie:~# ip6tables -A foo -m set --match-set foo src
ip6tables v1.4.21: The protocol family of set foo is IPv4, which is not applicable.

Try `ip6tables -h' or 'ip6tables --help' for more information.
root@jessie:~#

This caused the failure. By reversing the order of the terms, an ipv6
ipset is created (if supported) and the ip6tables command succeeds.

> 
> 
> PS: If you commit this patch, you may want to add a missing space:
> 
>> if ( qt( "$ipset -N $sillyname hash:ip family $fam") [...]

Thanks!

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
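
The probe-ordering effect described in the message above, as an added example that is not Shorewall's code and not part of the original message. The qt() here is a stand-in that simulates ipset and ip6tables instead of running them; the host flags, the chain name foo and the probe() helper are assumptions made for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Simulated host state (constructed for this example; nothing is executed).
my %sets;    # set name => address family of the set that was created

# Stand-in for qt(): pretend to run a command quietly, return true on success.
sub qt {
    my ( $cmd, $host ) = @_;
    if ( $cmd =~ /^ipset -N (\S+) iphash$/ ) {
        $sets{$1} = 'inet';    # old syntax: always succeeds, always an IPv4 set
        return 1;
    }
    if ( $cmd =~ /^ipset -N (\S+) hash:ip family (\S+)$/ ) {
        return 0 unless $host->{new_syntax};    # "if supported"
        $sets{$1} = $2;
        return 1;
    }
    if ( $cmd =~ /^ip6tables -A \S+ -m set --match-set (\S+) src$/ ) {
        my $fam = $sets{$1} or return 0;
        # From 3.14 on, the family of the set is checked against the table.
        return 0 if $host->{checks_family} && $fam ne 'inet6';
        return 1;
    }
    return 0;
}

sub probe {
    my ( $order, $host ) = @_;
    %sets = ();
    my ( $name, $fam ) = ( 'sillyname', 'inet6' );
    my @terms = ( "ipset -N $name iphash", "ipset -N $name hash:ip family $fam" );
    @terms = reverse @terms if $order eq 'fixed';
    # '||' stops at the first true term, so the second ipset command may never
    # run; whichever term succeeds first decides the family of the set.
    my $created = qt( $terms[0], $host ) || qt( $terms[1], $host );
    my $usable  = $created
        && qt( "ip6tables -A foo -m set --match-set $name src", $host );
    return sprintf '%-8s set family=%-5s ip6tables rule %s',
        $order, $sets{$name} // 'none', $usable ? 'ok' : 'FAILS';
}

for my $host (
    { label => 'kernel < 3.14',             new_syntax => 1, checks_family => 0 },
    { label => 'kernel >= 3.14',            new_syntax => 1, checks_family => 1 },
    { label => 'old ipset, no hash:ip',     new_syntax => 0, checks_family => 0 },
) {
    print "$host->{label}\n";
    print '  ', probe( $_, $host ), "\n" for qw(original fixed);
}
```

Only the original order on the family-checking kernel ends with a rejected rule; on the host without hash:ip support the fixed order still falls back to iphash.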
