On 06/20/2017 11:21 PM, Norman Henderson wrote:
> Thank you for this Tom. The "persistent" option is a good help, although
> it has the side effect that on reload etc. Shorewall will try to
> re-enable the provider, which is not desirable if it is flaky e.g. can
> be enabled but won't pass traffic.
That isn't intentional. I'll take a look.
>
> The change of name from lsm to foolsm has created some issues, in my
> installation (just upgraded to 5.1.4.3) shorewall is still referring for
> example to start_lsm rather than start_foolsm. Worked around for now
> using start_lsm() { start_foolsm; } in lib.private.
lib.private is a user-supplied library. So, yes, you needed to change it
when lsm was renamed.
>
> Yes, I see that I was incorrect; foolsm can in fact ping any address.
> However, there is a statement somewhere that the source address for
> pings is always autodiscovered. If that is true, it isn't possible to
> ping from a determined interface except to an on-net address.
Not true -- you specify the interface, and the address is then
autodiscovered ON THAT INTERFACE.
>
> Adding a route for a specific target address doesn't seem like a very
> clean solution and creates other problems because the target address is
> not only for monitoring, it is also used to establish tunnels etc. and
> for those uses I need to be able to choose the "best" provider that is
> up. Furthermore that implies that I need a different target address for
> each provider, again not so good.
Any monitor that you use will have those restrictions.
>
> On the other hand, I see there is a "sourceip=" option in foolsm.conf,
> if that works then I should be OK. I am trying that but will have to
> wait for at least one of the flaky providers to come up again (!)
>
> Finally: the suggested eventscript for foolsm uses argument ${4} as the
> ${DEVICE} which is used for firewall enable / disable. I am seeing that
> when the script gets called that argument is null. I am using the
> ${NAME} instead for now, but any idea what might cause that?
>
Afraid not.
-Tom
--
Tom Eastep \ Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.org \ understand
\_______________________________________________
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
