On 8/8/2017 1:34 AM, Tom Eastep wrote:
> It
> On 08/07/2017 03:35 PM, Matt Darfeuille wrote:
>> On 8/7/2017 10:51 PM, Tom Eastep wrote:
>>> On 08/07/2017 01:45 PM, Matt Darfeuille wrote:
>>>> Hi,
>>>> My net interface gets its IP address dynamically assigned by a DHCP server.
>>>> Sometimes I need that address for SNAT, DNAT rules and so on...
>>>> I use a variable throughout Shorewall that is defined in the params file.
>>>> Every time this IP changes, I need to change it manually.
>>>> I'm currently testing the following to let Shorewall know about that new 
>>>> ip:
>>>> I have a script in /etc/dhcp/dhclient-exit-hooks that does:
>>>> case "$reason" in
>>>>     bound)
>>>>         echo "$new_ip_address" > /etc/shorewall/current_net_ip
>>>>         shorewall reload
>>>>         ;;
>>>> esac
>>>> then in /etc/shorewall/params:
>>>> CURRENT_NET_IP=$(cat /etc/shorewall/current_net_ip)
>>>> then I can use 'CURRENT_NET_IP' throughout Shorewall.
>>>> I could clearly assign a fixed address but for the sake of understanding...
>>>> Is there a better way to let Shorewall know when my net interface gets a
>>>> new IP, or is a fixed address the way to go?
>>> The best way is to use an address variable
>>> (http://www.shorewall.org/configuration_file_basics.htm#AddressVariables).
>>> You still need to use an exit-hook script though.
>> Can I use an address variable in the DEST column of the rules file?
>> /etc/shorewall/init:
>> /etc/shorewall/rules.d/DNAT.rules:
>> $ shorewall check
>>    ERROR: Unknown Host (&{NEW_IP_ADDRESS})
>> /etc/shorewall/rules.d/DNAT.rules (line 14)
>>       from /etc/shorewall/rules (line 25)
>> in 
>> I'm tired so I could be wrong!
> Address variables currently cannot be used in the DEST column of a DNAT
> rule. But to do what you want in that case, just use a REDIRECT rule.

Assuming I got my redirect rule right:


Rereading the docs, changing my configs and using the redirect rule as
you suggested, I don't even need an address variable.
Is it possible to expand an address variable in a warning or info directive?

?INFO New bound ip is &{NEW_IP_ADDRESS}

Thanks again for your help Tom.

Matt Darfeuille
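
A hardened variant of the exit hook quoted above, as an added example that is not part of the original thread: it validates the address handed over by the DHCP client before storing it, writes the file atomically, and reloads Shorewall only when the address actually changed. The function names are hypothetical, and the upper-case reason values are the ones documented in dhclient-script(8).

```shell
# Added example, not from the thread. STATE_FILE is the path used in the
# thread; the function names are hypothetical.
STATE_FILE="${STATE_FILE:-/etc/shorewall/current_net_ip}"

# Succeed only for a dotted-quad IPv4 address with every octet in 0..255.
# The body runs in a subshell, so the IFS change does not leak to the caller.
is_ipv4() (
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;;
    esac
    IFS=.
    set -- $1
    [ "$#" -eq 4 ] || exit 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || exit 1
    done
)

# Store address $1 in file $2.
# Returns 0 = stored (reload needed), 1 = unchanged, 2 = rejected or write failed.
update_current_ip() {
    new_ip=$1
    file=$2
    is_ipv4 "$new_ip" || return 2
    if [ -r "$file" ] && [ "$(cat "$file")" = "$new_ip" ]; then
        return 1
    fi
    # Write to a temporary file in the same directory, then rename, so a
    # concurrent "shorewall reload" never reads a half-written value.
    tmp=$(mktemp "${file}.XXXXXX") || return 2
    if printf '%s\n' "$new_ip" > "$tmp" && mv -f "$tmp" "$file"; then
        return 0
    fi
    rm -f "$tmp"
    return 2
}

# dhclient-script sources this file with $reason and $new_ip_address set.
# The thread's script matches "bound"; dhclient-script(8) lists the reasons
# in upper case, so both spellings are accepted here.
case "${reason:-}" in
    bound|BOUND|RENEW|REBIND|REBOOT)
        rc=0
        update_current_ip "${new_ip_address:-}" "$STATE_FILE" || rc=$?
        case "$rc" in
            0) shorewall reload ;;
            2) logger -t dhclient-exit-hook "address rejected, Shorewall not reloaded" ;;
        esac
        ;;
esac
```
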

Shorewall-users mailing list