On 8/8/2017 11:25 PM, Tom Eastep wrote: > On 08/08/2017 11:06 AM, Matt Darfeuille wrote: >> On 8/8/2017 1:34 AM, Tom Eastep wrote: >>> It >>> On 08/07/2017 03:35 PM, Matt Darfeuille wrote: >>>> >>>> >>>> On 8/7/2017 10:51 PM, Tom Eastep wrote: >>>>> On 08/07/2017 01:45 PM, Matt Darfeuille wrote: >>>>>> Hi, >>>>>> >>>>>> My net interface gets it's ip address dinamically asigned by a dhcp >>>>>> server. >>>>>> Sometime I need that address for SNAT, DNAT rules and so on... >>>>>> I use a variable throughout Shorewall that is defined in the params file. >>>>>> Everytime that this ip change, I need to change it manually. >>>>>> >>>>>> I'm currently testing the following to let Shorewall know about that new >>>>>> ip: >>>>>> >>>>>> I have a script in /etc/dhcp/dhclient-exit-hooks that do: >>>>>> >>>>>> case $reason in >>>>>> bound) >>>>>> echo $new_ip_address > /etc/shorewall/current_net_ip >>>>>> shorewall reload >>>>>> ;; >>>>>> esac >>>>>> >>>>>> then in /etc/shorewall/params: >>>>>> >>>>>> CURRENT_NET_IP=$(cat /etc/shorewall/current_net_ip) >>>>>> >>>>>> then I can use 'CURRENT_NET_Ip' throughout Shorewall. >>>>>> >>>>>> I could clearly asign a fix address but for the sake of understanding... >>>>>> Is there a better way to let shorewall know when my net interface gets a >>>>>> new ip or fix address is the way to go? >>>>> >>>>> The best way is to use an address variable >>>>> (http://www.shorewall.org/configuration_file_basics.htm#AddressVariables). >>>>> You still need to use an exit-hook script though. >>>>> >>>> >>>> Can I use address variable in the DEST column of the rules file? >>>> >>>> /etc/shorewall/init: >>>> >>>> NEW_IP_ADDRESS=<IP-ADDRESS> >>>> >>>> /etc/shorewall/rules.d/DNAT.rules: >>>> >>>> DNAT net:$REMOTE_MANAGEMENT_IP $FW:&{NEW_IP_ADDRESS} tcp 22 >>>> >>>> $ shorewall check >>>> >>>> ERROR: Unknown Host (&{NEW_IP_ADDRESS}) >>>> /etc/shorewall/rules.d/DNAT.rules (line 14) >>>> from /etc/shorewall/rules (line 25) >>>> in >>>> I'm tired so I could be rong! >>> >>> Address variables currently cannot be used in the DEST column of a DNAT >>> rule. But to do what you want in that case, just use a REDIRECT rule. >>>
Thanks Tom for implementing that in 5.1.6-RC1! If I have the following in the rules file: DNAT net:$REMOTE_MANAGEMENT_IP $FW:&enp1s0 tcp 22 I get the following: Aug 14 14:43:47 ERROR: Can't determine the IP address of enp1s0 What do you recommend?: - Keeping what I'm currently doing (echo the ip to a file then cat that file). - Delay the start of shorewall. - An other approach. >> >> Assuming I got my redirect rule right: >> >> REDIRECT net:$REMOTE_MANAGEMENT_IP 22 tcp >> >> Rereading the docs, changing my configs and using the redirect rule as >> you suggested I don't even need address variable. >> Is it possible to expend address variable in a warning or info directives?: >> >> ?INFO New bound ip is &{NEW_IP_ADDRESS} >> > > No, because the value of an address variable is determined at run-time > while the ?INFO and ?WARNING directives are processed at compile-time. > Finally got it! :) -Matt -- Matt Darfeuille ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot _______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users