On 12/20/2017 09:33 AM, Brian J. Murrell wrote:
> Trying to use some of the techniques explained on:
>
> http://shorewall.net/configuration_file_basics.htm
>
> am I misunderstanding run-time address variables?
>
> I have /etc/shorewall6/init:
>
> INT_SRV_ALL_SRCS=$(ip -6 addr ls br-lan | sed -n -e '/fe80::/d' -e '/fd31:/d'
> -e '/::1\/128/d' -e 's/::1\/[0-9]*/::2/g' -e '/ *inet6 /{s/ *inet6 \(.*\)
> scope .*$/\1,/;H}' -e '${g;s/\n//g;s/,$//;p}')
> INT_SRV_ALL_DSTS=loc:$INT_SRV_ALL_SRCS
>
> To save you the trouble, the $() evaluates to a comma separated list of
> addresses such as
> 2607:1234:5678:cd00::2,2001:5432:9876:6700::2,2001:bad:beef::2
>
> I have in /etc/shorewall6/rules:
>
> Auth/ACCEPT net &{INT_SRV_ALL_DSTS}
>
> But when I try to compile I get:
>
> Compiling /etc/shorewall6/gw-Reboot/rules...
>    ERROR: Unknown destination zone (&{INT_SRV_ALL_DSTS})
> /usr/share/shorewall/macro.Auth (line 9)
>       from /etc/shorewall6/gw-Reboot/rules (line 83)
>
> I have tried simplifying and assigning INT_SRV_ALL_DSTS directly with
> the much more simple:
>
> INT_SRV_ALL_DSTS=loc:2607:1234:5678:cd00::2,2001:5432:9876:6700::2,2001:bad:beef::2
>
> but get the same error.
>
> This is with shorewall-5.0.14.1.
>
> It's probably obvious but the goal here is to push as much of the "what
> is the current networking state -- IP addresses, gateways, etc." out to
> the shorewall-lite machine and have the state evaluated at each policy
> [re-]load so that it's much more flexible to networking configuration
> changing.
>
Two problems:

a) You need to specify a destination zone; that's why you are getting
   the error.

b) Once you fix that, you will still get an error because each runtime
   address variable may hold exactly *one* ip address. And given that
   this is IPv6, the variable must be enclosed in square brackets.

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
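
An added example, not part of the thread and not Shorewall's own code: one way to honour the one-address-per-variable constraint from the reply above is to split the comma-separated list into one shell variable per address before any rule refers to it. The function names `split_addrs` and `is_single_addr` and the `INT_SRV_DST` prefix are hypothetical; the sample list is the one quoted in the question.

```shell
#!/bin/sh
# Added example, not from the thread or from Shorewall. split_addrs,
# is_single_addr and the INT_SRV_DST prefix are hypothetical names.

# Succeed only for one bare IPv6-looking token: hex digits and colons with
# at least one colon. Deliberately loose; it rejects lists, a "zone:" prefix
# and a /prefix-length, which is the constraint at issue here.
is_single_addr() {
    case $1 in
        ''|*[!0-9A-Fa-f:]*) return 1 ;;
        *:*) return 0 ;;
        *) return 1 ;;
    esac
}

# split_addrs PREFIX LIST
# Sets PREFIX_1 .. PREFIX_n (one address each) and PREFIX_COUNT.
# Returns 1 on the first entry that is not a single address, 2 on a bad PREFIX.
split_addrs() {
    _prefix=$1
    _rest=$2
    _n=0
    case $_prefix in
        ''|[0-9]*|*[!A-Za-z0-9_]*) return 2 ;;   # keep the eval below safe
    esac
    while [ -n "$_rest" ]; do
        _addr=${_rest%%,*}                       # first entry of the list
        case $_rest in
            *,*) _rest=${_rest#*,} ;;            # drop it and its comma
            *)   _rest= ;;
        esac
        if ! is_single_addr "$_addr"; then
            echo "not a single address: '$_addr'" >&2
            return 1
        fi
        _n=$((_n + 1))
        eval "${_prefix}_${_n}=\$_addr"
    done
    eval "${_prefix}_COUNT=\$_n"
}

# The list quoted in the question, used here as sample input.
SAMPLE=2607:1234:5678:cd00::2,2001:5432:9876:6700::2,2001:bad:beef::2
if split_addrs INT_SRV_DST "$SAMPLE"; then
    echo "$INT_SRV_DST_COUNT variables; first holds $INT_SRV_DST_1"
fi
```

Each resulting variable is then referenced on its own in the rules file, after a destination zone and inside square brackets, as the reply requires.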