Steven Jan Springl wrote:
> Tom
>
> I have just been doing some testing of NOTRACK and have come across a
> discrepancy.
> The NOTRACK manual page states that only addresses are allowed in the
> DESTINATION column, while two shorewall compiler messages suggest that an
> interface is also allowed. Additionally Shorewall allows an interface to be
> coded, but then generates an invalid iptables rule.
>
> EG coding:
>
> lan:eth0 zzz
>
> produces the message:
>
> ERROR: Unknown interface (zzz) ....
>
> If I code both an interface and an IP address:
>
> lan:eth0 eth0:1.2.3.4
>
> this produces the message:
>
> ERROR: DEST interface may not be specified with a destination IP address in
> the PREROUTING chain ...
>
> If I then code a valid interface:
>
> lan:eth0 eth0
>
> the following invalid rule is generated:
>
> -A lan_notrk -i eth0 -d ETH0_NETWORKS -j NOTRACK

Fixed by r9831. A destination interface name should actually work in the
PREROUTING case but I despair of trying to explain the limitations to people.
It is just easier to scare them off by telling them that it isn't allowed.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
_______________________________________________ Shorewall-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-devel
