Hi -

I have an issue in shorewall6 using a provider with the "local" option - the
intended use is ipv6 TPROXY for squid.

The providers entry is:

    Squid 1 1 - lo - local

When starting shorewall6, the compiled rule attempts to add a route for 0.0.0.0/0 -
however ip6tables rejects this as an invalid address.

Looking at Shorewall/Providers.pm, 0.0.0.0/0 is hardcoded as the global address.
I avoided the issue by adding an alternative Providers.pm with the address as
::0/0, and making the shorewall6 script refer to a copy of compiler.pl with
adjusted include path to prefer this version. This isn't particularly pretty as
a fix!

This was found on 4.4.17 (Debian wheezy's), but it looks to me like it is also
in 4.4.18-Beta1.

I don't know what the best proper fix would be. If this is an isolated example
of ipv4/ipv6 compatibility trouble, then perhaps the global address could be
supplied from the shorewall/shorewall6 scripts themselves, per the iptables
command. If it isn't, possibly a neater version of the include path selection I
used would be better. If there is a consensus, I could concoct an appropriate
patch.

Regards,
Dominic
_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel