Hi.
After 'shorewall safe-restart' without confirmation, shorewall runs the .safe
script, which feeds iptables with the .safe-iptables rules.
Unfortunately, there is a case when it does not restore valid rules
(active before safe-restart), i.e. those with -g (--goto) instead of -j
(--jump).
These are removed from the iptables-save output (while creating
.safe-restart), I suppose by the awk fragment (lib.cli):
    #
    # The 'awk' hack that compensates for bugs in iptables-save (or rather
    # in the extension modules).
    #
    iptablesbug()
    {
        if qt mywhich awk ; then
            awk 'BEGIN { sline=""; };\
            /^-j/ { print sline $0; next };\
            /-m policy.*-j/ { print $0; next };\
            /-m policy/ { sline=$0; next };\
            /--mask ff/ { sub( /--mask ff/, "--mask 0xff" ) };\
            { print ; sline="" }'
        else
            echo " WARNING: You don't have 'awk' on this system so the
output of the save command may be unusable" >&2
            cat
        fi
    }
My iptables-save output has a rule:
    -A eth2_fwd -s X.X.X.X/24 -m policy --dir in --pol ipsec -g AAA_frwd
I'm not sure: is this (as the comment in lib.cli says) a bug in the iptables
module, or maybe in shorewall?
TIA,
Richard.
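The following is an added example, not code from the post above or from shorewall itself. It runs the awk program quoted from lib.cli (with its backslash line continuations dropped, which awk does not need) over a constructed iptables-save snippet, shows that a "-m policy ... -g TARGET" rule is silently stored in sline and then discarded when the next line arrives, and places a variant beside it that treats -g (--goto) the same way as -j (--jump). The sample rules, the chain and target names, and the "-[jg]" pattern are all this example's assumptions; the split-line case that the original hack was written for (the "-j" half of a rule on its own line) is not reproduced here. The mask rewrite is kept only to confirm the variant does not disturb the rest of the filter.

```shell
#!/bin/sh
# Constructed iptables-save excerpt (not real captured output). The second
# rule uses -g (--goto) instead of -j (--jump); the last rule exercises the
# "--mask ff" rewrite so we can see the rest of the filter still works.
SAMPLE_SAVE='-A eth2_fwd -s 10.0.0.0/24 -m policy --dir in --pol ipsec -j AAA_frwd
-A eth2_fwd -s 10.0.1.0/24 -m policy --dir in --pol ipsec -g AAA_frwd
-A eth2_fwd -p esp -j ACCEPT
-A OUTPUT -m mark --mask ff -j RETURN
COMMIT'

# The awk program from lib.cli as quoted in the post (continuations dropped).
# A "-m policy" line without "-j" is parked in sline, waiting for a "^-j"
# continuation line; any other line prints and resets sline, so a parked
# "-g" rule is lost.
iptablesbug_orig() {
    awk 'BEGIN { sline="" }
         /^-j/ { print sline $0; next }
         /-m policy.*-j/ { print $0; next }
         /-m policy/ { sline=$0; next }
         /--mask ff/ { sub( /--mask ff/, "--mask 0xff" ) }
         { print ; sline="" }'
}

# Assumed variant (this example's suggestion, not a shorewall change):
# accept "-g" wherever the original accepts "-j", so a goto rule is printed
# immediately instead of being parked. Note "-[jg]" also matches the long
# forms "--jump" and "--goto", as the original "-j" matched "--jump".
iptablesbug_fixed() {
    awk 'BEGIN { sline="" }
         /^-[jg]/ { print sline $0; next }
         /-m policy.*-[jg]/ { print $0; next }
         /-m policy/ { sline=$0; next }
         /--mask ff/ { sub( /--mask ff/, "--mask 0xff" ) }
         { print ; sline="" }'
}

# Feed the constructed save output through either filter.
run_orig()  { printf '%s\n' "$SAMPLE_SAVE" | iptablesbug_orig; }
run_fixed() { printf '%s\n' "$SAMPLE_SAVE" | iptablesbug_fixed; }

# Helpers that return numbers (via stdout) so the outcome can be checked:
# total lines that survive the filter, and how many carry a -g target.
count_rules() { "$1" | awk 'END { print NR }'; }
count_goto()  { "$1" | awk '/ -g / { n++ } END { print n+0 }'; }
# Exit status 0 when the mask rewrite produced "--mask 0xff".
has_hex_mask() { "$1" | grep -q -- '--mask 0xff'; }

echo "== original filter (goto rule disappears) =="
run_orig
echo "== filter accepting -g as well as -j =="
run_fixed
echo "original keeps $(count_rules run_orig) of 5 lines, $(count_goto run_orig) goto rules"
echo "variant  keeps $(count_rules run_fixed) of 5 lines, $(count_goto run_fixed) goto rules"
```

Running it shows the original filter emitting four of the five lines with the -g rule missing, while the variant emits all five; both still turn "--mask ff" into "--mask 0xff". Whether the dropped rule is itself a symptom of an iptables-save quirk that the hack was compensating for is exactly the question the post raises; the example only makes the loss visible on a known input.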
Shorewall-devel mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-devel