On 03/08/2013 07:37 PM, Mr Dash Four wrote:
> I haven't tested this yet - just want to make sure that I understand the
> whole thing.
>
> The purpose of DUPLICATE is to copy across all routes (incl. blackhole
> ones) for the specified INTERFACE to the new PROVIDER table, including
> also all routes for interfaces specified in the COPY column (the dash
> ("-") in DUPLICATE/COPY being a special case, so I won't deal with this
> scenario right now), is that right?

Yes.

>
> If so, then by looking at your patch, if "none" is specified, then no
> copy takes place (then, I assume the COPY *should* also contain "none",
> right?).

My patch allows 'none' in the COPY column when '-' appears in the
DUPLICATE column.

> However, if a value is specified (either a number or a name),
> then that (existing) table is used as source. Have I got this right?

Yes.

>
> If so, if the value specified in DUPLICATE is wrong (in other words,
> that table isn't specified in "providers" and does not exist in
> /etc/iproute2/rt_tables either), in which case shorewall can't copy
> anything, then why not issue an error and stop processing? have I missed
> anything?

When compiling for export, the remote firewall's /etc/iproute2/rt_tables
isn't available at compile time, so no check is possible in that case.

Also, the /etc/iproute2/rt_tables file is shared by IPv4 and IPv6.
Here's the one from my firewall:

#
# reserved values
#
255     local
254     main
253     default
250     balance
0       unspec
#
# local
#
1       ComcastB
2       ComcastC
3       TProxy
4       HE2
5       HE1
6       6to4

Tables 1 - 3 are IPv4 while tables 4-6 are IPv6. So if I place HE2 in
the DUPLICATE column of /etc/shorewall/providers, a check against
/etc/iproute2/rt_tables will succeed but no routes will ever be copied.

So I still favor issuing a warning if the DUPLICATE column contains
anything but '-', 'main' or a provider name/number that appears in an
earlier entry.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
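Added example (not part of the message above and not Shorewall's own Perl code): a sketch of the warning rule proposed in the reply, showing that HE2 passes a lookup in the shared rt_tables file but is still flagged when only '-', 'main' and earlier provider entries are accepted. The providers rows, the names Backup and Later, the function names and the column order (NAME NUMBER MARK DUPLICATE ...) are assumptions made for the illustration.

```python
# Constructed sample data; the check is an illustration, not Shorewall's code.
RT_TABLES = """\
255 local
254 main
253 default
250 balance
0 unspec
1 ComcastB
2 ComcastC
3 TProxy
4 HE2
5 HE1
6 6to4
"""

# Assumed column order: NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
PROVIDERS_V4 = """\
#NAME    NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
ComcastB 1      1    main      eth0      detect  -       -
ComcastC 2      2    ComcastB  eth1      detect  -       -
TProxy   3      -    HE2       lo        -       -       -
Backup   7      4    Later     eth2      detect  -       -
Later    8      5    -         eth3      detect  -       -
"""

def fields_of(line):
    """Split one config line into columns, dropping '#' comments."""
    return line.split("#", 1)[0].split()

def rt_table_ids(text):
    """Every table number and name present in an rt_tables file."""
    return {f for line in text.splitlines() for f in fields_of(line)[:2]}

def duplicate_warnings(providers_text):
    """(provider, DUPLICATE) pairs that are not '-', 'main' or an earlier provider."""
    earlier, warnings = set(), []
    for line in providers_text.splitlines():
        cols = fields_of(line)
        if len(cols) < 4:
            continue  # blank, comment-only or truncated line
        name, number, duplicate = cols[0], cols[1], cols[3]
        if duplicate not in ("-", "main") and duplicate not in earlier:
            warnings.append((name, duplicate))
        earlier.update((name, number))  # visible to later entries only
    return warnings

if __name__ == "__main__":
    print("HE2 in rt_tables:", "HE2" in rt_table_ids(RT_TABLES))
    for name, dup in duplicate_warnings(PROVIDERS_V4):
        print(f"WARNING: provider {name}: unknown routing table ({dup}) in DUPLICATE")
```

The rule needs only the providers file itself, so it also works when compiling for export, where the remote rt_tables is not available.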
