>> routes
>> ~~~~
>> main 10.0.0.0/8 blackhole
>> main 10.0.0.0/8 prohibit
>>
>> generates:
>>
>> run_ip route add blackhole 10.0.0.0/8 table 254
>> run_ip route add prohibit 10.0.0.0/8 table 254
>>
>> That is not going to work (ip will complain that the route already
>> exists). A much cleaner solution to this would be if shorewall could
>> spot the overlap during compile time (don't know how doable that would
>> be), or, if that is not possible, to change "add" with replace, in which
>> case the latest route added will take precedence.
>>
>
> The attached patch replaces 'add' with 'replace'.
>

I don't like this very much, if I am being honest. Debugging iptables rules is hard enough, but tracing routing is even harder. Even though I suggested the 'replace' solution, I was hoping that shorewall would be able to get this checked at source, if possible. To me it doesn't require anything sophisticated - an exact match (i.e. a string comparison of sorts) is all that is required.
If a 'replace' instead of shorewall error-checking is adopted, then identical routes will be swallowed silently, and then finding what went wrong (if it does) will be much harder.

_______________________________________________
Shorewall-devel mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
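The compile-time exact-match check the reply asks for, as an added example that is not Shorewall's own code: it parses entries like the ones quoted above, refuses a second route for the same table and destination before any `ip` command is emitted, and only falls back to `replace` when the check is explicitly disabled. It assumes a three-column `TABLE DESTINATION TYPE` entry format and that the table name `main` maps to Linux routing table 254 (both assumptions, not taken from the thread).

```python
"""Compile-time overlap check for a 'routes'-style file (added example,
not Shorewall code). Assumed entry format: TABLE DESTINATION TYPE."""

# Constructed sample input reproducing the two entries quoted in the thread.
ROUTES_SAMPLE = """\
main 10.0.0.0/8 blackhole
main 10.0.0.0/8 prohibit
"""

TABLE_IDS = {"main": 254}  # assumed table-name -> table-id mapping


class RouteConflict(ValueError):
    """Raised when two entries install a route for the same (table, dest)."""


def parse_routes(text):
    """Split the file into (lineno, table, dest, type) tuples, ignoring
    blank lines and '#' comments."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 'TABLE DEST TYPE'")
        table, dest, rtype = parts
        entries.append((lineno, table, dest, rtype))
    return entries


def check_overlaps(entries):
    """Exact-match check: the same destination in the same table twice is a
    compile error, reported against both offending lines."""
    seen = {}
    for lineno, table, dest, _ in entries:
        key = (table, dest)
        if key in seen:
            raise RouteConflict(f"line {lineno}: route {dest} in table {table} "
                                f"already defined on line {seen[key]}")
        seen[key] = lineno


def compile_routes(text, strict=True):
    """Return the run_ip commands. strict=True rejects duplicates at compile
    time instead of letting 'add' fail or 'replace' silently win at run time."""
    entries = parse_routes(text)
    if strict:
        check_overlaps(entries)
    verb = "add" if strict else "replace"
    return [f"run_ip route {verb} {rtype} {dest} table {TABLE_IDS[table]}"
            for _, table, dest, rtype in entries]
```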
