On 03/23/2013 05:53 PM, Mr Dash Four wrote:
>
>>> routes
>>> ~~~~
>>> main 10.0.0.0/8 blackhole
>>> main 10.0.0.0/8 prohibit
>>>
>>> generates:
>>>
>>> run_ip route add blackhole 10.0.0.0/8 table 254
>>> run_ip route add prohibit 10.0.0.0/8 table 254
>>>
>>> That is not going to work (ip will complain that the route already
>>> exists). A much cleaner solution to this would be if shorewall could
>>> spot the overlap during compile time (don't know how doable that would
>>> be), or, if that is not possible, to change "add" with replace, in which
>>> case the latest route added will take precedence.
>>>
>>
>> The attached patch replaces 'add' with 'replace'.
>>
> I don't like this very much, if I am being honest. Debugging ip tables
> rules is hard enough, but tracing routing is even harder. Even though I
> suggested the 'replace' solution, I was hoping that shorewall would be
> able to get this checked at source, if possible. To me it doesn't
> require anything sophisticated - an exact match (i.e. a string
> comparison of sorts) is all that is required.
>
> If a 'replace' instead of shorewall error-checking is adopted, then
> identical routes will be swallowed silently, and to then find what went
> wrong (if it does) will be much harder.
Please see my later post, which included a patch that implements duplicate destination detection.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
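The check the thread asks for, as an added illustration that is not Shorewall's own compiler (which is written in Perl) and not the patch Tom refers to: a small POSIX sh routine that reads a routes file, keys each entry on (table, destination) after mapping table names to the numeric ids ip(8) uses, and rejects a repeated key at "compile" time rather than letting `ip route add` fail at run time or `replace` silently discard the earlier route. The sample routes file, the table-name map, the function names and the emitted command format are assumptions made for this example.

```shell
#!/bin/sh
# Added illustration of compile-time duplicate-destination detection for a
# Shorewall-style "routes" file. Not Shorewall's own compiler and not the
# patch discussed in the thread; the sample file, the TABLE->id map and the
# emitted command format are assumptions made for this example.

# Constructed sample of a routes file: TABLE DESTINATION TARGET, one per line.
# The second line repeats the first line's destination in the same table.
SAMPLE_ROUTES='main 10.0.0.0/8 blackhole
main 10.0.0.0/8 prohibit
main 192.168.1.0/24 192.168.1.1
100 10.0.0.0/8 blackhole'

# Map a table name to the numeric id that ip(8) uses, so that "main" and
# "254" are recognised as the same table (ids from the stock rt_tables file).
table_id() {
    case "$1" in
        main)    echo 254 ;;
        default) echo 253 ;;
        local)   echo 255 ;;
        *)       echo "$1" ;;
    esac
}

# Read a routes file on stdin. Emit one "run_ip route add" line per unique
# (table, destination) pair on stdout; report every repeat of a pair already
# seen to stderr and return 1 so the compile fails instead of `ip` failing
# at run time or `replace` silently dropping the earlier route.
# The match is an exact string comparison of the destination, as proposed
# in the thread; 10.0.0.0/8 and 10.0.0.0/9 are therefore distinct keys.
check_routes() {
    seen=""
    status=0
    while read -r table dest target; do
        [ -z "$table" ] && continue             # blank line
        case "$table" in "#"*) continue ;; esac  # comment line
        id=$(table_id "$table")
        key="|$id $dest|"
        case "$seen" in
            *"$key"*)
                echo "ERROR: duplicate route for $dest in table $table ($id)" >&2
                status=1
                continue ;;
        esac
        seen="$seen$key"
        case "$target" in
            blackhole|prohibit|unreachable|throw)
                echo "run_ip route add $target $dest table $id" ;;
            *)
                echo "run_ip route add $dest via $target table $id" ;;
        esac
    done
    return $status
}

# Stand-alone demo: the sample above is rejected with one duplicate reported.
if printf '%s\n' "$SAMPLE_ROUTES" | check_routes; then
    echo "routes compiled cleanly"
else
    echo "routes rejected at compile time" >&2
fi
```

The key is (table, destination) rather than the whole line because that is what `ip route add` conflicts on: a second entry for the same destination in the same table is refused whatever its target, so a blackhole and a prohibit for 10.0.0.0/8 in table 254 must be caught even though the lines differ. Mapping "main" to 254 before comparing keeps a route written against the name from slipping past one written against the number. An exact string match deliberately does not catch overlapping prefixes or alternative spellings of the same prefix, which is the limit the thread accepted when it asked for "an exact match".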
_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
