On 04/29/2013 09:26 AM, Dash Four wrote:
>
> Tom Eastep wrote:
>>> Or maybe this:
>>>
>>> ?SET @chain $2 ? (($2 == 'caller') ? @caller : $2) : " "
>>>
>>> So that I keep the ability to set the chain to what I want to (different
>>> from "@caller")?
>>>
>>
>> This is the correct approach. @caller has been supported since Shorewall
>> 4.5.13.
>>
>> Action variables and Shorewall variables are documented at
>> http://www.shorewall.net/configuration_file_basics.htm#ActionVariables
>> (and in the following section).
>>
> Yeah, I successfully implemented that over the weekend, thanks Tom. I
> have a few more queries though (in addition to the "providers->track
> option question" I posted on shorewall-users):
>
> 1. man shorewall-rtrules->PRIORITY: The explanation of this column makes
> a reference to "ISP interface rules" in the context of priority numbers
> 26000-26999: "...After ISP interface rules but before 'default' rule".
> What is that, exactly? Could you clarify this definition please? Is this
> the 'main' routing table?
I should reword that. 'ISP interface rules' are generated when 'loose' is
not specified. Those rules cause traffic originating on the firewall to be
routed to providers based on the source address. In other words, if the
packet's SOURCE address is associated with a provider interface, then the
packet should be routed out of that interface.

> 2. The same man page->SOURCE: "Beginning with Shorewall 4.5.0, you may
> specify &interface in this column to indicate that the source is the
> primary IP address of the named interface". Again, what does that mean?
> With "&interface", if used, I am "indicating" an interface, not a
> "primary IP address", so how does that work then?

See http://www.shorewall.net/configuration_file_basics.htm#AddressVariables.

> 3. How do I add a "default" route in "routes"?

You don't -- Shorewall generates the default routes based on the provider
GATEWAY (specified or detected).

> 4. Similar to 3 above: how do I add, say "10.1.7.0/24 dev eth0 proto
> kernel scope link src 10.1.7.7 table dmz7" in routes (needed when a
> device is brought up, but that route is normally placed in 'main' by the
> OS)? The reason I ask this is because I have a rule based on this
> interface source address (i.e. "ip rule add from 10.1.7.7 table dmz7")
> so I need to have this rule in my dmz7 table, not 'main'.

#PROVIDER    DEST          GATEWAY    DEVICE
dmz7         10.1.7.0/24   -          eth0

Shorewall will choose the primary IP address of eth0 as the route source. It
shouldn't be difficult to add a SOURCE column if that is needed, but I won't
do that until 4.5.17.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
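Putting the answers to questions 2 and 4 together, here is an added illustration that is not Shorewall's own code and not its compiler's actual output: a small POSIX shell script that turns a `routes` line (PROVIDER DEST GATEWAY DEVICE) and an `rtrules` line (SOURCE DEST PROVIDER PRIORITY) into the `ip` commands they correspond to. It assumes that `-` in GATEWAY means an on-link route, that the device's primary address is passed in explicitly (the real compiler reads it from the interface) and is used both as the route source and as the expansion of `&eth0`, and that the exact `ip` command forms shown are what Shorewall emits.

```shell
#!/bin/sh
# Added illustration, not Shorewall's compiler. Primary address is an
# explicit argument so the script runs without a real eth0 (assumption).

# routes_to_ip PROVIDER DEST GATEWAY DEVICE PRIMARY_ADDR
# Emits the `ip route` command for one 'routes' line. GATEWAY '-' means an
# on-link route; the primary address of DEVICE becomes the route source,
# as in Tom's answer to question 4.
routes_to_ip() {
    provider=$1 dest=$2 gateway=$3 device=$4 src=$5
    if [ "$gateway" = "-" ]; then
        printf 'ip -4 route add %s dev %s src %s table %s\n' \
            "$dest" "$device" "$src" "$provider"
    else
        printf 'ip -4 route add %s via %s dev %s src %s table %s\n' \
            "$dest" "$gateway" "$device" "$src" "$provider"
    fi
}

# rtrule_to_ip SOURCE DEST PROVIDER PRIORITY PRIMARY_ADDR
# Emits the `ip rule` command for one 'rtrules' line. A SOURCE written as
# &DEVICE (question 2) is replaced by the device's primary address; '-'
# in SOURCE or DEST means "unspecified" and the clause is omitted.
rtrule_to_ip() {
    source=$1 dest=$2 provider=$3 priority=$4 addr=$5
    cmd="ip -4 rule add"
    case $source in
        -) ;;                               # no source match
        "&"*) cmd="$cmd from $addr" ;;      # &eth0 -> primary address
        *) cmd="$cmd from $source" ;;
    esac
    [ "$dest" != "-" ] && cmd="$cmd to $dest"
    printf '%s table %s priority %s\n' "$cmd" "$provider" "$priority"
}

# Constructed sample: the dmz7 entries from the thread, priority chosen
# in the 26000-26999 band the man page describes.
routes_to_ip dmz7 10.1.7.0/24 - eth0 10.1.7.7
rtrule_to_ip '&eth0' - dmz7 26500 10.1.7.7
```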
