hi,

I found that the documentation from 

http://www.shorewall.net/manpages6/shorewall6-hosts.html

is either a bit misleading or my English is not good enough.

"
The name of an interface defined in the shorewall6-interfaces(5) file followed 
by a colon (":") and a comma-separated list whose elements are either:

a. The IPv6 address of a host.
"

I tried modifying the shorewall6/hosts file in different ways, like

    vpni        eth0:::/0                    mss=1300
    vpni        eth0:2001:4d81:0:1::/64      mss=1300
    vpni        eth0:2001:4d81:0:1:141::2    mss=1300
    vpni        eth0:,2001:4d81:0:1:141::2   mss=1300

but they generate errors like

    ERROR: Invalid HOST(S) column contents: eth0:2001:4d81:0:1:141::2 /etc/shorewall6/hosts (line 12)

looking closer into Shorewall/Zones.pm, the parsing function looks like this:


    } elsif ( $hosts =~ /^([\w.@%-]+\+?):<(.*)>$/               ||
              $hosts =~ /^([\w.@%-]+\+?)\[(.*)\]$/              ||
              $hosts =~ /^([\w.@%-]+\+?):(!?\[.+\](?:\/\d+)?)$/ ||
              $hosts =~ /^([\w.@%-]+\+?):(!?\+.*)$/             ||
              $hosts =~ /^([\w.@%-]+\+?):(dynamic)$/ ) {
        $interface = $1;
        $hosts = $2;
    } else {
        fatal_error "Invalid HOST(S) column contents: $hosts"
    }

I can't see the regexp that would take an interface followed by : and an ipv6

my rule was accepted if written like

    vpni        eth0:<::/0>          mss=1300

or

    vpni        eth0[::/0]           mss=1300

but none of these is covered in the manual page referenced above.

I am using shorewall-5.0.11 (latest stable version available in gentoo)

so is there an error in the manual or in the code that does the parsing?
more importantly which syntax is considered to be more future-proof as far as 
shorewall is concerned?

cheers,
peter

-- 
petre rodan
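
The five alternatives quoted from Zones.pm can be run against the HOST(S) entries listed in the message to see which forms they accept. This is an added example, not part of the original message or of Shorewall's code: a Python port of the quoted patterns, where the function name, the labels and the bracketed sample entry are assumptions made here.

```python
import re

# The five alternatives quoted from Shorewall/Zones.pm, ported from Perl to
# Python's re syntax. The labels are descriptive names added for this example.
HOST_PATTERNS = [
    ("iface:<list>",   re.compile(r'^([\w.@%-]+\+?):<(.*)>$')),
    ("iface[list]",    re.compile(r'^([\w.@%-]+\+?)\[(.*)\]$')),
    ("iface:[addr]/n", re.compile(r'^([\w.@%-]+\+?):(!?\[.+\](?:/\d+)?)$')),
    ("iface:+name",    re.compile(r'^([\w.@%-]+\+?):(!?\+.*)$')),
    ("iface:dynamic",  re.compile(r'^([\w.@%-]+\+?):(dynamic)$')),
]

def split_hosts_column(hosts):
    """Return (label, interface, hosts) for the first matching alternative,
    or None where the quoted code would call fatal_error."""
    for label, pattern in HOST_PATTERNS:
        m = pattern.match(hosts)
        if m:
            return label, m.group(1), m.group(2)
    return None

# Entries from the message, plus one constructed entry (the last) that
# exercises the third alternative with a bracketed address and prefix length.
SAMPLES = [
    "eth0:::/0",
    "eth0:2001:4d81:0:1::/64",
    "eth0:2001:4d81:0:1:141::2",
    "eth0:,2001:4d81:0:1:141::2",
    "eth0:<::/0>",
    "eth0[::/0]",
    "eth0:[2001:4d81:0:1::]/64",   # constructed sample, not from the message
]

if __name__ == "__main__":
    for entry in SAMPLES:
        result = split_hosts_column(entry)
        if result is None:
            print(f"{entry:30} -> Invalid HOST(S) column contents")
        else:
            label, iface, hosts = result
            print(f"{entry:30} -> {label}: interface={iface} hosts={hosts}")
```

Every alternative requires `<`, `[`, `+` or the word `dynamic` directly after the interface name, so a bare IPv6 address after `eth0:` falls through to the error branch.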
