Artur Uszyński wrote:
>
> I have several suggestions:
> 1. the patches in the attachment (add provider match requirement), they
> are for shorewall 4.0.3
I prefer the attached patch that expands a missing destination ( '-' ) to
0.0.0.0/0.
>
> 2. Maybe the procedure should be split up in two stages (two loops) -
> the first would delete rules and the second would add them ?
I don't think that's necessary with the attached patch.
>
> 3. Is that delete-before-add behaviour really needed ? Rule list seems
> to be cleaned up during shorewall start/restart/refresh anyway (by
> generated undo_routing script) ...
It's entirely possible that we can remove the 'delete-before-add' stuff now
that Shorewall tries to undo previous routing changes. But I don't want to
risk making such a change in a patch release. I'll do that in 4.2 however.
>
> 4. print a warning during (re)start when "-" is detected in DEST column
> ("Your routing rules may work improperly!") ;)
>
Again, I prefer the attached patch.
Thanks!
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ [EMAIL PROTECTED]
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Index: Shorewall/Providers.pm
===================================================================
--- Shorewall/Providers.pm (revision 7341)
+++ Shorewall/Providers.pm (working copy)
@@ -330,17 +330,25 @@
fatal_error "You must specify either the source or destination in a route_rules entry" if $source eq '-' && $dest eq '-';
- $dest = $dest eq '-' ? '' : "to $dest";
+ if ( $dest eq '-' ) {
+ $dest = 'to ' . ALLIPv4;
+ } else {
+ validate_net( $dest);
+ $dest = "to $dest";
+ }
+
if ( $source eq '-' ) {
- $source = '';
+ $source = 'to ' . ALLIPv4;
} elsif ( $source =~ /:/ ) {
( my $interface, $source , my $remainder ) = split( /:/, $source, 3 );
fatal_error "Invalid SOURCE" if defined $remainder;
+ validate_net ($source);
$source = "iif $interface from $source";
} elsif ( $source =~ /\..*\..*/ ) {
$source = "from $source";
} else {
+ validate_net ($source);
$source = "iif $source";
}
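Review bot: In the `$source eq '-'` branch the added line sets `$source = 'to ' . ALLIPv4;`, which looks like it should be `'from ' . ALLIPv4`. Since the `fatal_error` at the top of the hunk rejects entries where both columns are '-', `$dest` is already "to $dest" whenever this branch runs, so the generated rule would carry two `to` selectors and no source selector. The source-side `validate_net` calls also look misplaced: the final `else` branch emits `iif $source`, so `$source` there is an interface name rather than a network, while the `elsif ( $source =~ /\..*\..*/ )` branch that emits `from $source` gets no validation at all. Suggest moving the call from the `else` branch to that `elsif` branch. Minor style point: the call spacing differs between `validate_net( $dest)` and `validate_net ($source)`.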
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
