Shorewall Geek wrote:
> Niedermeier Günter wrote:
>> Hi,
>>
>> usually my shorewall inst. uses compiler=perl.
>>
>> During some tests I changed my config to compiler=shell, and in this case
>> I get an error like this:
>>
>> --------------------------------------------------------
>>
>> Setting up TCP Flags checking...
>> iptables v1.3.8: host/network `169.254.0.0/16!169.254.1.0' not found
>> Try `iptables -h' or 'iptables --help' for more information.
>> ERROR: Command "/usr/sbin/iptables -A eth2_fwd -p tcp -s
>> 169.254.0.0/16!169.254.1.0/24 -j tcpflags" Failed
>> Processing /etc/shorewall/stop ...
>> IP Forwarding Enabled
>> Processing /etc/shorewall/stopped ...
>> /sbin/shorewall: line 742: 9333 Terminated
>> $SHOREWALL_SHELL ${VARDIR}/.restart $debugging restart
>
> There are many bugs like this in Shorewall shell -- that's one of the
> primary reasons that we developed Shorewall Perl. I would not be
> surprised if many of the options available in /etc/shorewall/hosts blow
> up when the host group has an exclusion.
As it turns out, Shorewall-perl is ignoring the exclusion when
generating rules for these OPTIONS:
blacklist
maclist
norfc1918
tcpflags
That will be corrected in 4.2.4. I've also documented that exclusion
with any of these options is broken when using Shorewall-shell as
Guenter has reported. I'll accept a patch for that if anyone is
interested in writing and testing one.
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
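The failing command in the report shows what went wrong: the shell compiler handed the host spec `169.254.0.0/16!169.254.1.0/24` to iptables verbatim, and iptables has no `!`-exclusion syntax of its own. The following is an added example, not Shorewall's code, of how such a spec has to be expanded into plain iptables rules (excluded hosts RETURN from a helper chain before the real target is reached); the helper chain name `excl_<chain>` and the `IPTABLES` variable are assumptions of this example, and by default the commands are printed rather than applied.

```shell
#!/bin/sh
# Added example (not Shorewall's own compiler code): expand a
# "NETWORK!EXCLUDED[,EXCLUDED...]" host specification into iptables
# commands that honour the exclusion. IPTABLES defaults to "echo iptables"
# so the rules are printed; set IPTABLES=iptables to apply them for real.
IPTABLES=${IPTABLES:-"echo iptables"}

# expand_exclusion CHAIN HOSTSPEC TARGET [extra match options...]
expand_exclusion() {
    chain=$1; spec=$2; target=$3; shift 3
    net=${spec%%!*}     # text before "!": the network to match
    excl=${spec#*!}     # text after "!": hosts to exclude (if any)
    if [ "$excl" = "$spec" ]; then
        # No "!" present: one ordinary rule is enough.
        $IPTABLES -A "$chain" "$@" -s "$net" -j "$target"
        return
    fi
    # Assumed naming scheme for the helper chain (not Shorewall's own).
    xchain="excl_${chain}"
    $IPTABLES -N "$xchain"
    # Every excluded host/network leaves the helper chain before the
    # target rule, so only the non-excluded part of NETWORK reaches it.
    for h in $(printf '%s' "$excl" | tr ',' ' '); do
        $IPTABLES -A "$xchain" -s "$h" -j RETURN
    done
    $IPTABLES -A "$xchain" -j "$target"
    # Finally, send the whole network through the helper chain.
    $IPTABLES -A "$chain" "$@" -s "$net" -j "$xchain"
}

# The rule that failed in the report, rendered with the exclusion applied.
expand_exclusion eth2_fwd '169.254.0.0/16!169.254.1.0/24' tcpflags -p tcp
```

Running it prints four commands: create `excl_eth2_fwd`, RETURN for 169.254.1.0/24, jump to `tcpflags` for everything else, and the `eth2_fwd` rule that sends 169.254.0.0/16 TCP traffic into that chain.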