> The attached patch corrects both issues. As I mentioned above, a 0x prefix is
> required if the device number is not numeric.
>
That, for me, partially works:
tcdevices:
1. 0A:eth0 is silently accepted (it gives an error only when it is used)
2. 0xA:eth0 - ERROR: Invalid interface NUMBER (0xA)
3. A:eth0 is silently accepted (the only way this interface could be
used is by referring to it by "eth0", otherwise it triggers an error)
I was unable to test the second part of this patch fully (it works when
the interface is referred to by its "native" name, i.e. "eth0:1"
triggers an error as expected, but I'd like to test this with the
aliases above to make sure).
4.
tcdevices:
A:eth0 - 100mbit classify,hfsc
[...]
tcclasses:
eth0:11 - 10*full/100:50ms 20*full/100 1 tcp-ack
[...]
Passes compilation, but triggers the following error:
shorewall[1566]: RTNETLINK answers: Invalid argument
shorewall[1566]: We have an error talking to the kernel
shorewall[1566]: ERROR: Command "tc filter add dev eth0 parent 10:0
protocol ip prio 266 u32 match ip protocol 6 0xff match u8 0x05 0x0f at
0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid a:11" Failed
Finally, I found what I think is ipsets syntax bug in shorewall. This is
what I tested in the rules file:
1. "ACCEPT:info $FW net:!+[my-host[src]],+ssh-host[dst] tcp" produces this:
Chain fw2net (1 references)
pkts bytes target prot opt in out source
destination
0 0 ~excl0 tcp -- * * 0.0.0.0/0
0.0.0.0/0
Chain ~excl0 (1 references)
pkts bytes target prot opt in out source
destination
0 0 RETURN all -- * * 0.0.0.0/0
0.0.0.0/0 match-set my-host src
0 0 RETURN all -- * * 0.0.0.0/0
0.0.0.0/0 match-set ssh-host dst
0 0 LOG all -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:fw2net:ACCEPT:'
0 0 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0
If we are to accept that the above is correct, meaning "!" has an effect
on the whole line after the "!" sign I then have two more tests:
2. "ACCEPT:info $FW net:!+my-host[src],!+ssh-host[dst] tcp" produces
"ERROR: Invalid DEST network list (!+my-host[src],!+ssh-host[dst])" -
fair enough - it does not accept double negatives, though I think it should.
3. But then "ACCEPT:info $FW
net:!10.1.0.7,10.1.0.9,+[!my-host[src]],+[!ssh-host[dst]] tcp" produces
this:
Chain fw2net (1 references)
pkts bytes target prot opt in out source
destination
0 0 ~excl0 tcp -- * * 0.0.0.0/0
0.0.0.0/0 ! match-set my-host src
0 0 ~excl0 tcp -- * * 0.0.0.0/0
0.0.0.0/0 ! match-set ssh-host dst
Chain ~excl0 (2 references)
pkts bytes target prot opt in out source
destination
0 0 RETURN all -- * * 0.0.0.0/0
10.1.0.7
0 0 RETURN all -- * * 0.0.0.0/0
10.1.0.9
0 0 LOG all -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:fw2net:ACCEPT:'
0 0 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0
Which it shouldn't if we are to assume that 1 above is right!
So either 1, 2 or 3 above are wrong.
------------------------------------------------------------------------------
WhatsUp Gold - Download Free Network Management Software
The most intuitive, comprehensive, and cost-effective network
management toolset available today. Delivers lowest initial
acquisition cost and overall TCO of any competing solution.
http://p.sf.net/sfu/whatsupgold-sd
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
