On 1/11/13 4:47 PM, Eric Horst wrote:
> We don't upgrade very often, today I'm going from 4.4.25.2 to
> 4.5.11.2. I've upgraded and am working through the "shorewall check"
> to ensure that our configs are compatible and fixing any changes. I've
> been through the docs and upgrade notes several times on this one.
>
> We have a single-interface firewall which is used to protect the
> firewall host only i.e. a host-based firewall. This is in use on about
> 600 servers.
>
> interfaces:
> - enet physical=+
>
> hosts:
> net enet:0.0.0.0/0
> uw enet:$N_ALL_UW_AFFILIATED
>
> zones:
> host firewall
> uw ipv4
> net ipv4
>
>
> This is the typical format of a rule in the rules file (included by a
> SHELL directive):
> ACCEPT uw:homer.u.washington.edu host 22
>
> After upgrading to 4.5.11.2 and running shorewall check I get this error:
> ERROR: Unknown Interface (homer.u.washington.edu)
> SHELL@/etc/shorewall/rules:17 (line 96)
> from /etc/shorewall/rules (line 17)
>
> This can be fixed by adding the interface name like this:
> ACCEPT uw:enet:ref.cac.washington.edu host 22
>
> Yet the docs imply that the interface is optional (by showing it in
> square brackets) as it always has in the past:
>
> SOURCE -
> {zone|zone-list[+]|{all|any}[+][-]}[:interface][:{address-or-range[,address-or-range]...[exclusion]|exclusion|+ipset|^countrycode-list}
>
> I don't really want to go through all our rules to add this and try to
> retrain all my people to remember to put it in since it's supposed to
> be optional. Did I not read some recent change that made this
> non-optional? Or are there config elements that now cause it to be
> required?

Here's a patch that will also be in 4.5.12.

Regards,
-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
diff --git a/Shorewall/Perl/Shorewall/Chains.pm
b/Shorewall/Perl/Shorewall/Chains.pm
index b50dd23..6c66fa8 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -6068,7 +6068,7 @@ sub isolate_source_interface( $ ) {
if ( $source =~ /^(.+?):(.+)$/ ) {
$iiface = $1;
$inets = $2;
- } elsif ( $source =~ /^!?(?:\+|&|~|%|\^|\d+\.)/ ) {
+ } elsif ( $source =~ /^!?(?:\+|&|~|%|\^|\d+\.|.+\..+\.)/ ) {
$inets = $source;
} else {
$iiface = $source;
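Review bot: The new alternative `.+\..+\.` in the elsif of isolate_source_interface only matches when the string contains at least two dots, so a host name with a single dot still falls through to `$iiface = $source` and would be looked up as an interface, which is the path that produced the "Unknown Interface" error in the report. In the other direction, `.+` accepts any character, so an interface name that happens to contain two dots would now be classified as a network. Consider restricting the alternative to host-name label characters, deciding explicitly how single-dot names are handled, and adding a comment that states the heuristic, since rule authors rely on this branch to tell an address from an interface.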
@@ -6178,7 +6178,7 @@ sub isolate_dest_interface( $$$$ ) {
if ( $dest =~ /^(.+?):(.+)$/ ) {
$diface = $1;
$dnets = $2;
- } elsif ( $dest =~ /^!?(?:\+|&|%|~|\^|\d+\.)/ ) {
+ } elsif ( $dest =~ /^!?(?:\+|&|%|~|\^|\d+\.|.+\..+\.)/ ) {
$dnets = $dest;
} else {
$diface = $dest;
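Review bot: The pattern in the elsif of isolate_dest_interface is a second hand-maintained copy of the one in isolate_source_interface, and the two already list their alternatives in a different order (`&|~|%` in the source version, `&|%|~` here). Since both functions must agree on what counts as an address, defining the pattern once (for example as a shared precompiled regex) and using it in both places would keep a future change like this one from being applied to only one of them. A regression check that runs `uw:homer.u.washington.edu` style entries through both SOURCE and DEST would also be worth adding alongside the fix.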
