Re: [Shorewall-users] tcfilters with +ipset in DEST column

Tue, 22 Jul 2014 07:19:46 -0700 

On 7/22/2014 3:11 AM, Alan Barrett wrote:
> I am trying to use an ipset in the DEST column in the tcfilters file,
> like this:
> 
> #CLASS  SOURCE  DEST    PROTO   DPORT   SPORT   TOS     LENGTH  PRIO
> 
> 2:100   0.0.0.0 +fast
> 2:200   0.0.0.0 +slow
> 
> where "fast" and "slow" are ipsets that contain IP addresses that
> should get special treatment.  However, I get errors like this:
> 
> Compiling /etc/shorewall/tcfilters...
> IN===> 2:100    0.0.0.0 +fast
>    ERROR: An ipset name (+fast) is not allowed in this context 
> /etc/shorewall/tcfilters (line 16) at 
> /usr/share/shorewall/Shorewall/Config.pm line 1348.
>         Shorewall::Config::fatal_error('An ipset name (+fast) is not allowed 
> in this context') called at /usr/share/shorewall/Shorewall/IPAddrs.pm line 216
>         Shorewall::IPAddrs::validate_4net('+fast', 0) called at 
> /usr/share/shorewall/Shorewall/IPAddrs.pm line 878
>         Shorewall::IPAddrs::validate_net('+fast', 0) called at 
> /usr/share/shorewall/Shorewall/IPAddrs.pm line 302
>         Shorewall::IPAddrs::decompose_net('+fast') called at 
> /usr/share/shorewall/Shorewall/Tc.pm line 2023
>         Shorewall::Tc::process_tc_filter1('2:100', 0.0.0.0, '+fast', '-', 
> '-', '-', '-', '-', '-', ...) called at /usr/share/shorewall/Shorewall/Tc.pm 
> line 2561
>         Shorewall::Tc::process_tc_filter() called at 
> /usr/share/shorewall/Shorewall/Tc.pm line 2579
>         Shorewall::Tc::process_tcfilters() called at 
> /usr/share/shorewall/Shorewall/Tc.pm line 2752
>         Shorewall::Tc::process_traffic_shaping() called at 
> /usr/share/shorewall/Shorewall/Tc.pm line 3003
>         Shorewall::Tc::process_tc() called at 
> /usr/share/shorewall/Shorewall/Compiler.pm line 774
>         Shorewall::Compiler::compiler('script', 
> '/var/lib/shorewall/.restart', 'directory', '', 'verbosity', 1, 'timestamp', 
> 0, 'debug', ...) called at /usr/share/shorewall/compiler.pl line 152
> 

Have you set BASIC_FILTERS=Yes in shorewall.conf?

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Attachment: signature.asc
Description: OpenPGP digital signature

------------------------------------------------------------------------------
Want fast and easy access to all the code in your enterprise? Index and
search up to 200,000 lines of code with a free copy of Black Duck
Code Sight - the same software that powers the world's largest code
search on Ohloh, the Black Duck Open Hub! Try it now.
http://p.sf.net/sfu/bds
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users

Reply via email to