Re: [Shorewall-users] tcfilters with +ipset in DEST column

Tue, 22 Jul 2014 07:44:27 -0700 

On 7/22/2014 7:06 AM, Tom Eastep wrote:
> On 7/22/2014 3:11 AM, Alan Barrett wrote:
>> I am trying to use an ipset in the DEST column in the tcfilters file,
>> like this:
>>
>> #CLASS  SOURCE  DEST    PROTO   DPORT   SPORT   TOS     LENGTH  PRIO
>>
>> 2:100   0.0.0.0 +fast
>> 2:200   0.0.0.0 +slow
>>
>> where "fast" and "slow" are ipsets that contain IP addresses that
>> should get special treatment.  However, I get errors like this:
>>
>> Compiling /etc/shorewall/tcfilters...
>> IN===> 2:100    0.0.0.0 +fast
>>    ERROR: An ipset name (+fast) is not allowed in this context 
>> /etc/shorewall/tcfilters (line 16) at 
>> /usr/share/shorewall/Shorewall/Config.pm line 1348.
>>         Shorewall::Config::fatal_error('An ipset name (+fast) is not allowed 
>> in this context') called at /usr/share/shorewall/Shorewall/IPAddrs.pm line 
>> 216
>>         Shorewall::IPAddrs::validate_4net('+fast', 0) called at 
>> /usr/share/shorewall/Shorewall/IPAddrs.pm line 878
>>         Shorewall::IPAddrs::validate_net('+fast', 0) called at 
>> /usr/share/shorewall/Shorewall/IPAddrs.pm line 302
>>         Shorewall::IPAddrs::decompose_net('+fast') called at 
>> /usr/share/shorewall/Shorewall/Tc.pm line 2023
>>         Shorewall::Tc::process_tc_filter1('2:100', 0.0.0.0, '+fast', '-', 
>> '-', '-', '-', '-', '-', ...) called at /usr/share/shorewall/Shorewall/Tc.pm 
>> line 2561
>>         Shorewall::Tc::process_tc_filter() called at 
>> /usr/share/shorewall/Shorewall/Tc.pm line 2579
>>         Shorewall::Tc::process_tcfilters() called at 
>> /usr/share/shorewall/Shorewall/Tc.pm line 2752
>>         Shorewall::Tc::process_traffic_shaping() called at 
>> /usr/share/shorewall/Shorewall/Tc.pm line 3003
>>         Shorewall::Tc::process_tc() called at 
>> /usr/share/shorewall/Shorewall/Compiler.pm line 774
>>         Shorewall::Compiler::compiler('script', 
>> '/var/lib/shorewall/.restart', 'directory', '', 'verbosity', 1, 'timestamp', 
>> 0, 'debug', ...) called at /usr/share/shorewall/compiler.pl line 152
>>
> 
> Have you set BASIC_FILTERS=Yes in shorewall.conf?
> 

I have updated the tcfilters manpages to mention this requirement.
Apologies for the previous oversight.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Attachment: signature.asc
Description: OpenPGP digital signature

------------------------------------------------------------------------------
Want fast and easy access to all the code in your enterprise? Index and
search up to 200,000 lines of code with a free copy of Black Duck
Code Sight - the same software that powers the world's largest code
search on Ohloh, the Black Duck Open Hub! Try it now.
http://p.sf.net/sfu/bds
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users

Reply via email to