I'm experiencing a problem with a dynamic zone I defined
long ago, which had been working without a problem
for months, with shorewall-core 4.5.21.9 under Gentoo.

I'm using an "old style" dynamic zone defined by

  ast:net ipv4

in the "zones" file and by

  net     net0            detect

in the "interfaces" file.

ipset, as far as I can see, is correctly configured
at shorewall startup

Name: ast_net0
Type: hash:ip
Revision: 2
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16520
References: 12


But when I try to add any address to this zone, what
I get is always this error

shorewall add net0:x.y.w.z ast
   ERROR: Zone ast, interface net0 does not have a dynamic host list

Remembering that my configuration had been working for months, I tried
to track down the problem in the shorewall scripts and I noticed
this "unconditional sed command"

   ipset=$(echo $ipset | sed 's/./_/g');

at line 1899, in the add_command() function, of the lib.cli library
of shorewall-core 4.5.21.9.

Inserting just a couple of "echo debugging" lines

   echo $ipset
   ipset=$(echo $ipset | sed 's/./_/g');
   echo $ipset

I was able to get this output from the shorewall add command

  shorewall add net0:x.y.w.z ast
  ast
  ast_net0
  ________
  ERROR: Zone ast, interface net0 does not have a dynamic host list

where it is easy to see that the 'ipset' variable has been unconditionally
translated from "ast_net0", apparently correct, to underscores,
apparently plain wrong.

Commenting out the "offending sed command line", what I get looks like
a correct execution of the "shorewall add command"

  shorewall add net0:x.y.w.z ast
  ast
  ast_net0
  ast_net0
  x.y.w.z
  Host net0:x.y.w.z added to zone ast

and the "x.y.w.z" address added to the correct ipset

  Name: ast_net0
  Type: hash:ip
  Revision: 2
  Header: family inet hashsize 1024 maxelem 65536
  Size in memory: 16520
  References: 12
  Members:
  x.y.w.z

and to my "ast" dynamic zone for the "net0" interface

  shorewall show dynamic ast
  net0:
     x.y.w.z

working flawlessly with my firewall rules.

These "sed command lines" (there is another one in the
delete_command() function, line 1989) were added
to the shorewall-core lib.cli library between versions
4.5.21.5 and 4.5.21.6; here is a diff of the two lib.cli
files

---
1549c1549
<     do_dump_command $@ | dump_filter
---
>     do_dump_command | dump_filter
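Review bot: in the `<` line at 1549, `$@` is passed to do_dump_command unquoted, so any argument containing whitespace or glob characters is word-split and pathname-expanded before the function sees it; quote it as `do_dump_command "$@" | dump_filter`.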
1899,1900d1898
<           ipset=$(echo $ipset | sed 's/./_/g');
< 
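Review bot: the `<` line at 1899, `ipset=$(echo $ipset | sed 's/./_/g');`, uses an unescaped `.` in the sed pattern, which is a regex metacharacter matching any character, so every character of the name is replaced and `ast_net0` becomes `________`, exactly the behaviour shown in the debug output above; if the intent is to rewrite literal dots, the dot must be escaped (`sed 's/\./_/g'`) or a literal tool such as `tr '.' '_'` used instead, and `$ipset` should be double-quoted when passed to echo.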
1989,1990d1986
<           ipset=$(echo $ipset | sed 's/./_/g');
< 
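Review bot: the `<` line at 1989 repeats the same `sed 's/./_/g'` substitution and therefore the same defect (unescaped `.` replaces every character); since add_command() and delete_command() both need the identical rewrite, it is worth factoring the (corrected) substitution into a single helper so the fix cannot be applied to one call site and missed in the other.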
3422c3418
<     echo "   dump [ -x ] [ -l ] [ -m ]"
---
>     echo "   dump [ -x ]"

which explains why I remember my configuration
working for months before observing this weird
problem.

Switching to a "dynamic_shared" zone

  ast:net ipv4 dynamic_shared

solves the problem, but I'm still curious to
understand what is going on here.

What's the matter? A mistake in my configuration?
A "bug" introduced in version 4.5.21.6?

Thanks, G. Vitillaro.
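As an added illustration (this is not code from the post above nor from Shorewall's lib.cli), the following POSIX shell script reproduces the mangling the author observed and shows two ways of rewriting only literal dots. That the substitution was meant to replace dots in the ipset name is an assumption made here, not something the post confirms; the function names are hypothetical. The sanitizer at the end also catches the failure mode itself: a name that came out as nothing but underscores is rejected instead of being handed to ipset.

```shell
#!/bin/sh
# Added example, not part of the original post or of Shorewall.
# Shows why  sed 's/./_/g'  destroys an ipset name and how to rewrite
# only literal dots. Assumption (not confirmed by the post): the
# substitution was meant to turn dots into underscores.

# Behaviour as posted: unescaped '.' is a regex metacharacter that
# matches ANY character, so every character becomes '_'.
mangle_buggy() {
    printf '%s\n' "$1" | sed 's/./_/g'
}

# Escaping the dot makes sed replace only literal '.' characters.
mangle_fixed() {
    printf '%s\n' "$1" | sed 's/\./_/g'
}

# tr has no regex syntax at all, so '.' is always literal here.
mangle_tr() {
    printf '%s\n' "$1" | tr '.' '_'
}

# Hypothetical sanitizer: rewrite dots, then refuse anything that is
# empty, contains characters outside [A-Za-z0-9_], or consists solely
# of underscores (the symptom seen in the post). Returns 1 on rejection.
sanitize_ipset_name() {
    name=$(printf '%s\n' "$1" | tr '.' '_')
    case "$name" in
        ''|*[!A-Za-z0-9_]*) return 1 ;;      # empty or illegal character
        *[A-Za-z0-9]*)      printf '%s\n' "$name" ;;  # has a real character
        *)                  return 1 ;;      # all underscores: mangled name
    esac
}

# Demonstration on constructed input (the post's zone_interface name and
# an example dotted address).
echo "buggy:  $(mangle_buggy ast_net0)"
echo "fixed:  $(mangle_fixed ast_net0)"
echo "tr:     $(mangle_tr 10.0.0.1)"
sanitize_ipset_name ast_net0 || echo "rejected: ast_net0"
sanitize_ipset_name ________ || echo "rejected: ________"
```

Running it prints the all-underscore name from the buggy form, the unchanged `ast_net0` from both corrected forms, and a rejection for the mangled name, which is the check a script should make before passing a derived set name to `ipset`.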

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users