I'm trying to deploy a remote policy with shorewall[6]-lite to a LEDE
17.01.4 router running shorewall[-lite] 5.1 from a host running
shorewall 5.0.

The problem is that on LEDE now, they supply a BusyBox "ip" applet
which is not quite featured enough for shorewall:

Adding Providers...
ip: invalid argument '0x100/0xff00' to 'fwmark'
   ERROR: Command "ip -6 rule add fwmark 0x100/0xff00 pref 10000 table 1" Failed

The good news is that one can install a fully featured ip tool.

The problem is that the busybox one lives in /sbin/ip and the fully-
featured one lives in /usr/bin/ip.  By default shorewall[6][-lite] is
setting a PATH that puts /sbin/ before /usr/bin.  But that's almost
orthogonal because simply switching the PATH search order around could
just trigger another flavour of this problem.

So I see three solutions, any number of which might exist already and I
just don't know about them.  One is to be able to tell shorewall[6] on
the host machine the path to the remote ip tool so that it uses a fully
qualified path for $IP.  Setting the IP variable in shorewall6.conf on
the host doesn't work as shorewall6 tries to find that path locally
instead of remotely:

$ shorewall6 remote-reload 10.75.22.253
      WARNING: ./shorewallrc does not exist; using settings from /usr/share/shorewall
   ERROR: The program specified in IP (/usr/bin/ip) does not exist or is not executable

Second solution is to be able to tell shorewall[6]-lite on the remote
the fully qualified path where ip is, but given how shorewall builds the
policy on the host, I'm not sure I can see how that would work.  And it
doesn't.

Third solution is that shorewall uses an enhanced version of its
"mywhich" function to find the right ip tool.

In the short term though, is there any solution other than fiddling
with the remote $PATH, which I can do by setting it in
shorewall6-lite.conf on the remote, correct?

Cheers,
b.
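
Added example, not part of the original post and not Shorewall's code: a sketch of the capability-aware lookup the third option describes, choosing the first "ip" on a search path that identifies itself as iproute2 instead of the first one found. The function names, the "ip -V" heuristic and the fake binaries are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: a hypothetical helper, not Shorewall's own "mywhich".

# Assumption: iproute2 answers "ip -V" with text containing "iproute2",
# while the BusyBox applet rejects -V or prints a BusyBox banner.
is_iproute2() {
    [ -x "$1" ] || return 1
    case "$("$1" -V 2>&1)" in
        *BusyBox*)  return 1 ;;
        *iproute2*) return 0 ;;
        *)          return 1 ;;
    esac
}

# find_full_ip [search_path]: print the first "ip" on the colon-separated
# search path (default $PATH) that passes is_iproute2; exit 1 if none does.
# Runs in a subshell so the IFS and noglob changes do not leak to the caller.
find_full_ip() (
    IFS=:
    set -f
    for dir in ${1:-$PATH}; do
        [ -n "$dir" ] || dir=.          # empty PATH element means "."
        if is_iproute2 "$dir/ip"; then
            printf '%s\n' "$dir/ip"
            exit 0
        fi
    done
    exit 1
)

# Constructed stand-ins for the two tools in the post, so this runs offline:
# $1/sbin/ip behaves like the BusyBox applet, $1/usr/bin/ip like iproute2.
make_fake_tree() {
    mkdir -p "$1/sbin" "$1/usr/bin"
    printf '%s\n' '#!/bin/sh' \
        'echo "BusyBox multi-call binary (constructed)" >&2; exit 1' \
        > "$1/sbin/ip"
    printf '%s\n' '#!/bin/sh' \
        'echo "ip utility, iproute2-constructed"' > "$1/usr/bin/ip"
    chmod +x "$1/sbin/ip" "$1/usr/bin/ip"
}

tmp=$(mktemp -d)
make_fake_tree "$tmp"
# Same order as the PATH in the post: /sbin before /usr/bin.
echo "selected: $(find_full_ip "$tmp/sbin:$tmp/usr/bin")"
rm -rf "$tmp"
```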
