On 11/14/2017 05:29 AM, Brian J. Murrell wrote:
> I'm trying to deploy a remote policy with shorewall[6]-lite to a LEDE
> 17.01.4 router running shorewall[-lite] 5.1 from a host running
> shorewall 5.0.
> 
> The problem is that on LEDE now, they supply a busy-box "ip" applet
> which is not quite featured enough for shorewall:
> 
> Adding Providers...
> ip: invalid argument '0x100/0xff00' to 'fwmark'
>    ERROR: Command "ip -6 rule add fwmark 0x100/0xff00 pref 10000 table
> 1" Failed
> 
> The good news is that one can install a fully featured ip tool.
> 
> The problem is that the busybox one lives in /sbin/ip and the fully-
> featured one lives in /usr/bin/ip.  By default shorewall[6][-lite] is
> setting a PATH that puts /sbin/ before /usr/bin.  But that's almost
> orthogonal because simply switching the PATH search order around could
> just trigger another flavour of this problem.
> 
> So I see three solutions any number of which might exist already and I
> just don't know about it.  One is to be able to tell shorewall[6] on
> the host machine the path to the remote ip tool so that it uses a fully
> qualified path for $IP.  Setting the IP variable in shorewall6.conf on
> the host doesn't work as shorewall6 tries to find that path locally
> instead of remotely:
> 
> $ shorewall6 remote-reload 10.75.22.253
>       WARNING: ./shorewallrc does not exist; using settings from
> /usr/share/shorewall
>    ERROR: The program specified in IP (/usr/bin/ip) does not exist or
> is not executable
> 
> Second solution is to be able to tell shorewall[6]-lite on the remote
> the fully qualified path where ip is, but given how shorewall builds the
> policy on the host, I'm not sure I can see how that would work.  And it
> doesn't.
> 
> Third solution is that shorewall uses an enhanced version of its
> "mywhich" function to find the right ip tool.
> 
> In the short term though, is there any solution other than fiddling
> with the remote $PATH, which I can do by setting it in shorewall6-
> lite.conf on the remote, correct?

The attached patch will allow you to specify IP (and SHOREWALL_SHELL) in
the remote firewall's shorewall6.conf file.

        patch /usr/share/shorewall/lib.cli-std < IP.patch

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
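An added example (editor's code, not from this thread or the Shorewall project) of the "enhanced mywhich" idea raised in the quoted message: instead of taking the first `ip` on PATH, walk every PATH entry and skip candidates that are BusyBox applets. It assumes, as on LEDE/OpenWrt, that an applet is a symlink whose target is a file named `busybox`; the demo directory tree built by `make_demo_tree` is constructed for illustration and mirrors the /sbin/ip (applet) versus /usr/bin/ip (full iproute2) layout described above.

```shell
#!/bin/sh
# find_full_ip [PATH-string]
# Walk the given PATH (default: $PATH) and print the first "ip" that is
# not a BusyBox applet. Assumption: an applet is a symlink resolving to a
# file whose basename is "busybox". Returns 1 (prints nothing) if every
# candidate is an applet or no "ip" exists.
find_full_ip() {
    _rest="${1:-$PATH}:"
    while [ -n "$_rest" ]; do
        _dir=${_rest%%:*}
        _rest=${_rest#*:}
        [ -n "$_dir" ] || continue
        _cand="$_dir/ip"
        [ -x "$_cand" ] || continue
        # Resolve symlinks; if readlink -f is unavailable, judge the
        # candidate path itself.
        _target=$(readlink -f "$_cand" 2>/dev/null || printf '%s' "$_cand")
        case "$(basename "$_target")" in
            busybox) continue ;;    # BusyBox applet: keep searching
        esac
        printf '%s\n' "$_cand"
        return 0
    done
    return 1
}

# Constructed fixture for the demo: sbin/ip is an applet symlink to a fake
# busybox, usr/bin/ip is a stand-alone script standing in for iproute2.
# Prints the temporary root directory.
make_demo_tree() {
    _root=$(mktemp -d)
    mkdir -p "$_root/sbin" "$_root/usr/bin"
    printf '#!/bin/sh\necho "fake busybox applet: $0"\n' > "$_root/sbin/busybox"
    chmod +x "$_root/sbin/busybox"
    ln -s busybox "$_root/sbin/ip"
    printf '#!/bin/sh\necho "fake full-featured ip"\n' > "$_root/usr/bin/ip"
    chmod +x "$_root/usr/bin/ip"
    printf '%s\n' "$_root"
}

# Report what the current PATH would give a firewall script.
if ip_bin=$(find_full_ip); then
    echo "full-featured ip: $ip_bin"
else
    echo "no non-applet ip found on PATH" >&2
fi
```

The value printed by `find_full_ip` is what you would put in `IP=` in the remote's shorewall6-lite.conf once the path is configurable; with the sbin-before-usr/bin ordering from the quoted message the function still returns the /usr/bin copy, which is the point of searching by capability rather than by position.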
diff --git a/Shorewall/lib.cli-std b/Shorewall/lib.cli-std
index f425381ce..f7ab9b8e1 100644
--- a/Shorewall/lib.cli-std
+++ b/Shorewall/lib.cli-std
@@ -211,30 +211,32 @@ get_config() {
 	LOG_VERBOSITY=-1
     fi
 
-    if [ -n "$SHOREWALL_SHELL" -a -z "$g_export" ]; then
-	if [ ! -x "$SHOREWALL_SHELL" ]; then
-	    echo "   WARNING: The program specified in SHOREWALL_SHELL does not exist or is not executable; falling back to /bin/sh" >&2
-	    SHOREWALL_SHELL=/bin/sh
+    if [ -z "$g_export" -a "$(id -u)" = 0 ]; then
+	if [ -n "$SHOREWALL_SHELL" -a -z "$g_export" ]; then
+	    if [ ! -x "$SHOREWALL_SHELL" ]; then
+		echo "   WARNING: The program specified in SHOREWALL_SHELL does not exist or is not executable; falling back to /bin/sh" >&2
+		SHOREWALL_SHELL=/bin/sh
+	    fi
 	fi
-    fi
 
-    if [ -n "$IP" ]; then
-	case "$IP" in
-	    */*)
-		if [ ! -x "$IP" ] ; then
-		    fatal_error "The program specified in IP ($IP) does not exist or is not executable"
-		fi
-		;;
-	    *)
-		prog="$(mywhich $IP 2> /dev/null)"
-		if [ -z "$prog" ] ; then
-		    fatal_error "Can't find $IP executable"
-		fi
-		IP=$prog
-		;;
-	esac
-    else
-	IP='ip'
+	if [ -n "$IP" ]; then
+	    case "$IP" in
+		*/*)
+		    if [ ! -x "$IP" ] ; then
+			fatal_error "The program specified in IP ($IP) does not exist or is not executable"
+		    fi
+		    ;;
+		*)
+		    prog="$(mywhich $IP 2> /dev/null)"
+		    if [ -z "$prog" ] ; then
+			fatal_error "Can't find $IP executable"
+		    fi
+		    IP=$prog
+		    ;;
+	    esac
+	else
+	    IP='ip'
+	fi
     fi
 
     case $VERBOSITY in
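Review bot: the new outer guard `if [ -z "$g_export" -a "$(id -u)" = 0 ]` also swallows the `else IP='ip'` default, so in the export path (and for any non-root invocation) `$IP` is left empty whenever the config file does not set it; hoist the default out of the guard (for example `IP=${IP:-ip}` before the `if`) and keep only the `-x`/`mywhich` validation inside. The inner `-a -z "$g_export"` on the SHOREWALL_SHELL test is now redundant with the outer condition and can be dropped. Since a fully qualified IP= is no longer checked when compiling for export, a bad path surfaces only at run time on the remote firewall; that behaviour deserves a sentence in the IP= description of shorewall.conf(5).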

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users