Trying to use some of the techniques explained on: http://shorewall.net/configuration_file_basics.htm
Am I misunderstanding run-time address variables?
I have /etc/shorewall6/init:
INT_SRV_ALL_SRCS=$(ip -6 addr ls br-lan | sed -n -e '/fe80::/d' -e '/fd31:/d' -e '/::1\/128/d' -e 's/::1\/[0-9]*/::2/g' -e '/ *inet6 /{s/ *inet6 \(.*\) scope .*$/\1,/;H}' -e '${g;s/\n//g;s/,$//;p}')
INT_SRV_ALL_DSTS=loc:$INT_SRV_ALL_SRCS
To save you the trouble, the $() evaluates to a comma separated list of
addresses such as
2607:1234:5678:cd00::2,2001:5432:9876:6700::2,2001:bad:beef::2
I have in /etc/shorewall6/rules:
Auth/ACCEPT net &{INT_SRV_ALL_DSTS}
But when I try to compile I get:
Compiling /etc/shorewall6/gw-Reboot/rules...
ERROR: Unknown destination zone (&{INT_SRV_ALL_DSTS})
/usr/share/shorewall/macro.Auth (line 9)
from /etc/shorewall6/gw-Reboot/rules (line 83)
I have tried simplifying and assigning INT_SRV_ALL_DSTS directly with
the much more simple:
INT_SRV_ALL_DSTS=loc:2607:1234:5678:cd00::2,2001:5432:9876:6700::2,2001:bad:beef::2
but get the same error.
This is with shorewall-5.0.14.1.
It's probably obvious but the goal here is to push as much of the "what
is the current networking state -- IP addresses, gateways, etc." out to
the shorewall-lite machine and have the state evaluated at each policy
[re-]load so that it's much more flexible to networking configuration
changing.
Cheers,
b.
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
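The address-list pipeline from the post above, as an added example that is not part of the original message: it runs the post's sed script over constructed `ip -6 addr` output and wraps it in a guard that refuses to emit a bare `loc:` or a malformed list. The function names `sample_ip_output`, `addr_list` and `build_dsts` are assumptions made for this example, not Shorewall features.

```shell
#!/bin/sh
# Added example, not from the original post.

# Constructed sample of `ip -6 addr ls br-lan` output.
sample_ip_output() {
cat <<'EOF'
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2607:1234:5678:cd00::1/64 scope global
       valid_lft forever preferred_lft forever
    inet6 2001:bad:beef::1/64 scope global dynamic
       valid_lft 86000sec preferred_lft 14000sec
    inet6 fd31:aaaa:bbbb::1/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::1234:56ff:fe78:9abc/64 scope link
       valid_lft forever preferred_lft forever
EOF
}

# The sed script from the post, reading `ip` output on stdin:
# drop link-local, fd31: and ::1/128 lines, rewrite ::1/<len> to ::2,
# collect each address in the hold space, print one comma-joined line.
addr_list() {
    sed -n -e '/fe80::/d' -e '/fd31:/d' -e '/::1\/128/d' \
        -e 's/::1\/[0-9]*/::2/g' \
        -e '/ *inet6 /{s/ *inet6 \(.*\) scope .*$/\1,/;H}' \
        -e '${g;s/\n//g;s/,$//;p}'
}

# Hypothetical guard (assumption): fail instead of producing "loc:" with
# an empty list, or a list holding anything but hex digits, ':' and ','.
# An address that does not end in ::1/<len> keeps its "/<len>" suffix
# after the sed rewrite and is rejected here.
build_dsts() {
    list=$(addr_list)
    case $list in
        ''|*[!0-9a-fA-F:,]*|,*|*,|*,,*)
            echo "refusing address list: '$list'" >&2
            return 1 ;;
    esac
    printf 'loc:%s\n' "$list"
}

sample_ip_output | build_dsts
```

On a live system the input would come from `ip -6 addr ls br-lan | build_dsts`, and a non-zero exit status indicates that the interface had no usable global address at that moment.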
