Tom,

I know you said you were not going to do any more work with ipsets, so
feel free to ignore this, but just for the historical record (somebody
else might run across this and search) Shorewall[-perl 4.0.6] is
rejecting the name of an ipset which the ipset command itself appears to
like perfectly well:

ERROR: Invalid ipset name (+brian-laptop) : /etc/shorewall/gw/hosts (line 134)

The shorewall-hosts manpage doesn't list any limitations on legal ipset
names.

Simply changing the RE in /usr/share/shorewall-perl/Shorewall/Zones.pm
from

/^\+[a-zA-Z]\w*$/

to

/^\+[a-zA-Z][-\w]*$/

solves the problem. The same RE is used
in /usr/share/shorewall-perl/Shorewall/Chains.pm for ipsets.

Cheers,
b.

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/

Brian J. Murrell wrote:
> Tom,
>
> I know you said you were not going to do any more work with ipsets, so
> feel free to ignore this, but just for the historical record (somebody
> else might run across this and search) Shorewall[-perl 4.0.6] is
> rejecting the name of an ipset which the ipset command itself appears to
> like perfectly well:
>
> ERROR: Invalid ipset name (+brian-laptop) : /etc/shorewall/gw/hosts (line 134)
>
> The shorewall-hosts manpage doesn't list any limitations on legal ipset
> names.

From the Shorewall 4.0 release notes:

h) Shorewall-perl insists that ipset names begin with a letter and
   be composed of alphanumeric characters and underscores (_). When
   used in a Shorewall configuration file, the name must be
   preceded by a plus sign (+) as with the shell-based compiler.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key

On Mon, 2008-09-08 at 17:53 -0700, Tom Eastep wrote:
> From the Shorewall 4.0 release notes:
>
> h) Shorewall-perl insists that ipset names begin with a letter and
>    be composed of alphanumeric characters and underscores (_). When
>    used in a Shorewall configuration file, the name must be
>    preceded by a plus sign (+) as with the shell-based compiler.

Oh, yes, release notes. Forgot about those.

In any case, the fix I suggested seems to be working here. Any reason
not to lift the limitation on '-'? Certainly I could mangle the s/-/_/
in my learn script so that when a CN has a - in it, I use a _.

b.
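
Added example (not part of the original thread, and not Shorewall's or Brian's code): the two patterns quoted above run against constructed names, together with the s/-/_/ workaround. It assumes each certificate CN maps to one ipset name; it applies the substitution globally and flags two CNs that mangle to the same name, since rules written for one host would then apply to the other.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Name patterns quoted in the thread (leading '+' as written in config files).
my $stock   = qr/^\+[a-zA-Z]\w*$/;      # Shorewall-perl 4.0.6 as shipped
my $patched = qr/^\+[a-zA-Z][-\w]*$/;   # local change from the thread, also allows '-'

# Workaround from the thread: replace '-' with '_' so the stock pattern accepts
# the name. The /g flag (an addition here) covers names with several hyphens.
# Returns the ipset reference, or undef if it still fails the stock rule.
sub cn_to_ipset_ref {
    my ($cn) = @_;
    (my $name = $cn) =~ s/-/_/g;
    my $ref = "+$name";
    return $ref =~ $stock ? $ref : undef;
}

# Constructed sample CNs (hypothetical), two of which collide after mangling.
my @cns = qw(brian-laptop brian_laptop gw1 9lives office.pc);

my %seen;   # ipset reference -> first CN that produced it
for my $cn (@cns) {
    my $raw = "+$cn";
    printf "%-14s stock=%-6s patched=%-6s ", $cn,
        ($raw =~ $stock   ? 'ok' : 'reject'),
        ($raw =~ $patched ? 'ok' : 'reject');

    my $ref = cn_to_ipset_ref($cn);
    if (!defined $ref) {
        # A leading digit or a '.' is not repaired by the substitution.
        print "mangled: still invalid\n";
    } elsif (exists $seen{$ref} && $seen{$ref} ne $cn) {
        # Two distinct CNs would share one ipset, and so one set of rules.
        print "mangled: $ref COLLIDES with CN '$seen{$ref}'\n";
    } else {
        $seen{$ref} = $cn;
        print "mangled: $ref\n";
    }
}
```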

Brian J. Murrell wrote:
> On Mon, 2008-09-08 at 17:53 -0700, Tom Eastep wrote:
>> From the Shorewall 4.0 release notes:
>>
>> h) Shorewall-perl insists that ipset names begin with a letter and
>>    be composed of alphanumeric characters and underscores (_). When
>>    used in a Shorewall configuration file, the name must be
>>    preceded by a plus sign (+) as with the shell-based compiler.
>
> Oh, yes, release notes. Forgot about those.
>
> In any case, the fix I suggested seems to be working here. Any reason
> not to lift the limitation on '-'? Certainly I could mangle the s/-/_/
> in my learn script so that when a CN has a - in it, I use a _.

I'm changing nothing.

-Tom

Tom Eastep wrote:
> Brian J. Murrell wrote:
>> On Mon, 2008-09-08 at 17:53 -0700, Tom Eastep wrote:
>>> From the Shorewall 4.0 release notes:
>>>
>>> h) Shorewall-perl insists that ipset names begin with a letter and
>>>    be composed of alphanumeric characters and underscores (_). When
>>>    used in a Shorewall configuration file, the name must be
>>>    preceded by a plus sign (+) as with the shell-based compiler.
>>
>> Oh, yes, release notes. Forgot about those.
>>
>> In any case, the fix I suggested seems to be working here. Any reason
>> not to lift the limitation on '-'? Certainly I could mangle the s/-/_/
>> in my learn script so that when a CN has a - in it, I use a _.
>
> I'm changing nothing.

First of all, I'm not anticipating any more 4.0 releases -- none.

I just released Shorewall 4.2.0 RC2 -- I'm not making any changes to that
release before FCS that are not clear bug fixes. So nothing is going to
change before 4.2.0 FCS.

And, as I've said before, I'm not going to change anything WRT ipsets so
long as the Netfilter team reserves the right to withdraw the feature
completely or to change it incompatibly in any way that they choose.

-Tom