Eric E. Bowles
2004-May-21 07:55 UTC
Mistyped parameter in "rules" being treated as physdev
Hi there,

I noticed that a mistyped parameter variable in the "rules" file gets treated as a physdev in Shorewall 2.0.2b (and maybe earlier versions).

So if you type

    ACCEPT net:SERVER fw tcp ssh

instead of the correct

    ACCEPT net:$SERVER fw tcp ssh

a Netfilter rule will be added where "SERVER" is treated as an interface name.

Would it be possible to have Shorewall check for known interfaces (i.e., taken from the "interface" file) and flag this error?

Thanks,
--eric
Tom Eastep
2004-May-21 13:45 UTC
Re: Mistyped parameter in "rules" being treated as physdev
Eric E. Bowles wrote:
> Hi there,
>
> I noticed that a mistyped parameter variable in the "rules" file
> gets treated as a physdev in Shorewall 2.0.2b (and maybe earlier versions).
>
> So if you type
>
>     ACCEPT net:SERVER fw tcp ssh
>
> instead of the correct
>
>     ACCEPT net:$SERVER fw tcp ssh
>
> a Netfilter rule will be added where "SERVER" is treated as an
> interface name.
>
> Would it be possible to have Shorewall check for known interfaces
> (i.e., taken from the "interface" file) and flag this error?

Not really.

a) Shorewall doesn't require interfaces to be present at the time that Shorewall starts.

b) Bridge port interfaces are not defined to Shorewall.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Tom Eastep
2004-May-21 13:48 UTC
Re: Mistyped parameter in "rules" being treated as physdev
Tom Eastep wrote:
>> So if you type
>>
>>     ACCEPT net:SERVER fw tcp ssh
>>
>> instead of the correct
>>
>>     ACCEPT net:$SERVER fw tcp ssh
>>
>> a Netfilter rule will be added where "SERVER" is treated as an
>> interface name.
>>
>> Would it be possible to have Shorewall check for known interfaces
>> (i.e., taken from the "interface" file) and flag this error?
>
> Not really.
>
> a) Shorewall doesn't require interfaces to be present at the time that
> Shorewall starts.
>
> b) Bridge port interfaces are not defined to Shorewall.
>

Hmmm -- possibly I spoke too soon. I suppose that when I'm parsing the hosts file that I could create a list of bridge port interfaces...

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
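As an added example (not Shorewall's code and not from either poster), a small shell lint that implements the check discussed in this thread: it collects interface names from the interfaces file and bridge ports from "bridge:port" entries in the hosts file, then flags a SOURCE/DEST qualifier in the rules file that is neither a $variable, an address, nor a known interface. The three config files are constructed and simplified to the columns the check needs; treating any second half without a dot as a bridge port is this example's assumption.

```shell
#!/bin/sh
# Added example, not Shorewall code: lint a Shorewall 2.x-style "rules" file for
# the typo described in the thread ("net:SERVER" with a missing "$", read as an
# interface name). Known interfaces come from the "interfaces" file, bridge
# ports from "bridge:port" entries in "hosts". All three files are constructed.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      routefilter
loc     br0         detect
EOF
cat > "$WORK/hosts" <<'EOF'
#ZONE   HOST(S)         OPTIONS
loc     br0:eth1
dmz     br0:eth2
EOF
cat > "$WORK/rules" <<'EOF'
#ACTION SOURCE          DEST    PROTO   DEST PORT(S)
ACCEPT  net:SERVER      fw      tcp     ssh
ACCEPT  net:$SERVER     fw      tcp     ssh
ACCEPT  loc:eth1        fw      tcp     22
ACCEPT  net:10.0.0.5    fw      tcp     ssh
EOF
# Print known interface names: column 2 of the interfaces file ($1) plus the
# port half of "bridge:port" entries in the hosts file ($2). A second half
# containing a dot is taken to be "interface:address", not a bridge port.
known_interfaces() {
    awk '!/^#/ && NF >= 2 { print $2 }' "$1"
    awk '!/^#/ && NF >= 2 { split($2, p, ":")
          if (p[2] != "" && index(p[2], ".") == 0) print p[2] }' "$2"
}
# Report SOURCE/DEST qualifiers in the rules file ($1) that are neither a
# variable ($NAME), an address (contains a dot) nor listed in the known file ($2).
check_rules() {
    awk 'NR == FNR { ok[$1] = 1; next }          # first file: known interfaces
         /^#/ || !NF { next }                    # skip comments and blank lines
         { for (col = 2; col <= 3; col++) {      # columns 2 and 3: SOURCE, DEST
               if (split($col, z, ":") < 2) continue   # bare zone, nothing to check
               q = z[2]
               if (substr(q, 1, 1) == "$" || index(q, ".") || (q in ok)) continue
               printf "line %d: %s: \"%s\" is not a known interface (missing $?)\n", FNR, $col, q
           } }' "$2" "$1"
}
# Build the known list once, then lint the rules file; prints one line per finding.
lint_demo() {
    known_interfaces "$WORK/interfaces" "$WORK/hosts" > "$WORK/known"
    check_rules "$WORK/rules" "$WORK/known"
}
lint_demo
```

Only the `net:SERVER` line is reported; `net:$SERVER`, the bridge port `loc:eth1` and the address `net:10.0.0.5` pass.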