I have a tcrules definition as follows:

    1 $FW 0.0.0.0/0 all - -

when I run this, shorewall fails - the debug error is:

    + iptables -t mangle -A tcfor -s 0.0.0.0/0 -d fw -j MARK --set-mark 1
    iptables v1.2.5: host/network `fw' not found

The help text at the top of tcrules says to use the $FW variable, so what am I missing?

-Chris
--On Tuesday, March 11, 2003 06:22:45 PM -0800 Chris Petersen <lists@forevermore.net> wrote:

> I have a tcrules definition as follows:
>
> 1 $FW 0.0.0.0/0 all - -
>
> when I run this, shorewall fails - the debug error is:
>
> + iptables -t mangle -A tcfor -s 0.0.0.0/0 -d fw -j MARK --set-mark 1
> iptables v1.2.5: host/network `fw' not found
>
> The help text at the top of tcrules says to use the $FW variable, so
> what am I missing?
>

More importantly, what Shorewall version are you running? I can't reproduce the problem using 1.4.0-RC3 and I haven't changed any of that code in months...

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ teastep@shorewall.net
--On Tuesday, March 11, 2003 06:33:33 PM -0800 Tom Eastep <teastep@shorewall.net> wrote:

>
> More importantly, what Shorewall version are you running? I can't
> reproduce the problem using 1.4.0-RC3 and I haven't changed any of that
> code in months...
>

Also, what shell do you have in /bin/sh?

-Tom
> > I have a tcrules definition as follows:
> >
> > 1 $FW 0.0.0.0/0 all - -
> >
> > when I run this, shorewall fails - the debug error is:
> >
> > + iptables -t mangle -A tcfor -s 0.0.0.0/0 -d fw -j MARK --set-mark 1
> > iptables v1.2.5: host/network `fw' not found
> >
> > The help text at the top of tcrules says to use the $FW variable, so
> > what am I missing?
> More importantly, what Shorewall version are you running? I can't reproduce
> the problem using 1.4.0-RC3 and I haven't changed any of that code in
> months...

/bin/sh == /bin/bash
shorewall version = 1.3.12

though if you'll notice, the $FW is getting interpreted just fine by the shell. It also works fine for all of my other rules (/etc/shorewall/rules, mostly)

Perhaps I'll just upgrade to 1.4 and see how that goes - I was going to wait for the final release, but I guess I can upgrade a week or so early.

-Chris
--On Tuesday, March 11, 2003 11:26:31 PM -0800 Chris Petersen <lists@forevermore.net> wrote:

>
> /bin/sh == /bin/bash
> shorewall version = 1.3.12
>
> though if you'll notice, the $FW is getting interpreted just fine by the
> shell. It also works fine for all of my other rules
> (/etc/shorewall/rules, mostly)
>
>
> Perhaps I'll just upgrade to 1.4 and see how that goes - I was going to
> wait for the final release, but I guess I can upgrade a week or so
> early.

I can't can't how that is going to make any difference. Here is the code:

    add_a_tc_rule() {
        r=
        chain=$marking_chain

        if [ "x$source" != "x-" ]; then
            case $source in
                *.*.*)
                    r="-s $source "
                    ;;
                ~*)
                    r=`mac_match $source`
                    ;;
                $FW)
                    chain=tcout
                    ;;
                *)
                    if ! list_search $source $all_interfaces; then
                        fatal_error "Error: Unknown interface $source"
                    fi
                    r="-i $source "
                    ;;
            esac
        fi

        [ "x$dest" = "x-" ]  || r="${r}-d $dest "
        [ "$proto" = "all" ] || r="${r}-p $proto "
        [ "x$port" = "x-" ]  || r="${r}--dport $port "
        [ "x$sport" = "x-" ] || r="${r}--sport $sport "

        run_iptables2 -t mangle -A $chain $r -j MARK --set-mark $mark
    }

That code is the same in 1.3.12 and 1.4.0. According to your debugging info, the iptables command at the end is:

    iptables -t mangle -A tcfor -s 0.0.0.0/0 -d fw -j MARK --set-mark 1

That means that:

    chain  = tcfor
    source = 0.0.0.0/0
    dest   = fw ($FW)

From that information, I would have said that the rule you have coded would be:

    1 0.0.0.0/0 $FW all

Yet you claim that the rule is:

    1 $FW 0.0.0.0/0 all

?????????

-Tom
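Tom's function above, recast as an added example (not Shorewall's own code and not posted by anyone in this thread): the tcrules columns are passed as arguments, and run_iptables2, list_search, mac_match and fatal_error are replaced by assumed stand-ins that print instead of execute, so you can confirm which chain and which -s/-d options each column order produces without root or iptables.

```shell
#!/bin/sh
# Added example, not Shorewall's code: a stand-alone copy of the quoted
# add_a_tc_rule() logic that takes the tcrules columns as arguments and
# prints the iptables command instead of running it, so the column-to-
# command mapping Tom walks through can be checked without root or iptables.

FW=fw                       # assumed: Shorewall sets $FW to the firewall zone name
all_interfaces="eth0 eth1"  # constructed list of known interfaces
marking_chain=tcfor

# Assumed stand-ins for the helpers the quoted function calls.
list_search() { item=$1; shift; for i in "$@"; do [ "$i" = "$item" ] && return 0; done; return 1; }
mac_match() { echo "-m mac --mac-source $(echo "$1" | sed 's/^~//; s/-/:/g') "; }
fatal_error() { echo "$*" >&2; return 1; }
run_iptables2() { echo "iptables $*"; }   # print instead of execute

# Arguments are the tcrules columns: MARK SOURCE DEST PROTO PORT SPORT
tc_rule_command() {
    mark=$1 source=$2 dest=$3 proto=$4 port=$5 sport=$6
    r=
    chain=$marking_chain
    if [ "x$source" != "x-" ]; then
        case $source in
            *.*.*) r="-s $source " ;;          # IP address or network
            ~*)    r=`mac_match $source` ;;    # MAC address
            $FW)   chain=tcout ;;              # the firewall itself: tcout chain, no -s
            *)     list_search $source $all_interfaces ||
                       { fatal_error "Error: Unknown interface $source"; return 1; }
                   r="-i $source " ;;
        esac
    fi
    [ "x$dest" = "x-" ]  || r="${r}-d $dest "
    [ "$proto" = "all" ] || r="${r}-p $proto "
    [ "x$port" = "x-" ]  || r="${r}--dport $port "
    [ "x$sport" = "x-" ] || r="${r}--sport $sport "
    run_iptables2 -t mangle -A $chain $r -j MARK --set-mark $mark
}

# The two column orders from the thread. $FW as SOURCE selects tcout and
# emits no -s; $FW as DEST yields the failing "-A tcfor ... -d fw" command.
tc_rule_command 1 $FW 0.0.0.0/0 all - -
tc_rule_command 1 0.0.0.0/0 $FW all - -
```

Because the rule file is evaluated by the shell, $FW on the command line expands to the zone name exactly as it does inside /etc/shorewall/tcrules.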
--On Wednesday, March 12, 2003 06:26:37 AM -0800 Tom Eastep <teastep@shorewall.net> wrote:

>
> I can't can't how that is going to make any difference. Here is the code:
>

Hmmm - and I can't type this morning either... s/b "I can't see how..."

-Tom