Hi there,
Shorewall 1.4.6b will emit an error message if you configure static NAT entries (in the "nat" file) on an interface that has IPv6 addresses assigned.
Here's the error message from "shorewall restart":
[...]
Activating Rules...
Adding IP Addresses...
/usr/share/shorewall/firewall: line 244: 0 | fe80::20d:48ff:fe17:58 : syntax
error in expression (error token is "::20d:48ff:fe17:58 ")
/usr/share/shorewall/firewall: line 360: & -4294967296 : syntax error:
operand expected (error token is "& -4294967296 ")
IP Address 10.101.173.164 added to interface eth0
Here's "ip addr show dev eth0":
4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:10:f3:02:cc:be brd ff:ff:ff:ff:ff:ff
inet 10.101.162.218/30 brd 219.101.162.219 scope global eth0
inet 10.101.173.164/32 scope global eth0
inet6 fe80::20d:48ff:fe17:58/64 scope link
The "nat" file entry looks like:
#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL
10.101.173.164 eth0 192.168.1.11 Yes Yes
The problem is that in the "firewall" script, there are several instances of "ip addr show $interface | grep inet", which incorrectly matches IPv6 addresses in addition to any IPv4 addresses.
There are a couple of ways to restrict the match to just IPv4:
1. Add a "-w" argument (whole word match) to grep, i.e.,
ip addr show $interface | grep -w inet ...
~~
2. Use the "-f inet" (protocol family) argument whenever you call "ip addr":
ip -f inet addr show $interface ...
~~~~~~~
Either modification will eliminate the syntax error message.
--eric
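The substring match described above, reproduced as an added example (this is not Eric's patch nor Shorewall's own script). The "ip addr show" output is a constructed copy of the interface listing from the mail, the function names are hypothetical, and "live_ipv4_addrs" is the only function that needs a real "ip" binary, so it is defined but not called here:

```shell
#!/bin/sh
# Constructed sample of "ip addr show dev eth0", built from the values in
# the mail: two IPv4 addresses and one IPv6 link-local address.
SAMPLE_IP_ADDR='4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:10:f3:02:cc:be brd ff:ff:ff:ff:ff:ff
    inet 10.101.162.218/30 brd 219.101.162.219 scope global eth0
    inet 10.101.173.164/32 scope global eth0
    inet6 fe80::20d:48ff:fe17:58/64 scope link'

# Hypothetical helper mirroring the script's original filter: "inet" is a
# substring of "inet6", so the IPv6 line comes through as well, and the
# address later reaches shell arithmetic that only understands dotted quads.
buggy_addrs() {
    printf '%s\n' "$SAMPLE_IP_ADDR" | grep inet | awk '{print $2}' | cut -d/ -f1
}

# Fix 1 from the mail: whole-word match, so "inet6" no longer matches.
fixed_addrs_w() {
    printf '%s\n' "$SAMPLE_IP_ADDR" | grep -w inet | awk '{print $2}' | cut -d/ -f1
}

# Fix 2 from the mail, for a live interface: ask "ip" for the inet family
# only. The awk test on $1 is an extra exact-field check on top of -f inet.
# Hypothetical helper; needs a real "ip" binary and interface, so it is not
# invoked in this file.
live_ipv4_addrs() {
    ip -f inet addr show "$1" | awk '$1 == "inet" {print $2}' | cut -d/ -f1
}

# Reject anything that is not a dotted quad before it is used in
# arithmetic: a cheap guard that would have turned the cryptic
# "syntax error in expression" into a clear skip.
is_dotted_quad() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    [ "$(printf '%s\n' "$1" | tr '.' '\n' | wc -l | tr -d ' ')" = "4" ]
}

# Demonstration when run directly.
echo "with 'grep inet' (buggy):"
buggy_addrs
echo "with 'grep -w inet' (fixed):"
fixed_addrs_w
```

Running the file prints three addresses under the buggy filter and two under the fixed one; the IPv6 address is what the firewall script was trying to feed into its "|" and "&" netmask arithmetic.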