Eric E. Bowles
2003-Nov-05 22:11 UTC
[Shorewall-users] Bug? wildcard interfaces not accepted in fwd chain
Hi,

[Summary]
There seems to be a bug when using the "+" wildcard notation in the interfaces file, in that rules are not generated in the fwd chain to permit traffic going out an interface with a "+" in it.

[Details]
The interface entries:

    loc    tun0    detect    routeback,newnotsyn
    loc    tun1    detect    routeback,newnotsyn
    loc    tun2    detect    routeback,newnotsyn

and

    loc    tun+    detect    routeback,newnotsyn

do not seem to be equivalent because the latter won't create a rule in the "tun_fwd" chain allowing traffic between different tun interfaces. Explicitly specifying each tun interface (as in the former example) will cause ACCEPT rules to be generated:

    Chain tun0_fwd (1 references)
     pkts bytes target     prot opt in     out     source               destination
    ...
        0     0 ACCEPT     all  --  *      tun0    0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     all  --  *      tun1    0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     all  --  *      tun3    0.0.0.0/0            0.0.0.0/0
    ...

However, using the tun+ notation (as in the latter example) will not generate any ACCEPT rules, despite the "routeback" option. Furthermore, even if I add a policy of "loc loc ACCEPT", no rule will be generated that permits traffic among tun+ interfaces.

This is the behavior as seen in Shorewall 1.4.6b, 1.4.7, 1.4.8. Now with an older Shorewall 1.3.11, I do get the expected results (at least when the "loc loc ACCEPT" policy is in place):

    Chain tun_fwd (1 references)
     pkts bytes target     prot opt in     out     source               destination
    ...
    1417K  133M loc2loc    all  --  *      tun+    0.0.0.0/0            0.0.0.0/0
    ...

--eric
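As an added check (not part of the original post and not Shorewall's own code), the script below parses `iptables -nvL` chain listings like the ones quoted above and reports which outbound interfaces have no accepting rule, honouring the iptables `+` prefix wildcard. The sample listings are constructed from the report; the `all2all` policy-chain jump in the "broken" listing is an assumption, as is treating `loc2loc` as an accepting target.

```python
"""Verify that a Shorewall *_fwd chain covers a set of outbound interfaces.

Input is the text of `iptables -nvL <chain>`; output is the list of
interfaces for which no rule with an accepting target matches the
`out` column.  Useful for confirming that a `tun+` wildcard entry
really produced the expected forward rule.
"""
import re

# Targets that permit forwarding.  ACCEPT is iptables' own; loc2loc is the
# Shorewall zone-to-zone chain seen in the 1.3.11 listing (assumption: the
# loc->loc policy is ACCEPT, so a jump there counts as coverage).
ACCEPTING_TARGETS = {"ACCEPT", "loc2loc"}
COUNTER = re.compile(r"\d+[KMG]?")  # pkts/bytes columns, e.g. "0", "1417K"


def parse_chain(listing):
    """Return [(target, in_iface, out_iface)] for each rule line."""
    rules = []
    for line in listing.splitlines():
        parts = line.split()
        # Rule lines: pkts bytes target prot opt in out source destination
        if len(parts) < 9 or not (COUNTER.fullmatch(parts[0]) and COUNTER.fullmatch(parts[1])):
            continue  # skip "Chain ..." header, column header and "..." filler
        rules.append((parts[2], parts[5], parts[6]))
    return rules


def iface_matches(pattern, iface):
    """iptables interface semantics: '*' = any, trailing '+' = prefix wildcard."""
    if pattern == "*":
        return True
    if pattern.endswith("+"):
        return iface.startswith(pattern[:-1])
    return iface == pattern


def uncovered_interfaces(listing, interfaces):
    """Interfaces with no accepting rule whose `out` column matches them."""
    rules = parse_chain(listing)
    return [i for i in interfaces
            if not any(t in ACCEPTING_TARGETS and iface_matches(out, i)
                       for t, _in, out in rules)]


# Constructed sample listings (layout copied from the report, counters hypothetical).
TUN0_FWD_EXPLICIT = """Chain tun0_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      tun0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      tun1    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      tun3    0.0.0.0/0            0.0.0.0/0
"""
TUN_FWD_1311 = """Chain tun_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
1417K  133M loc2loc    all  --  *      tun+    0.0.0.0/0            0.0.0.0/0
"""
TUN_FWD_BROKEN = """Chain tun_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""
```

Run it against `iptables -nvL tun_fwd` output on a 1.4.x host to see every tun interface reported as uncovered, which is the symptom described in the report.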