Wildcard lines in the interfaces file appear incompatible with the routefilter option:

    afl eth2.+ detect dhcp,routefilter

Gives this in the compiled script:

    if [ -f /proc/sys/net/ipv4/conf/eth2.+/rp_filter ]; then
        echo 1 > /proc/sys/net/ipv4/conf/eth2.+/rp_filter
    else

Which will fail, obviously.

Also, the behaviour of the ROUTE_FILTER option is decidedly strange: setting ROUTE_FILTER to 'yes' disables rp_filter on all interfaces that don't have the routefilter option set in the interfaces file. This is particularly annoying when combined with the above problem.

And I'm pretty sure that this is wrong:

    for f in /proc/sys/net/ipv4/conf/*; do
        [ -f \$f/log_martians ] && echo 0 > \$f/rp_filter
    done

That should probably say 'rp_filter' and not 'log_martians'.

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
Andrew Suffield wrote:
> Wildcard lines in the interfaces file appear incompatible with the
> routefilter option:
>
>     afl eth2.+ detect dhcp,routefilter
>
> Gives this in the compiled script:
>
>     if [ -f /proc/sys/net/ipv4/conf/eth2.+/rp_filter ]; then
>         echo 1 > /proc/sys/net/ipv4/conf/eth2.+/rp_filter
>     else
>
> Which will fail, obviously.

Yes -- I keep meaning to find the time to update the documentation to point out that this isn't intended to be supported.

> Also, the behaviour of the ROUTE_FILTER option is decidedly strange:
> setting ROUTE_FILTER to 'yes' disables rp_filter on all interfaces
> that don't have the routefilter option set in the interfaces
> file. This is particularly annoying when combined with the above
> problem.
>
> And I'm pretty sure that this is wrong:
>
>     for f in /proc/sys/net/ipv4/conf/*; do
>         [ -f \$f/log_martians ] && echo 0 > \$f/rp_filter
>     done
>
> That should probably say 'rp_filter' and not 'log_martians'.

While it should say 'rp_filter', that isn't the problem (in fact, changing 'log_martians' to 'rp_filter' won't change the behavior at all, since if 'log_martians' exists, so does 'rp_filter'). Where I believe the real problem lies is that the loop you quote shouldn't be executed if ROUTE_FILTER=Yes. See if the attached patch helps. It is against 3.9 Shorewall_shell but applies cleanly to the current 3.4 thread and with offset to the 3.2 thread.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
>
> Index: compiler
> ==================================================================
> --- compiler (revision 5958)
> +++ compiler (working copy)
> @@ -3715,13 +3715,16 @@
>
>  save_progress_message "Setting up Route Filtering..."
>
> - indent >&3 << __EOF__
> + if [ -z "$ROUTE_FILTER" ]; THEN

Clearly, 'THEN' s/b 'then'

-Tom
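Review bot: `THEN` in `+ if [ -z "$ROUTE_FILTER" ]; THEN` is not a shell keyword, so the generated script will not parse until it reads `then` (as the follow-up above already notes). A second point on the same line: `-z "$ROUTE_FILTER"` guards the block on the variable being empty, whereas the stated intent is that the disable-all loop must not run when ROUTE_FILTER=Yes; unless the config reader maps a No setting to an empty string, a literal ROUTE_FILTER=No would skip the block as well, which may or may not be what is wanted. The hunk header promises 13 lines replaced by 16, but the copy quoted here stops after the first `+` line, so the matching `else`/`fi` and the moved heredoc cannot be checked.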
On Tue, Apr 17, 2007 at 07:33:17AM -0700, Tom Eastep wrote:
> Andrew Suffield wrote:
> > Wildcard lines in the interfaces file appear incompatible with the
> > routefilter option:
> >
> >     afl eth2.+ detect dhcp,routefilter
> >
> > Gives this in the compiled script:
> >
> >     if [ -f /proc/sys/net/ipv4/conf/eth2.+/rp_filter ]; then
> >         echo 1 > /proc/sys/net/ipv4/conf/eth2.+/rp_filter
> >     else
> >
> > Which will fail, obviously.
>
> Yes -- I keep meaning to find the time to update the documentation to point
> out that this isn't intended to be supported.

Then I suggest it would be a better use of your time to make the compiler reject it - that way, everybody who tries it will quickly find out. I didn't even notice the warning message for ages.

> Where I believe the real problem lies is that the loop you quote shouldn't be
> executed if ROUTE_FILTER=Yes. See if the attached patch helps.

That would make sense. I'll test it the next chance I get.

I can see a related problem in any case where routefilter is used somewhere - since it disables routefilter on *every* interface, but then enables it on only those listed in the interfaces file, you're still screwed if you have a wildcard line (shorewall will always turn rp_filter off on those interfaces and you can't stop it).

My solution has been to stop using routefilter entirely, and set rp_filter myself; it doesn't seem to fit shorewall's configuration model very well, probably because it's a routing thing and not a netfilter thing. There's no particular reason to expect that the set of non-wildcard things in the interfaces file will correspond to the places where you want rp_filter set.
Andrew Suffield wrote:
> On Tue, Apr 17, 2007 at 07:33:17AM -0700, Tom Eastep wrote:
>> Andrew Suffield wrote:
>>> Wildcard lines in the interfaces file appear incompatible with the
>>> routefilter option:
>>>
>>>     afl eth2.+ detect dhcp,routefilter
>>>
>>> Gives this in the compiled script:
>>>
>>>     if [ -f /proc/sys/net/ipv4/conf/eth2.+/rp_filter ]; then
>>>         echo 1 > /proc/sys/net/ipv4/conf/eth2.+/rp_filter
>>>     else
>>>
>>> Which will fail, obviously.
>> Yes -- I keep meaning to find the time to update the documentation to point
>> out that this isn't intended to be supported.
>
> Then I suggest it would be a better use of your time to make the
> compiler reject it - that way, everybody who tries it will quickly
> find out. I didn't even notice the warning message for ages.

I've made it an error in the Shorewall-perl compiler. As an aside, warnings are a lot easier to notice with VERBOSITY=0 in shorewall.conf.

>> Where I believe the real problem lies is that the loop you quote shouldn't be
>> executed if ROUTE_FILTER=Yes. See if the attached patch helps.
>
> That would make sense. I'll test it the next chance I get.
>
> I can see a related problem in any case where routefilter is used
> somewhere - since it disables routefilter on *every* interface, but
> then enables it on only those listed in the interfaces file, you're
> still screwed if you have a wildcard line (shorewall will always turn
> rp_filter off on those interfaces and you can't stop it).

In Shorewall-perl 3.9.3, I've made all of these options work somewhat differently.

a) You can specify the value you want (0 or 1; 1 is assumed if no value given)
b) Only the settings of the interfaces that you specify an option for get that option's value changed.

I think that will do more or less what you want (except for the wildcard thing).
-Tom
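The semantics Tom describes for 3.9.3 (a per-interface value of 0 or 1, 1 by default; only interfaces that carry the option are touched) and the wildcard case Andrew ran into are both straightforward in plain shell once the wildcard is expanded against the live sysctl tree instead of being pasted into the /proc path. The script below is an added example written for this page; it is neither Shorewall's compiler output nor Andrew's own replacement script. `SYSCTL_CONF_DIR` is an assumed knob that defaults to the real path so the logic can be exercised against a constructed directory tree without root, and `iface_glob`, `get_rp_filter` and `set_rp_filter` are names chosen here.

```shell
#!/bin/sh
# Added example (not Shorewall code): set rp_filter per interface, expanding a
# Shorewall/iptables-style trailing '+' wildcard against the sysctl tree instead
# of writing it into the /proc path literally.
#
# SYSCTL_CONF_DIR is an assumed knob for this example: it defaults to the real
# path, and a test can point it at a constructed directory tree.
SYSCTL_CONF_DIR="${SYSCTL_CONF_DIR:-/proc/sys/net/ipv4/conf}"

# iface_glob SPEC: translate an interface spec into a shell glob.
# A trailing '+' (iptables wildcard) means "this prefix followed by anything",
# so 'eth2.+' becomes 'eth2.*'; a plain name is returned unchanged.
iface_glob() {
    case "$1" in
        *+) printf '%s*\n' "${1%+}" ;;
        *)  printf '%s\n' "$1" ;;
    esac
}

# get_rp_filter IFACE: print the current rp_filter value of one interface.
get_rp_filter() {
    cat "$SYSCTL_CONF_DIR/$1/rp_filter"
}

# set_rp_filter SPEC [VALUE]: write VALUE (0 or 1, default 1) to rp_filter on
# every interface matching SPEC. Interfaces not matched are left untouched, so
# there is no "disable everywhere, then re-enable the listed ones" pass that a
# wildcard line could fall through. Returns 0 if at least one interface was
# written, 1 if nothing matched, 2 on a bad VALUE.
set_rp_filter() {
    spec=$1
    value=${2:-1}
    case "$value" in
        0|1) ;;
        *) echo "set_rp_filter: bad rp_filter value '$value' for $spec" >&2; return 2 ;;
    esac
    glob=$(iface_glob "$spec")
    matched=1
    # $glob is deliberately unquoted so pathname expansion happens here,
    # against the real directory, at run time.
    for dir in "$SYSCTL_CONF_DIR"/$glob; do
        # An unmatched glob is left as the literal pattern; this test skips it.
        [ -f "$dir/rp_filter" ] || continue
        echo "$value" > "$dir/rp_filter" || return 1
        matched=0
    done
    [ "$matched" -eq 0 ] || echo "set_rp_filter: no interface matches $spec" >&2
    return "$matched"
}
```

Run as root against the default directory, `set_rp_filter 'eth2.+' 1` writes every `eth2.*` entry that exists at that moment and nothing else, which is the behaviour the thread wanted from a wildcard line. Interfaces that come up later (DHCP, hotplug) are not seen by a one-shot run, so a hook at interface-up time is still needed for those; that limitation is inherent to any script that runs once at firewall start.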