With Shorewall6 4.2.8 I got:

    Compiling /etc/shorewall6/gw/routestopped for critical hosts...
    ERROR: Invalid IPv6 Address (loc:2001:4978:...) : /etc/shorewall6/gw/routestopped (line 14)

which is because I have:

    #INTERFACE HOST(S) OPTIONS
    br-lan $PC

in my routestopped file and $PC is defined as loc:2001:4978:... in my
params file, for the convenience of writing rules, which want hosts to
be in zones.

Would it be bad to allow the routestopped file to accept a zoned IP address
so that I don't have to either have two definitions, or prefix my hosts
with zones in my rules file?

b.

Brian J. Murrell wrote:
> With Shorewall6 4.2.8 I got:
>
>     Compiling /etc/shorewall6/gw/routestopped for critical hosts...
>     ERROR: Invalid IPv6 Address (loc:2001:4978:...) : /etc/shorewall6/gw/routestopped (line 14)
>
> which is because I have:
>
>     #INTERFACE HOST(S) OPTIONS
>     br-lan $PC
>
> in my routestopped file and $PC is defined as loc:2001:4978:... in my
> params file, for the convenience of writing rules, which want hosts to
> be in zones.
>
> Would it be bad to allow the routestopped file to accept a zoned IP address
> so that I don't have to either have two definitions, or prefix my hosts
> with zones in my rules file?

Zone definition can be arbitrarily complex, including combinations of
interfaces, networks, IPSEC and ipsets.

Instantiating the routestopped file rules must be as foolproof as
absolutely possible because 'shorewall stop' is implicitly performed
when things go wrong during 'start' or 'restart'.

So I continue to believe that it would be foolish to attempt to support
zone names in the routestopped file.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

On Sat, 2009-05-16 at 11:58 -0700, Tom Eastep wrote:
>
> Zone definition can be arbitrarily complex, including combinations of
> interfaces, networks, IPSEC and ipsets.

Maybe I have nomenclature wrong or am underestimating something. By
zone I mean the "loc:" part in:

    loc:2001:4978:...

> Instantiating the routestopped file rules must be as foolproof as
> absolutely possible because 'shorewall stop' is implicitly performed
> when things go wrong during 'start' or 'restart'.

Agreed.

> So I continue to believe that it would be foolish to attempt to support
> zone names in the routestopped file.

Even in so much as in to simply drop the zone specification (i.e.
s/[^:]*://) and just proceed with the address that's left? The
routestopped file does already include the interface the
address should be in, so isn't the zone moot in this instance?

Anyway, it's not a biggie if it really is too complicated and my simple
setup here is simply shielding me from how complicated it can be. Just
thought I would throw it out there.

b.

Brian J. Murrell wrote:
> On Sat, 2009-05-16 at 11:58 -0700, Tom Eastep wrote:
>> Zone definition can be arbitrarily complex, including combinations of
>> interfaces, networks, IPSEC and ipsets.
>
> Maybe I have nomenclature wrong or am underestimating something. By
> zone I mean the "loc:" part in:
>
>     loc:2001:4978:...
>
>> Instantiating the routestopped file rules must be as foolproof as
>> absolutely possible because 'shorewall stop' is implicitly performed
>> when things go wrong during 'start' or 'restart'.
>
> Agreed.
>
>> So I continue to believe that it would be foolish to attempt to support
>> zone names in the routestopped file.
>
> Even in so much as in to simply drop the zone specification (i.e.
> s/[^:]*://) and just proceed with the address that's left? The
> routestopped file does already include the interface the
> address should be in, so isn't the zone moot in this instance?
>
> Anyway, it's not a biggie if it really is too complicated and my simple
> setup here is simply shielding me from how complicated it can be. Just
> thought I would throw it out there.

I rather suggest that you have

    PCH=2001:4978:...

and

    PC=loc:$PCH

Then you can put $PCH in the routestopped file.

-Tom
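
A pre-compile check for the mistake discussed in this thread, as an added example that is not part of the original messages and not Shorewall code: it reports routestopped HOST(S) entries that still carry a zone prefix after a leading `$NAME` from params is expanded. The names `zoned_hosts` and `demo`, the explicit list of zone names passed as arguments, and the documentation address 2001:db8::10 are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not Shorewall code. Function names and sample data are hypothetical.

# zoned_hosts PARAMS ROUTESTOPPED ZONE...
# Prints "line N: ENTRY" for every HOST(S) entry that begins with one of the
# given zone names once a leading $NAME from PARAMS is expanded; exits 1 if any.
zoned_hosts() (
    set -f                      # no globbing while splitting host lists
    . "$1"                      # params is a shell fragment of NAME=value lines
    stopped=$2; shift 2
    zones=" $* "
    n=0 bad=0
    while read -r iface hosts rest; do
        n=$((n + 1))
        case $iface in ''|'#'*) continue ;; esac
        case $hosts in
            '$'*)
                name=${hosts#?}
                # Expand only a plain variable name; anything else is left as is.
                case $name in
                    ''|[0-9]*|*[!A-Za-z0-9_]*) ;;
                    *) eval "hosts=\${$name}" ;;
                esac ;;
        esac
        old_ifs=$IFS; IFS=,
        for h in $hosts; do
            prefix=${h%%:*}
            # Skip entries with no colon and addresses that start with "::".
            [ -n "$prefix" ] && [ "$prefix" != "$h" ] || continue
            case $zones in *" $prefix "*) echo "line $n: $h"; bad=1 ;; esac
        done
        IFS=$old_ifs
    done < "$stopped"
    exit "$bad"
)

# Constructed sample mirroring the thread: $PC is zoned, $PCH is the bare address.
demo() {
    d=$(mktemp -d)
    printf 'PCH=2001:db8::10\nPC=loc:$PCH\n' > "$d/params"
    printf '#INTERFACE HOST(S) OPTIONS\nbr-lan $PC\nbr-lan $PCH\n' > "$d/routestopped"
    zoned_hosts "$d/params" "$d/routestopped" loc net && rc=0 || rc=$?
    rm -rf "$d"
    return "$rc"
}
```

Running `demo` flags only the `$PC` line; the `$PCH` line passes because the bare address has no zone prefix.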