I use shorewall-lite on my remote gateway, controlled by shorewall on my local gateway. Sometimes I need to configure a rule which requires knowledge of an IP of an interface on the remote machine.

"/sbin/shorewall-lite call find_first_interface_address <interface>" comes in handy for this and I can even put it into a params variable to give me something I can use in a rule:

    C_IF_IP=$(ssh gw "/sbin/shorewall-lite call find_first_interface_address eth0.1")

This has side effects however. The above command will be called on both the local (i.e. shorewall) machine and the remote (shorewall-lite) machine. Issuing an ssh command on the remote machine is an error. I could probably do something deterministic like:

    C_IF_IP=$(if <running on remote machine>; then
                  /sbin/shorewall-lite call find_first_interface_address <interface>
              else
                  ssh gw "/sbin/shorewall-lite call find_first_interface_address <interface>"
              fi)

Of course, for every person who has to do this sort of thing, that's a person who will potentially fall into the trap of not knowing they need to conditionalize such a construct as above.

I wonder if there could/should be a generic function in the framework that one can call to get the value of something (i.e. like "find_first_interface_address", or other things) that will understand the context it is being called in and do the right thing with regard to either running locally or remotely.

Of course, it's entirely possible that there is a much better way of trying to get an interface's address on a remote machine for building rules with. :-)

Thoughts?

b.

------------------------------------------------------------------------------
Centralized Desktop Delivery: Dell and VMware Reference Architecture
Simplifying enterprise desktop deployment and management using Dell EqualLogic storage and VMware View: A highly scalable, end-to-end client virtualization framework. Read more!
http://p.sf.net/sfu/dell-eql-dev2dev
On Mon, 2010-11-15 at 07:36 -0500, Brian J. Murrell wrote:

> I could probably do something deterministic like:
>
>     C_IF_IP=$(if <running on remote machine>; then
>                   /sbin/shorewall-lite call find_first_interface_address <interface>
>               else
>                   ssh gw "/sbin/shorewall-lite call find_first_interface_address <interface>"
>               fi)

FWIW, in practise the following in params works:

    on_remote() {
        if [ -f /etc/shorewall-lite/vardir ]; then
            bash -c "$@"
        else
            ssh gw "$@"
        fi
    }

    C_IF_IP=$(on_remote "/sbin/shorewall-lite call find_first_interface_address eth0.1")

It would be nice to see that included generically in the shorewall framework I think.

b.
On 11/15/10 4:36 AM, Brian J. Murrell wrote:

> I use shorewall-lite on my remote gateway, controlled by shorewall on my
> local gateway. Sometimes I need to configure a rule which requires
> knowledge of an IP of an interface on the remote machine.
>
> "/sbin/shorewall-lite call find_first_interface_address <interface>"
> comes in handy for this and I can even put it into a params variable to
> give me something I can use in a rule:
>
>     C_IF_IP=$(ssh gw "/sbin/shorewall-lite call find_first_interface_address eth0.1")
>
> This has side effects however. The above command will be called on both
> the local (i.e. shorewall) machine and the remote (shorewall-lite)
> machine.

Only if you set EXPORT_PARAMS=Yes in shorewall.conf. If you set EXPORT_PARAMS=No, then you won't have this issue at all.

> Of course, it's entirely possible that there is a much better way of
> trying to get an interface's address on a remote machine for building
> rules with. :-)

You are using the documented method.

--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On 11/15/10 4:41 AM, Brian J. Murrell wrote:

> On Mon, 2010-11-15 at 07:36 -0500, Brian J. Murrell wrote:
>>
>> I could probably do something deterministic like:
>>
>>     C_IF_IP=$(if <running on remote machine>; then
>>                   /sbin/shorewall-lite call find_first_interface_address <interface>
>>               else
>>                   ssh gw "/sbin/shorewall-lite call find_first_interface_address <interface>"
>>               fi)
>
> FWIW, in practise the following in params works:
>
>     on_remote() {
>         if [ -f /etc/shorewall-lite/vardir ]; then
>             bash -c "$@"

That's silly. A shell variable used in a configuration file is only evaluated at compile time, not at run-time.

-Tom

--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On Mon, 2010-11-15 at 07:14 -0800, Tom Eastep wrote:

> Only if you set EXPORT_PARAMS=Yes in shorewall.conf. If you set
> EXPORT_PARAMS=No, then you won't have this issue at all.

Yes, it seems so. If I set EXPORTPARAMS to No, it only does the evaluation on the remote system, so I can get rid of the function and always use the ssh command in the evaluation.

b.
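The two mechanics the thread turns on, as an added example that is neither Shorewall code nor code posted by Brian or Tom: a params helper that runs a command locally when the file is being evaluated on the shorewall-lite host (the marker path is the one Brian tests) and over ssh to the admin-side alias "gw" otherwise, plus a parser that pulls the first IPv4 address of an interface out of `ip -o -4 addr show` output, which is the value `find_first_interface_address` hands back. The function names (`on_lite_host`, `plan_remote`, `on_remote`, `first_ipv4_of`), the `REMOTE_MARKER`/`REMOTE_HOST` variables and the sample `ip` output are assumptions made for the example; nothing here contacts a real host or interface.

```shell
#!/bin/sh
# Added example for this thread; not Shorewall code and not the posters' code.
# With EXPORTPARAMS=Yes the params file is evaluated both on the admin host at
# compile time and on the shorewall-lite host, so a helper that shells out must
# know which side it is on before it decides to ssh.

# Marker that exists only on a shorewall-lite host (path used in the thread).
REMOTE_MARKER="${REMOTE_MARKER:-/etc/shorewall-lite/vardir}"
# ssh alias for the remote gateway as seen from the admin host (from the thread).
REMOTE_HOST="${REMOTE_HOST:-gw}"

# True when this file is being evaluated on the shorewall-lite host itself.
on_lite_host() {
    [ -f "$REMOTE_MARKER" ]
}

# Print the command that on_remote would run, without running it, so the
# decision can be inspected (and tested) without an ssh connection.
plan_remote() {
    if on_lite_host; then
        printf 'local: %s\n' "$1"
    else
        printf 'ssh %s %s\n' "$REMOTE_HOST" "$1"
    fi
}

# Run a single command string on the remote gateway, wherever we happen to be.
# Pass the whole command as ONE quoted argument; it is re-parsed by a shell.
on_remote() {
    if on_lite_host; then
        sh -c "$1"
    else
        ssh "$REMOTE_HOST" "$1"
    fi
}

# first_ipv4_of IFACE  (reads `ip -o -4 addr show` output on stdin)
# Prints the first IPv4 address on IFACE without its prefix length; exit 1 if
# the interface has none.  Field layout of -o output: "N: IFACE inet A/P ..."
first_ipv4_of() {
    awk -v ifc="$1" '
        $2 == ifc && $3 == "inet" { split($4, a, "/"); print a[1]; found = 1; exit }
        END { exit !found }'
}

# Constructed sample of `ip -o -4 addr show`; addresses are documentation ranges.
SAMPLE_IP_OUTPUT='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 203.0.113.5/29 brd 203.0.113.7 scope global eth0\       valid_lft forever preferred_lft forever
3: eth0.1    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0.1\       valid_lft forever preferred_lft forever
3: eth0.1    inet 192.0.2.11/24 brd 192.0.2.255 scope global secondary eth0.1\       valid_lft forever preferred_lft forever'

# Demo on the constructed input: what a params line like Brian's would yield.
C_IF_IP=$(printf '%s\n' "$SAMPLE_IP_OUTPUT" | first_ipv4_of eth0.1)
echo "C_IF_IP=$C_IF_IP"
plan_remote "/sbin/shorewall-lite call find_first_interface_address eth0.1"
```

On a real admin host the last line plans an ssh to "gw"; on the shorewall-lite host, where the marker file exists, it plans a local run. With EXPORTPARAMS=No, as the thread concludes, only the admin-side evaluation ever happens and the plain `ssh gw ...` form is enough; the helper is only needed when the params file is exported and re-evaluated on the lite host.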