Shorewall users - Jun 2012 - nat: ADD_IP_ALIASES documentation

Hello,

  The ''interfaces'' documentation for nat mentions the use of
ADD_IP_ALIASES in shorewall.conf.  It mentions:

"Interfaces that have the EXTERNAL address. If ADD_IP_ALIASES=Yes
in shorewall.conf(5), Shorewall will automatically add the
EXTERNAL address to this interface. Also if ADD_IP_ALIASES=Yes,
you may follow the interface name with ":" and a digit to
indicate that you want Shorewall to add the alias with this
name (e.g., "eth0:0")."

  Wouldn''t the use of '':'' followed by a digit be
needed when
ADD_IP_ALIASES=No instead ?  ADD_IP_ALIASES=Yes would
automatically add aliases for an interface name, so there is no
need to specify any, isn''t it ?

Further down it mentions:

"If you want to override ADD_IP_ALIASES=Yes for a particular
entry, follow the interface name with ":" and no
digit (e.g., "eth0:")."

Wouldn''t that be if you want to override ADD_IP_ALIASES=No
instead ?  In which case adding a '':'' followed by nothing to a
specific interface would add aliases to that interface only ?

The shorewall.conf documentation mentions the following about
ADD_IP_ALIASES:

"This parameter determines whether Shorewall automatically adds
the external address(es) in shorewall-nat(5). If the variable is
set to Yes or yes then Shorewall automatically adds these
aliases. If it is set to No or no, you must add these aliases
yourself using your distribution''s network configuration tools."

Could you please provide some clarification about the behaviour
of this options ?

Thanks, much appreciated.

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

On 06/01/2012 12:04 PM, Fred Maillou wrote:
> Hello,
>
> The ''interfaces'' documentation for nat mentions the use
of
> ADD_IP_ALIASES in shorewall.conf. It mentions:
>
> "Interfaces that have the EXTERNAL address. If ADD_IP_ALIASES=Yes
> in shorewall.conf(5), Shorewall will automatically add the
> EXTERNAL address to this interface. Also if ADD_IP_ALIASES=Yes,
> you may follow the interface name with ":" and a digit to
> indicate that you want Shorewall to add the alias with this
> name (e.g., "eth0:0")."
>
> Wouldn''t the use of '':'' followed by a digit be
needed when
> ADD_IP_ALIASES=No instead ? ADD_IP_ALIASES=Yes would
> automatically add aliases for an interface name, so there is no
> need to specify any, isn''t it ?
>
> Further down it mentions:
>
> "If you want to override ADD_IP_ALIASES=Yes for a particular
> entry, follow the interface name with ":" and no
> digit (e.g., "eth0:")."
>
> Wouldn''t that be if you want to override ADD_IP_ALIASES=No
> instead ? In which case adding a '':'' followed by nothing
to a
> specific interface would add aliases to that interface only ?
>
> The shorewall.conf documentation mentions the following about
> ADD_IP_ALIASES:
>
> "This parameter determines whether Shorewall automatically adds
> the external address(es) in shorewall-nat(5). If the variable is
> set to Yes or yes then Shorewall automatically adds these
> aliases. If it is set to No or no, you must add these aliases
> yourself using your distribution''s network configuration
tools."
>
> Could you please provide some clarification about the behaviour
> of this options ?
Most of this is explained in 
http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html.

There are two related concepts here: Addresses and Labels. An _address_ 
is just an additional (secondary) IP addresses on an interface. A 
_label_ is one of those silly things of the form
<interface>:<digit(s)>
that ifconfig thrust upon us and that the Debian ifup/ifdown system 
continues to burden us with.

When ADD_IP_ALIASES=Yes:

a) The _address_ in the EXTERNAL column is added to the interface in
    the INTERFACE column *unless* the interface is followed by a
    colon with no digit(s) after the colon (e.g., ''eth0:'').

b)  If the INTERFACE column contains a _label_, then the added address
     is given that label.

When ADD_IP_ALIASES=No, no addresses or labels are added regardless of 
the contents of the INTERFACE column.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

> There are two related concepts here: Addresses and Labels. An
> _address_ is just an additional (secondary) IP addresses on an
> interface. A _label_ is one of those silly things of the form
> <interface>:<digit(s)> that ifconfig thrust upon us and that
> the Debian ifup/ifdown system continues to burden us with.
Thanks for the details.  I mistook the use of
'':<number>'' when
''ADD_IP_ALIAS=No'' as some kind of override of the
''No'' condition
when actually no address is ever added when ''No'' is set.

Thanks.

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today''s security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/