In working through an IPv6/TPROXY issue I had, I believe I found a
documentation bug:
http://www.shorewall.net/manpages6/shorewall6-tcrules.html
In the ACTION section, for part 12. SAME:
The documentation lists:
#ACTION SOURCE DEST PROTO DEST
# PORT(S)
SAME:P 192.168.1.0/24 0.0.0.0/0 tcp 80,443
The problem is this is the shorewall6-tcrules page, and 192.168.1.0/24
and 0.0.0.0/0 are IPV4 addresses.
It''s pretty minor, but, it is something to update in the documentation.
Another issue, but it may be documented in a place I didn''t look:
In tcrules, I was trying to do the IPv6 equivalent of:
TPROXY(3129) eth2:!192.168.2.1 0.0.0.0/0 tcp 8
I discovered that:
TPROXY(3129) eth2:![2001:1931:313::1/64] tcp 8
generates an error when shorewall compiles the rules.
However, the following does work:
TPROXY(3129) eth2:[!2001:1931:313::1/64] tcp 8
Whether bad judgement on my part or otherwise, I would have expected
the former syntax (with the ! negation outside of [ip:v6:;ad/dr]) to be
the correct one.
The exclusion rules document
(http://www.shorewall.net/manpages6/shorewall6-exclusion.html) doesn''t
giive a single example of a negated IPv6 address. I believe it would be
helpful if one were added.
--
Troy Telford
------------------------------------------------------------------------------
Try New Relic Now & We''ll Send You this Cool Shirt
New Relic is the only SaaS-based application performance monitoring service
that delivers powerful full stack analytics. Optimize and monitor your
browser, app, & servers with just a few lines of code. Try New Relic
and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_apr
