thr3ads.net - Shorewall users - tcfilters with +ipset in DEST column [Jul 2014]

If this information is useful, please help other people find it:
Share via:

Alan Barrett

2014-Jul-22 10:11 UTC

tcfilters with +ipset in DEST column

I am trying to use an ipset in the DEST column in the tcfilters file,
like this:

#CLASS  SOURCE  DEST    PROTO   DPORT   SPORT   TOS     LENGTH  PRIO

2:100   0.0.0.0 +fast
2:200   0.0.0.0 +slow

where "fast" and "slow" are ipsets that contain IP addresses
that
should get special treatment.  However, I get errors like this:

Compiling /etc/shorewall/tcfilters...
IN===> 2:100    0.0.0.0 +fast
   ERROR: An ipset name (+fast) is not allowed in this context
/etc/shorewall/tcfilters (line 16) at /usr/share/shorewall/Shorewall/Config.pm
line 1348.
        Shorewall::Config::fatal_error('An ipset name (+fast) is not allowed
in this context') called at /usr/share/shorewall/Shorewall/IPAddrs.pm line
216
        Shorewall::IPAddrs::validate_4net('+fast', 0) called at
/usr/share/shorewall/Shorewall/IPAddrs.pm line 878
        Shorewall::IPAddrs::validate_net('+fast', 0) called at
/usr/share/shorewall/Shorewall/IPAddrs.pm line 302
        Shorewall::IPAddrs::decompose_net('+fast') called at
/usr/share/shorewall/Shorewall/Tc.pm line 2023
        Shorewall::Tc::process_tc_filter1('2:100', 0.0.0.0,
'+fast', '-', '-', '-', '-',
'-', '-', ...) called at /usr/share/shorewall/Shorewall/Tc.pm
line 2561
        Shorewall::Tc::process_tc_filter() called at
/usr/share/shorewall/Shorewall/Tc.pm line 2579
        Shorewall::Tc::process_tcfilters() called at
/usr/share/shorewall/Shorewall/Tc.pm line 2752
        Shorewall::Tc::process_traffic_shaping() called at
/usr/share/shorewall/Shorewall/Tc.pm line 3003
        Shorewall::Tc::process_tc() called at
/usr/share/shorewall/Shorewall/Compiler.pm line 774
        Shorewall::Compiler::compiler('script',
'/var/lib/shorewall/.restart', 'directory', '',
'verbosity', 1, 'timestamp', 0, 'debug', ...) called at
/usr/share/shorewall/compiler.pl line 152

--apb (Alan Barrett)

------------------------------------------------------------------------------
Want fast and easy access to all the code in your enterprise? Index and
search up to 200,000 lines of code with a free copy of Black Duck
Code Sight - the same software that powers the world's largest code
search on Ohloh, the Black Duck Open Hub! Try it now.
http://p.sf.net/sfu/bds

Shorewall users - Jul 2014 - tcfilters with +ipset in DEST column

tcfilters with +ipset in DEST column