On 11/9/10 2:05 PM, Can Bican wrote:
> My bad, the internal network is actually /12, not /20. I'm sending you
> the output of shorewall dump in a separate email.

There is a problem with the current code when a route matching an entire
RFC1918 subnet exists. The attached patch corrects the problem in
Shorewall 4.4.14 and applies with an offset to 4.4.6.

    patch /usr/share/shorewall/Shorewall/Providers < NULL_ROUTE.patch

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

diff --git a/Shorewall/Perl/Shorewall/Providers.pm
b/Shorewall/Perl/Shorewall/Providers.pm
index 7960cfe..9a0aec9 100644
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -648,8 +648,10 @@ sub add_an_rtrule( ) {
sub setup_null_routing() {
save_progress_message "Null Routing the RFC 1918 subnets";
for ( rfc1918_networks ) {
- emit( qq(run_ip route replace unreachable $_) );
- emit( qq(echo "qt \$IP -$family route del unreachable $_" >>
\${VARDIR}/undo_routing) );
+ emit( qq(if ! \$IP route ls | grep -q '^$_.* dev '; then),
+ qq( run_ip route replace unreachable $_),
+ qq( echo "qt \$IP -$family route del unreachable $_" >>
\${VARDIR}/undo_routing),
+ qq(fi\n) );
}
}
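
Review bot: In the added "if" test, $_ is interpolated into the grep pattern unescaped, so every "." in the network matches any character, and "\$IP route ls" is run without the -$family option that the undo line passes to "route del". Consider listing with "\$IP -$family route ls" and escaping the dots (or matching the network as a fixed string), and add a short comment above the emit() saying that null routing is skipped when a device route for the whole subnet already exists.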
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
