On 12/20/2017 10:20 AM, Tom Eastep wrote:
> On 12/20/2017 09:33 AM, Brian J. Murrell wrote:
>> Trying to use some of the techniques explained on:
>>
>> http://shorewall.net/configuration_file_basics.htm
>>
>> am I misunderstanding run-time address variables?
>>
>> I have /etc/shorewall6/init:
>>
>> INT_SRV_ALL_SRCS=$(ip -6 addr ls br-lan | sed -n -e '/fe80::/d' -e '/fd31:/d' -e '/::1\/128/d' -e 's/::1\/[0-9]*/::2/g' -e '/ *inet6 /{s/ *inet6 \(.*\) scope .*$/\1,/;H}' -e '${g;s/\n//g;s/,$//;p}')
>> INT_SRV_ALL_DSTS=loc:$INT_SRV_ALL_SRCS
>>
>> To save you the trouble, the $() evaluates to a comma-separated list of
>> addresses such as
>> 2607:1234:5678:cd00::2,2001:5432:9876:6700::2,2001:bad:beef::2
>>
>> I have in /etc/shorewall6/rules:
>>
>> Auth/ACCEPT net &{INT_SRV_ALL_DSTS}
>>
>> But when I try to compile I get:
>>
>> Compiling /etc/shorewall6/gw-Reboot/rules...
>> ERROR: Unknown destination zone (&{INT_SRV_ALL_DSTS})
>> /usr/share/shorewall/macro.Auth (line 9)
>> from /etc/shorewall6/gw-Reboot/rules (line 83)
>>
>> I have tried simplifying and assigning INT_SRV_ALL_DSTS directly with
>> the much simpler:
>>
>> INT_SRV_ALL_DSTS=loc:2607:1234:5678:cd00::2,2001:5432:9876:6700::2,2001:bad:beef::2
>>
>> but get the same error.
>>
>> This is with shorewall-5.0.14.1.
>>
>> It's probably obvious, but the goal here is to push as much of the "what
>> is the current networking state -- IP addresses, gateways, etc." out to
>> the shorewall-lite machine and have the state evaluated at each policy
>> [re-]load so that it's much more flexible to networking configuration
>> changing.
>>
>
> Two problems:
>
> a) You need to specify a destination zone; that's why you are getting
> the error.
>
> b) Once you fix that, you will still get an error because each run-time
> address variable may hold exactly *one* IP address. And given that this
> is IPv6, the variable must be enclosed in square brackets.
>
Disregard the part about square brackets -- senior moment :-)

-Tom
--
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
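The constraint in Tom's point (b), that a run-time address variable holds exactly one address, means Brian's comma-separated list has to be split into one shell variable per address before the rules file can use it. The script below is an added example, not code from the thread or from the Shorewall project. It assumes the variable names INT_SRV_ADDR_1, INT_SRV_ADDR_2, ... (an invented prefix), takes the sample list from Brian's mail as constructed input in place of his `ip -6 addr ls br-lan | sed ...` pipeline, and rejects any field that still carries a `/prefixlen`, since that is not a single address either.

```sh
#!/bin/sh
# Added example; not code from the thread or from the Shorewall project.
# Each Shorewall run-time address variable may hold exactly one IP address,
# so a comma-separated list has to become one shell variable per address
# before /etc/shorewall6/rules can reference it.
#
# Constructed sample input, copied from Brian's mail. In a real
# /etc/shorewall6/init this value would come from his ip/sed pipeline.
SAMPLE_LIST='2607:1234:5678:cd00::2,2001:5432:9876:6700::2,2001:bad:beef::2'

# emit_single_addr_vars LIST [PREFIX]
# Print one "PREFIX_N=addr" assignment per comma-separated field of LIST,
# numbered from 1, for the init file to eval. Empty fields (",,") are
# skipped. Returns 1 if a field still carries a "/prefixlen", because that
# is not a single address and Shorewall would reject it at compile time.
emit_single_addr_vars() {
    list=$1
    prefix=${2:-INT_SRV_ADDR}      # assumed variable-name prefix
    i=1
    while [ -n "$list" ]; do
        addr=${list%%,*}                     # first field
        case $list in
            *,*) list=${list#*,} ;;          # drop it and its comma
            *)   list= ;;                    # last field consumed
        esac
        [ -n "$addr" ] || continue           # tolerate ",," and trailing ","
        case $addr in
            */*)
                printf 'error: "%s" is not a single address\n' "$addr" >&2
                return 1 ;;
        esac
        printf '%s_%d=%s\n' "$prefix" "$i" "$addr"
        i=$((i + 1))
    done
}

# addr_count LIST: how many single addresses LIST splits into, which is
# also how many rules lines (one per variable) the rules file will need.
addr_count() {
    emit_single_addr_vars "$1" X | wc -l | tr -d ' '
}

# Stand-alone demonstration: print the assignments the init file would eval.
emit_single_addr_vars "$SAMPLE_LIST"
```

In /etc/shorewall6/init this would be used as `eval "$(emit_single_addr_vars "$INT_SRV_ALL_SRCS")"`, and the rules file then carries one line per address in the form used in the thread, with the zone in the rule rather than in the variable (Tom's point (a)): `Auth/ACCEPT net loc:&{INT_SRV_ADDR_1}`, `Auth/ACCEPT net loc:&{INT_SRV_ADDR_2}`, and so on. The practical caveat is that the number of such rules is fixed when the configuration is compiled, so the number of addresses on br-lan has to be known in advance even though their values are picked up at each load.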
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users