On Apr 22, 2008, at 1:37 PM, Jesse Gordon wrote:
> When run, the generated script does run:
> ip -4 neigh flush dev eth1 >/dev/null 2>&1
> and does not return any message (I commented out the >/dev/null
> part to check.)
> I can also type the above ip command at the command line and it
> executes without any response.
> And indeed, eth1:FWB2 and eth1:FWB3 are removed, but eth1:FWB1 is
> not removed.
> This is a 2-card box (eth1=outside, eth0=inside) in a very normal
> natting firewall configuration.
> There are 3 public IPs assigned to its external/outside eth1.
> Neither eth0 nor eth1 have IPs assigned to them specifically, but
> all the IPs that fwbuilder added are done via virtual devices named
> eth0:FWBx and eth1:FWBx.
> (And all the IPs added are done via fwbuilder.)
> I did try the command:
> ip -4 addr flush dev eth1 label "eth1:FWB*"
> (Which is the same except it lacks the keyword 'secondary')
> and this time it removed all of the eth1:FWB* addresses -- so
> evidently fwbuilder thinks there's some reason to not remove the
> primary address.
fwbuilder is not designed to remove the primary address. Your setup is
slightly special in that you want fwbuilder to manage all ip
addresses on the interface rather than only virtual ones. I do not
think this is a typical case. Fwbuilder is supposed to add and remove
only virtual addresses; in order to distinguish them, it marks them
with the suffix "FWB".
I do not expect your setup to be really widely used, so making a change
in fwbuilder to support it won't be practical. However, you can add an
appropriate "ip flush" command to the "prolog" section of the script to
remove all ip addresses from interfaces. This should be easy enough
and should work.
I am concerned that the command you mentioned above is just "ip -4
neigh flush dev eth1 >/dev/null 2>&1", missing the "secondary label
"eth1:FWB*"" part. What does this command look like exactly in the
script generated by fwbuilder?
> (Even though the primary address is a virtual address, with no main
> address being assigned.)
> Thanks very much,
> Vadim Kurland wrote:
>> generated script should remove virtual addresses it added before
>> (the ones with :FWB suffix) using "ip addr flush" command. Does
>> this command not do it ? It looks something like this:
>> $IP -4 addr flush dev eth1 secondary label "eth1:FWB*" >/dev/null
>> If this command removes virtual address as it should, then
>> subsequent call to add_addr function will add it back with new
>> netmask. Could you check if the "ip addr flush" command is present
>> in the script and if yes, if it indeed removes virtual address if
>> you run it?
>> Note that this will only affect virtual addresses. You can not
>> change netmask of the interface via fwbuilder.
>> On Apr 22, 2008, at 10:57 AM, Jesse Gordon wrote:
>>> When I change the netmask on the IPs on my interface, and then
>>> rerun the script, it does not update and apply the new netmasks to
>>> the interfaces or to the routing table.
>>> fwbuilder and API 2.1.18. (The old 2.1.15 had the same problem, so I
>>> just compiled the latest from source.)
>>> Build 347.
>>> Slackware 12, Linux sgi 184.108.40.206 #2 SMP Tue Dec 11 16:08:18 PST 2007
>>> i686 Pentium III (Coppermine) GenuineIntel GNU/Linux
>>> iptables v1.3.8
>>> ip -V
>>> ip utility, iproute2-ss060323
>>> Actually it tries to update the new netmasks, but it uses the
>>> 'ip -4 addr add' method, which fails if the IP address already
>>> exists, thus neglecting to update the netmask for the interface
>>> and the routing table.
>>> I added an 'echo' just before the relevant command in order to
>>> troubleshoot, and here's the problem:
>>> Entering add_addr()
>>> addr=220.127.116.11, nm=25, dev=eth1
>>> ip -4 addr add 18.104.22.168/25 dev eth1 brd + scope global
>>> label eth1:FWB1
>>> RTNETLINK answers: File exists
>>> leaving add_addr()
>>> Then I type:
>>> # ifconfig eth1:FWB1
>>> eth1:FWB1 Link encap:Ethernet HWaddr 00:00:E2:3C:70:E4
>>> inet addr:22.214.171.124 Bcast:126.96.36.199
>>> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
>>> And you can see that it just left the netmask the same as it
>>> always was.
>>> Obviously rebooting would fix it (or manually going and changing
>>> it with ifconfig) but it'd be nice if just changing the settings
>>> in the gui and applying the firewall settings did it all.
>>> This may be related to an old bug I complained about a while back
>>> when an IP was removed from an interface it was never actually
>>> unless the user went and brought the interface down with ifconfig
>>> -- or
>>> Nikola Engineering Inc.
>>> 224 W. Washington St.
>>> Suite 104
>>> Sequim, WA 98382-3371
>>> Tel (360)582-1051
>>> Fax (360)582-1104