I found that the error goes away if you have the accepts and denies
grouped together. I had them speckled throughout my rule base. After moving
all the accepts first and the denies after, the complaints stopped.
Lupe Christoph wrote:
> I don't think I can submit a bug report for this yet. It makes 1.0.7
> almost unusable for me. The same XML file (before the conversion)
> worked with 1.0.5.
> The ipfilter compiler rejects my antispoof rules because they shade the
> rule after them. Seemingly regardless of what that rule is.
> I tried simplifying the config, but didn't get the same error. Before I
> invest more time blindly fiddling, I would like to ask for guidance on how
> to diagnose this. The config is quite complicated and I would like to
> diagnose this without burdening Vadim with it.
> So which debug options should I set to get more info that would help
> locate the bug? Here is what I know so far:
> - It has a problem with negated sources.
> - It is not just because of the two rules mentioned in the error.
> When I disable the shading (shouldn't that be shadowing?) rule, I get
> the same error for a similar pair on another interface. When I disable
> the shading rule again, the policy compiles.
> I lose my antispoof rules this way. Because of the hassle downgrading
> to 1.0.5 again, I will keep it that way until this has been fixed, so
> I'm ready to do more tests any time.
> Please advise,
> Lupe Christoph