From: Tom E. <te...@sh...> - 2003-03-12 14:26:38
--On Tuesday, March 11, 2003 11:26:31 PM -0800 Chris Petersen <li...@fo...> wrote:

> /bin/sh == /bin/bash
> shorewall version = 1.3.12
>
> though if you'll notice, the $FW is getting interpreted just fine by the
> shell. It also works fine for all of my other rules
> (/etc/shorewall/rules, mostly)
>
> Perhaps I'll just upgrade to 1.4 and see how that goes - I was going to
> wait for the final release, but I guess I can upgrade a week or so
> early.

I can't see how that is going to make any difference. Here is the code:

    add_a_tc_rule() {
        r=
        chain=$marking_chain
        if [ "x$source" != "x-" ]; then
            case $source in
                *.*.*)
                    r="-s $source "
                    ;;
                ~*)
                    r=`mac_match $source`
                    ;;
                $FW)
                    chain=tcout
                    ;;
                *)
                    if ! list_search $source $all_interfaces; then
                        fatal_error "Error: Unknown interface $source"
                    fi
                    r="-i $source "
                    ;;
            esac
        fi
        [ "x$dest" = "x-" ] || r="${r}-d $dest "
        [ "$proto" = "all" ] || r="${r}-p $proto "
        [ "x$port" = "x-" ] || r="${r}--dport $port "
        [ "x$sport" = "x-" ] || r="${r}--sport $sport "
        run_iptables2 -t mangle -A $chain $r -j MARK --set-mark $mark
    }

That code is the same in 1.3.12 and 1.4.0.

According to your debugging info, the iptables command at the end is:

    iptables -t mangle -A tcfor -s 0.0.0.0/0 -d fw -j MARK --set-mark 1

That means that:

    chain  = tcfor
    source = 0.0.0.0/0
    dest   = fw ($FW)

From that information, I would have said that the rule you have coded would be:

    1    0.0.0.0/0    $FW    all

Yet you claim that the rule is:

    1    $FW    0.0.0.0/0    all

?????????

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ te...@sh...
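The dispute above comes down to which tcrules column reaches add_a_tc_rule() as $source and which as $dest. The following is an added example, not Shorewall's own code and not part of this thread: it wraps the add_a_tc_rule() function quoted in the message in a dry-run harness so the iptables command each rule line produces can be seen without touching a firewall. The helpers it stubs (run_iptables2, fatal_error, list_search, mac_match), the zone name FW=fw, the chain name tcfor and the interface list are assumptions chosen for the demonstration; mac_match in particular is a simplified guess at the real helper. Rule columns are passed already variable-expanded, so $FW arrives as "fw", which is what the case pattern matches.

```shell
#!/bin/sh
# Added example (not Shorewall's code): dry-run harness around the
# add_a_tc_rule() function quoted in the message above.

FW=fw                       # assumed firewall zone name
marking_chain=tcfor         # assumed chain for forwarded traffic
all_interfaces="eth0 eth1"  # assumed interfaces from /etc/shorewall/interfaces

# Stub: print the iptables command instead of executing it.
run_iptables2() {
    echo iptables "$@"
}

# Stub: abort like the real helper; the caller runs us in a subshell.
fatal_error() {
    echo "$@" >&2
    exit 1
}

# Stub: succeed if $1 equals one of the remaining arguments.
list_search() {
    needle=$1
    shift
    for item in "$@"; do
        [ "$item" = "$needle" ] && return 0
    done
    return 1
}

# Stub (assumed, simplified): turn ~xx-xx-xx-xx-xx-xx into a mac match.
mac_match() {
    echo "-m mac --mac-source $(echo "$1" | sed 's/^~//; s/-/:/g') "
}

# The function under discussion, as quoted in the message above.
add_a_tc_rule() {
    r=
    chain=$marking_chain
    if [ "x$source" != "x-" ]; then
        case $source in
            *.*.*) r="-s $source " ;;
            ~*) r=`mac_match $source` ;;
            $FW) chain=tcout ;;
            *)
                if ! list_search $source $all_interfaces; then
                    fatal_error "Error: Unknown interface $source"
                fi
                r="-i $source "
                ;;
        esac
    fi
    [ "x$dest" = "x-" ] || r="${r}-d $dest "
    [ "$proto" = "all" ] || r="${r}-p $proto "
    [ "x$port" = "x-" ] || r="${r}--dport $port "
    [ "x$sport" = "x-" ] || r="${r}--sport $sport "
    run_iptables2 -t mangle -A $chain $r -j MARK --set-mark $mark
}

# render_tc_rule MARK SOURCE DEST PROTO PORT SPORT
# Feeds the six columns of one tcrules line (already expanded, so $FW is
# "fw") to add_a_tc_rule and prints the resulting command. The subshell
# keeps fatal_error's exit from killing the caller on a bad interface.
render_tc_rule() {
    mark=$1 source=$2 dest=$3 proto=$4 port=$5 sport=$6
    (add_a_tc_rule)
}

# The two readings argued about in the thread: dest=$FW lands in tcfor
# with "-d fw"; source=$FW switches the chain to tcout instead.
render_tc_rule 1 0.0.0.0/0 fw all - -
render_tc_rule 1 fw 0.0.0.0/0 all - -
# An interface source plus protocol and port.
render_tc_rule 2 eth0 - tcp 22 -
# An unknown interface is rejected by list_search/fatal_error.
render_tc_rule 3 eth9 - all - - || echo "rule 3 rejected"
```

Running it shows that a "-d fw" in chain tcfor can only come from a line whose DEST column is $FW; a line with $FW in the SOURCE column never produces "-s" or "-d fw" at all, it only changes the chain to tcout.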