Re: [Fwbuilder-discussion] viritual NAT address fix?
From: Nils O. F. <ni...@no...> - 2011-12-08 11:52:51
Hello Vadim,

On Thursday 8 December 2011 01:45:37, Vadim Kurland wrote:
> Hello Nils,
>
> I understand the problem better now.
>
> There are short-term and long-term solutions to it.
>
> Removing sorting in function update_addresses_of_interface preserves the
> order of addresses as they were generated by the fwbuilder policy compiler.
> However, this order is not guaranteed and may change if you add or remove
> objects in the GUI. So, short term, removing the sorting may work for you,
> but long term it is going to be fragile and may break.

Yes, interface address/netmask handling is what I think is the weakest point in
fwbuilder. When doing vlan/bridge changes you must be prepared to go in for a
manual fix.

> Also, I am hesitant to make a change like that at this time because it is
> too close to the release of v5.0.1. This requires a lot of testing.
>
> If removing sorting works for you, you can just override the configlet as
> described here:
>
> http://www.fwbuilder.org/4.0/docs/users_guide5/configlets.html

This is what I'm doing now. Now I can reboot the firewall and the addresses
come up correct (no need to manually correct them). No doubt that this is a
workaround. The alternative is setting interface address/netmask in the OS and
manually maintaining them there.

> As for the long-term solution, it is a little more complicated than keeping
> addresses in a particular order. I think the right way to deal with this is
> to treat addresses differently in fwbuilder (i.e. differentiate them
> somehow, perhaps add a new attribute to the Interface object), and then use
> the parameter "secondary" with the command "ip addr add" when the address is
> added. This can not be done right now because all addresses are treated as
> equal by fwbuilder, both in the GUI and by the script it generates.

This is what I'm thinking too, and believe is the way to go. If the goal is to
make fwbuilder 100% in control of the interfaces I can not see a way around
that.

(There is also something, probably related, with interface routes going on,
but I can not put my finger on it right now.)

> I'll make a note of this so we can implement it in a future release.
>
> --vk

Great! I will be first in line to test this :-)

Thank you very much for fwbuilder!

--
Nils
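The address-ordering problem discussed in this thread, as an added example that is not fwbuilder's generated firewall script and not code from either participant. On Linux the kernel, not the command line, decides which address is primary: the first address added within a given subnet on an interface becomes the primary (and the default source address for traffic into that subnet), and every later address in the same subnet is flagged "secondary". That is why the order of the generated "ip addr add" commands matters and why sorting them can silently change the address the firewall sources packets from. The script below emits the add commands in the configured order without sorting, derives the primary each subnet should end up with from that order, and checks the live "ip -o -4 addr show" output against it. The interface name eth0 and the 192.0.2.0/24 and 198.51.100.0/24 addresses are constructed sample data (documentation ranges); the sample "ip" output is constructed as well.

```shell
#!/bin/sh
# Added example; not fwbuilder's own script. eth0 and all addresses below are
# constructed sample data. Relies on the Linux kernel rule that the first
# address added in a subnet is primary and later ones in that subnet are
# flagged "secondary" (the flag is set by the kernel, not by a CLI keyword).

# gen_addr_cmds IFACE CIDR... : print one "ip addr add" per address, in exactly
# the order given (no sorting). Prints only; executes nothing.
gen_addr_cmds() {
    iface=$1
    shift
    for cidr in "$@"; do
        printf 'ip addr add %s dev %s\n' "$cidr" "$iface"
    done
}

# primary_map : read lines "CIDR [secondary]" on stdin and print
# "NETWORK/LEN PRIMARY_CIDR" per subnet, applying the kernel rule: the first
# non-secondary address seen in a subnet is its primary.
primary_map() {
    awk '
    function ip2n(s,    a) { split(s, a, "."); return ((a[1]*256 + a[2])*256 + a[3])*256 + a[4] }
    function n2ip(n) { return int(n/16777216) "." int(n/65536)%256 "." int(n/256)%256 "." n%256 }
    function netof(cidr,    b, size) {
        split(cidr, b, "/"); size = 2^(32 - b[2])
        return n2ip(int(ip2n(b[1])/size)*size) "/" b[2]
    }
    NF >= 1 && $2 != "secondary" {
        k = netof($1)
        if (!(k in prim)) { prim[k] = $1; order[++cnt] = k }
    }
    END { for (i = 1; i <= cnt; i++) print order[i], prim[order[i]] }'
}

# ip_to_lines : reduce "ip -o -4 addr show" output on stdin to "CIDR [secondary]"
# lines for primary_map (the secondary flag appears as its own word in -o output).
ip_to_lines() {
    awk '$3 == "inet" {
        flag = ""
        for (i = 5; i <= NF; i++) if ($i == "secondary") flag = "secondary"
        print $4, flag
    }'
}

# check_primaries CIDR... : read "ip -o -4 addr show" output on stdin and compare
# the live primary of each subnet with the one the ordered CIDR list implies.
# Prints one MISMATCH line per differing subnet and returns 1 if any differ.
check_primaries() {
    wanted=$(printf '%s\n' "$@" | primary_map)
    actual=$(ip_to_lines | primary_map)
    out=$(printf '%s\n' "$wanted" | while read -r net exp; do
        act=$(printf '%s\n' "$actual" | awk -v n="$net" '$1 == n { print $2 }')
        [ "$act" = "$exp" ] || printf 'MISMATCH %s: expected primary %s, got %s\n' "$net" "$exp" "${act:-none}"
    done)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample of "ip -o -4 addr show dev eth0" after the addresses were
# added in the order 192.0.2.1/24, 192.0.2.2/24, 198.51.100.1/24.
SAMPLE_IP_OUTPUT='2: eth0    inet 192.0.2.1/24 brd 192.0.2.255 scope global eth0\       valid_lft forever preferred_lft forever
2: eth0    inet 192.0.2.2/24 brd 192.0.2.255 scope global secondary eth0\       valid_lft forever preferred_lft forever
2: eth0    inet 198.51.100.1/24 brd 198.51.100.255 scope global eth0\       valid_lft forever preferred_lft forever'

# Stand-alone demo on the sample: the configured order matches the live state.
if printf '%s\n' "$SAMPLE_IP_OUTPUT" | check_primaries 192.0.2.1/24 192.0.2.2/24 198.51.100.1/24; then
    echo "primaries as expected"
fi
```

On a real firewall the check is `ip -o -4 addr show dev eth0 | check_primaries <addresses in the configured order>`, which is the post-reboot test for the symptom described in the thread (addresses present, but the wrong one primary). Two caveats worth knowing: swapping the primary afterwards requires deleting and re-adding the addresses in the right order, and deleting a primary address removes the secondaries in that subnet too unless the sysctl net.ipv4.conf.all.promote_secondaries is set to 1.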