On Mon, 2007-08-20 at 10:56 +0200, Pascal Hambourg wrote:
> Andrew Ruthven a écrit :
> >>
> >>Shouldn't that be pre-up instead?
> >
> > I've just tried this and confirmed my suspicion. This will fail if you
> > refer to the interface in your firewall. Since the interface isn't up
> > yet (pre-up) iptables can't find the device to apply the rules against.
>
> Huh ? AFAIK iptables does not care whether the specified interface is up
> or even exists. It is just text, possibly including a wildcard (+).
> Doesn't your script try to extract information about the interface from
> ifconfig or the like ? Of course this may fail if the interface is not
> up yet.
Ahhh, I know why my test failed now. I was trying to use dummy1 as my
interface, but the box was quite rightly complaining that it doesn't
exist. I had thought I could just refer to a dummy interface and it'd
be created; it appears that isn't the case.
Testing this against another interface that really does exist confirms
that putting the iptables rules in the pre-up works.
Cheers!
--
Andrew Ruthven, Wellington, New Zealand
At home: andrew@etc.gen.nz | This space intentionally left blank.
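As an added example (not part of the thread above), a small sh script that audits the interface names an iptables ruleset refers to: iptables treats -i/-o names as plain text with an optional trailing + wildcard, so a rule for a misspelled or never-created interface such as dummy1 loads fine from pre-up and simply never matches. The sample rules and the list of present interfaces are constructed; on a live box you would feed it the output of iptables-save and ls /sys/class/net.

```shell
#!/bin/sh
# check_ifaces RULES KNOWN
#   RULES: firewall rules in iptables-save format
#   KNOWN: whitespace-separated names of interfaces that actually exist
#          (in production: "$(ls /sys/class/net)")
# Prints a warning per referenced interface that is absent and returns 1
# if any were found; a name ending in "+" matches any existing prefix.
check_ifaces() {
    rules=$1
    known=$2
    rc=0
    # collect the argument after every -i / -o / --in-interface / --out-interface
    names=$(printf '%s\n' "$rules" \
        | grep -oE '(^| )(-i|-o|--in-interface|--out-interface) +[^ ]+' \
        | awk '{print $NF}' | sort -u)
    for name in $names; do
        match=0
        case $name in
            *+) prefix=${name%+}
                for k in $known; do
                    case $k in "$prefix"*) match=1 ;; esac
                done ;;
            *)  for k in $known; do
                    [ "$k" = "$name" ] && match=1
                done ;;
        esac
        if [ "$match" -eq 0 ]; then
            echo "warning: rule references interface '$name' which does not exist"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample ruleset; dummy1 is the interface that does not exist
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
-A INPUT -i dummy1 -j ACCEPT
-A FORWARD -i ppp+ -o eth0 -j ACCEPT
COMMIT'

# Constructed list of interfaces present on the box
if check_ifaces "$SAMPLE_RULES" "lo eth0 ppp0"; then
    echo "all referenced interfaces exist"
fi
```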