On Mon, 2007-08-20 at 10:56 +0200, Pascal Hambourg wrote:
> Andrew Ruthven wrote:
> >>
> >>Shouldn't that be pre-up instead?
> >
> > I've just tried this and confirmed my suspicion. This will fail if you
> > refer to the interface in your firewall. Since the interface isn't up
> > yet (pre-up) iptables can't find the device to apply the against.
>
> Huh? AFAIK iptables does not care whether the specified interface is up
> or even exists. It is just text, possibly including a wildcard (+).
> Doesn't your script try to extract information about the interface from
> ifconfig or the like? Of course this may fail if the interface is not
> up yet.

Ahhh, I know why my test failed now. I was trying to use dummy1 as my
interface, but the box was quite rightly complaining that it doesn't
exist. I had thought I could just refer to a dummy interface and it'd
be created; it appears that isn't the case.

Testing this against another interface that really does exist confirms
that putting the iptables rules in the pre-up works.

Cheers!

--
Andrew Ruthven, Wellington, New Zealand
At home: andrew@etc.gen.nz | This space intentionally
                           | left blank.