On Friday 27 June 2014 11:58 AM, Nishant Sharma wrote:
>
> On Friday 27 June 2014 10:05 AM, Amos Jeffries wrote:
>>> acl even src 0.0.0.0/0.0.0.1
>>> tcp_outgoing_address wan1 even
>>> tcp_outgoing_address wan2 !even
>>>
> wan1 & wan2 in the config are the actual WAN IP Addresses (IPv4) and NAT
> rules are properly set-up for both the WANs. If I divide the LAN into
> two /25 subnets it works fine. But not with masked bits.
>
> Is there any debug option that I could enable to see how these ACLs are
> being matched or by-passed? "debug_options ALL,9" can be an overkill for
> this?

Here are the debug logs. I see that it is trying to compare SRC-IP:Port
pair against the ACL and result is always "0". Any pointers?

2014/06/27 12:02:37.882| ACLList::matches: checking !EVEN
2014/06/27 12:02:37.883| ACL::checklistMatches: checking 'EVEN'
2014/06/27 12:02:37.883| aclIpAddrNetworkCompare: compare: 192.168.2.121:49287/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff] (192.168.2.121:49287) vs 0.0.0.0-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff]
2014/06/27 12:02:37.883| aclIpMatchIp: '192.168.2.121:49287' NOT found
2014/06/27 12:02:37.883| ACL::ChecklistMatches: result for 'EVEN' is 0
2014/06/27 12:02:37.883| ACLList::matches: result is true
2014/06/27 12:02:37.883| aclmatchAclList: 0xbfbfe290 returning true (AND list satisfied)
2014/06/27 12:02:37.883| ACLChecklist::markFinished: 0xbfbfe290 checklist processing finished
2014/06/27 12:02:37.883| FilledChecklist.cc(168) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbfbfe290
2014/06/27 12:02:37.883| ACLChecklist::~ACLChecklist: destroyed 0xbfbfe290
2014/06/27 12:02:37.883| FilledChecklist.cc(168) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0xbfbfe2b0
2014/06/27 12:02:37.883| ACLChecklist::~ACLChecklist: destroyed 0xbfbfe2b0
2014/06/27 12:02:37.883| fwdConnectStart: got outgoing addr 2xx.1xx.3x.xx, tos 0

Thanks & regards,
Nishant
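
An added example, not part of the original post and not Squid's own code: it parses the aclIpAddrNetworkCompare line from the log above and repeats the masked comparison, once with the mask printed in the log and once with the 0.0.0.1 mask from the "acl even" line. It assumes the bracketed value after the client address is the ACL's effective mask; the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: the aclIpAddrNetworkCompare line quoted in the post above.
LOG_LINE = ("2014/06/27 12:02:37.883| aclIpAddrNetworkCompare: compare: "
            "192.168.2.121:49287/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff] "
            "(192.168.2.121:49287) vs "
            "0.0.0.0-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff]")

COMPARE_RE = re.compile(
    r"compare: (?P<client>[\d.]+):\d+/\[(?P<mask>[0-9a-f:]+)\] "
    r"\([^)]*\)\s+vs (?P<acl>[\d.]+)-")

def parse_compare(line):
    """Return (client, acl_addr, mask) as 32-bit ints from one compare line."""
    m = COMPARE_RE.search(line)
    if m is None:
        raise ValueError("not an aclIpAddrNetworkCompare line")
    client = int(ipaddress.IPv4Address(m["client"]))
    acl = int(ipaddress.IPv4Address(m["acl"]))
    # Assumption: the mask is printed in IPv6 form and its low 32 bits
    # are the part applied to an IPv4 client address.
    mask = int(ipaddress.IPv6Address(m["mask"])) & 0xFFFFFFFF
    return client, acl, mask

def masked_match(client, acl, mask):
    """Bitwise test: the address matches when the masked bits are equal."""
    return (client & mask) == (acl & mask)

def evaluate(line, client_ip=None, mask_ip=None):
    """Re-run the comparison, optionally overriding the client or the mask."""
    client, acl, mask = parse_compare(line)
    if client_ip is not None:
        client = int(ipaddress.IPv4Address(client_ip))
    if mask_ip is not None:
        mask = int(ipaddress.IPv4Address(mask_ip))
    return masked_match(client, acl, mask)

if __name__ == "__main__":
    logged_mask = ipaddress.IPv4Address(parse_compare(LOG_LINE)[2])
    print("mask in log line:", logged_mask)
    for ip in ("192.168.2.121", "192.168.2.120"):
        print(ip, "logged mask:", evaluate(LOG_LINE, ip),
              "| 0.0.0.1 mask:", evaluate(LOG_LINE, ip, "0.0.0.1"))
```

Under these assumptions 192.168.2.121 fails the comparison with either mask because 121 is odd, so a client with an even last octet is the more telling test: 192.168.2.120 matches with 0.0.0.1 but not with the all-ones mask shown in the log.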