On Sat, 3 Aug 2002, Tom Eastep wrote:

> > Can the userspace area be made use of to create chains on the fly? Say
> > maybe running a shell script as a service that takes an IP as an
> > argument to create the chain? I do not know if userspace allows this.
> >
Remember that Shorewall itself is nothing but a set of shell scripts :-)

If you choose to programmatically modify the /etc/shorewall/blacklist and then refresh the firewall, there are some synchronization functions in the /var/lib/shorewall/functions file that are of interest:

get_statedir - establish environment
mutex_on - Create a lock file
mutex_off - Remove lock file

Using these functions ensures that your script isn't modifying the firewall during a shorewall start/restart/stop operation. If you choose to issue a "shorewall refresh" command between "mutex_on" and "mutex_off", you must run the command as "shorewall nolock refresh"; otherwise, /sbin/shorewall will hang waiting for the lock file to be removed.

The dynamic blacklisting facility is easier to use programmatically because you don't have to modify any files. Just issue the appropriate "shorewall" command. It is up to you whether you do a "shorewall save" or not. If you do, you will want to check the dynamic chain periodically and delete old entries using the "shorewall accept" command (then "shorewall save").

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ [EMAIL PROTECTED]

------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
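As an added example (not Tom's or the Shorewall project's own code) of the first approach described above: a script that appends one address to /etc/shorewall/blacklist between mutex_on and mutex_off, then refreshes with "nolock" because the lock is already held. It assumes the blacklist file holds one address per line and that get_statedir, mutex_on and mutex_off take no arguments when sourced from /var/lib/shorewall/functions; check both against your Shorewall version.

```shell
#!/bin/sh
# Added example, not Shorewall's own code. Assumptions: one address per line
# in the blacklist file; get_statedir/mutex_on/mutex_off take no arguments.
BLACKLIST=${BLACKLIST:-/etc/shorewall/blacklist}
SHOREWALL_FUNCTIONS=${SHOREWALL_FUNCTIONS:-/var/lib/shorewall/functions}

# valid_ipv4 ADDR: accept only a plain dotted quad (no CIDR, no hostnames),
# so a caller-supplied argument cannot smuggle extra text into the file.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. 'NF == 4 {
        for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
        exit 0 } { exit 1 }'
}

# append_blacklist FILE ADDR: append ADDR unless it is already listed.
# Returns 0 if added, 1 if already present, 2 if ADDR is not a valid IPv4.
append_blacklist() {
    file=$1; addr=$2
    valid_ipv4 "$addr" || return 2
    grep -qxF "$addr" "$file" 2>/dev/null && return 1
    printf '%s\n' "$addr" >> "$file"
}

# blacklist_ip ADDR: edit the file under the Shorewall mutex so the change
# never races a "shorewall start/restart/stop"; refresh with "nolock"
# because /sbin/shorewall would otherwise wait for our own lock file.
blacklist_ip() {
    . "$SHOREWALL_FUNCTIONS"
    get_statedir
    mutex_on
    if append_blacklist "$BLACKLIST" "$1"; then
        shorewall nolock refresh
    fi
    mutex_off
}

if [ $# -gt 0 ]; then
    blacklist_ip "$1"
fi
```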