In article <003201c1d640$b0531350$57eaa8c0@orange>,
Mark Olliver <[EMAIL PROTECTED]> wrote:
>If you were to assign the label in the ifup script how can you check the
>label later?

With an iptables match module, which would have syntax like...

>[me]
>Example: allow interfaces with "SYS-2-INTERF-D" label to talk to
>firewall, and allow free communication between labelled "SECURE-LAN"
>interfaces and labelled "SYS-2-INTERF-D" interfaces:
>
>    iptables -t filter -A INPUT -m label --in-label SYS-2-INTERF-D -j ACCEPT
>
>    iptables -t filter -A OUTPUT -m label --out-label SYS-2-INTERF-D -j ACCEPT
>
>    iptables -t filter -A FORWARD -m label --in-label SECURE-LAN --out-label SYS-2-INTERF-D -j ACCEPT
>
>    iptables -t filter -A FORWARD -m label --out-label SECURE-LAN --in-label SYS-2-INTERF-D -j ACCEPT
>
>Note the similarity to the standard '-i' and '-o' interface match
>operators--we are still really matching interfaces here, only the
>namespace has changed.

-- 
Zygo Blaxell (Laptop) <[EMAIL PROTECTED]>
GPG = D13D 6651 F446 9787 600B AD1E CCF3 6F93 2823 44AD
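
Added example, not part of the original post: the `-m label` match above is a proposed module, so this sketch shows the same label namespace resolved in user space into standard `-i`/`-o` rules instead. The label table, the interface names (eth0, eth1, eth2) and the helper names are constructed assumptions; the script only prints rules and does not run iptables.

```shell
#!/bin/sh
# Constructed label table, one "LABEL INTERFACE" pair per line.
# In the scheme discussed above, the ifup script would maintain this.
LABELS='SYS-2-INTERF-D eth0
SECURE-LAN eth1
SECURE-LAN eth2'

# ifaces_for LABEL: print every interface carrying LABEL, one per line.
ifaces_for() {
    printf '%s\n' "$LABELS" | awk -v l="$1" '$1 == l { print $2 }'
}

# expand_rule CHAIN IN_LABEL OUT_LABEL: print one standard iptables rule
# per matching interface pair. "-" means that side is not matched.
# An unknown label fails closed: printing a rule without the interface
# match would accept traffic from every interface.
expand_rule() {
    chain=$1; in_label=$2; out_label=$3
    ins=-; outs=-
    if [ "$in_label" != - ]; then
        ins=$(ifaces_for "$in_label")
        [ -n "$ins" ] || { echo "unknown label: $in_label" >&2; return 1; }
    fi
    if [ "$out_label" != - ]; then
        outs=$(ifaces_for "$out_label")
        [ -n "$outs" ] || { echo "unknown label: $out_label" >&2; return 1; }
    fi
    for i in $ins; do
        for o in $outs; do
            rule="iptables -t filter -A $chain"
            [ "$i" = - ] || rule="$rule -i $i"
            [ "$o" = - ] || rule="$rule -o $o"
            echo "$rule -j ACCEPT"
        done
    done
}

# The four rules from the post, expanded against the constructed table.
expand_rule INPUT   SYS-2-INTERF-D -
expand_rule OUTPUT  - SYS-2-INTERF-D
expand_rule FORWARD SECURE-LAN SYS-2-INTERF-D
expand_rule FORWARD SYS-2-INTERF-D SECURE-LAN
```

A label carried by several interfaces expands into one rule per interface pair, so the table has to be re-expanded whenever an interface gains or loses a label.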
