On Sat, Oct 27, 2007 at 04:13:09PM -0700, Tom Eastep wrote:
> I would really appreciate it if people would play with this facility and
> offer feedback. The code is available at:
>
> http://www1.shorewall.net/pub/shorewall/development/staging/4.0/shorewall-4.0.6-RC1/
I've been playing with it, in an attempt to generate similar-but-more-flexible behaviour for the SSHKnock action described in http://www.shorewall.net/PortKnocking.html (since that's a familiar example that should showcase how this feature can be used). The goal is something like:

    PERL Knock 'net', 'loc:192.168.1.5', {port => 22, knocker => 1600, trap => [1599, 1601]};

where the 'net' and 'loc:192.168.1.5' arguments are handed off to shorewall for normal processing, while the perl function takes care of the rest.

I find myself having to perpetrate an ugly hack in order to get shorewall's normal behaviour for 'source' and 'dest' fields. It's straightforward to create new rules with add_rule(), but what chain should I add them to, and what should I do with any address restrictions? Reimplementing shorewall's own processing of those fields is possible but silly.

I seem to get more or less the right behaviour by fudging shorewall's internal variables to trick it into thinking that I'm using the external-action mechanism, so I think that I want an interface of the form:

    my $name = 'knock' . ++$i;
    my $chainref = new_manual_chain($name);
    shorewall "$name $src $dest";
    add_rule($chainref, ...);

which tells shorewall "I'm going to populate this chain myself; please create it and insert a rule that jumps to it, like for an action, but otherwise leave it alone".

If I understand the code correctly, this should be a simple variation on the theme of the ($actiontype & ACTION) bits of process_rule1, that just avoids triggering Shorewall::Action.

_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
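The post above sketches a Perl rule whose function fills a chain that Shorewall has already created and jumped to for the given SOURCE/DEST. What such a function would have to put into that chain is the part the post leaves as "add_rule($chainref, ...)". The following is an added example, not code from the post or from the Shorewall project: a POSIX shell function that prints the iptables rules for a knock policy of the same shape as the SSHKnock action on PortKnocking.html (one knocker port opens the service, trap ports close it again), generalised to any service port, knocker port and list of trap ports. The chain name, the 60-second window and the use of DROP on the knock ports are assumptions of this example; it assumes the jump into the chain already restricts source and destination, so the rules carry no address match. Nothing is executed; the rules are printed so they can be reviewed or piped to sh.

```shell
#!/bin/sh
# Added example (not the Shorewall project's code, not the list post's code).
# Emit the iptables rules that would populate a chain for a port-knock
# policy. Shorewall is assumed to have created CHAIN and inserted the jump
# to it for the rule's SOURCE/DEST, so no -s/-d matches appear here.
#
# knock_rules CHAIN PORT KNOCKER WINDOW TRAP...
#   CHAIN    chain Shorewall jumps to for this rule (assumed name)
#   PORT     protected service port, e.g. 22
#   KNOCKER  port whose SYN opens the door for the knocking address
#   WINDOW   seconds the door stays open after the knock (assumed 60 below)
#   TRAP...  ports that close the door again; hitting one removes the entry
#
# Each packet carries one destination port, so it matches at most one of the
# rules below. That is what makes the traps work against a sequential scan:
# 1599 (remove), 1600 (set), 1601 (remove) leaves the scanner's address out
# of the list, while a lone connection to 1600 leaves it in.
knock_rules() {
    chain=$1; port=$2; knocker=$3; window=$4
    shift 4
    list=$chain   # name of the recent-module list; one list per chain

    # 1. Service port: accepted only if this source knocked within WINDOW.
    echo "iptables -A $chain -p tcp --dport $port -m recent --rcheck --seconds $window --name $list -j ACCEPT"

    # 2. Trap ports: a SYN here forgets the source address.
    for t in "$@"; do
        echo "iptables -A $chain -p tcp --dport $t --syn -m recent --remove --name $list -j DROP"
    done

    # 3. Knocker port: a SYN here records the source address.
    echo "iptables -A $chain -p tcp --dport $knocker --syn -m recent --set --name $list -j DROP"

    # Anything else falls off the end of the chain and is handled by whatever
    # Shorewall put after the jump (normally the zone policy).
}

# Constructed invocation matching the post's example parameters
# (service 22, knocker 1600, traps 1599 and 1601, assumed 60 s window).
knock_rules knock1 22 1600 60 1599 1601
```

Which ports are set/remove/rcheck is the whole policy; the DROP targets on the knock and trap ports are an assumption here (the documented SSHKnock action logs them), and on a real host the rules would be emitted through add_rule() rather than printed.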
