>>> Same chains as today.
>>>
>>
>> So, if I place 50 blacklist entries for tun0 and 1 for eth0, then in
>> order to get a packet through eth0 it has to traverse through 51 entries
>> in that same chain? "Square pegs in round holes" comes to mind...
>> Thanks, but no thanks!
>>
>
> Why? It's doing that now.
>

No, not really. It is only "doing that now" because blacklist entries are entered for all interfaces - if/when that changes, I would be able to enter blacklist entries for a specific interface.

If you are going to lump all blacklist entries, regardless of which interface they are entered for, into a single chain (I presume that would be the blacklst/blackout chain again, as you already pointed out) and you reference that chain from all interfaces/zones (as is the case now), that means a single packet has to traverse all entries in the blacklst/blackout chain - including entries which have been entered for a different interface - before it passes through, and that is something I am not very keen on doing, quite frankly... Unless I am missing something obvious.

_______________________________________________
Shorewall-devel mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
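The traversal cost being argued about above, as an added model that is not part of the thread and not Shorewall's own code: a small simulation of netfilter chain walking (jump, RETURN, fall-off-end semantics) that counts how many rules a packet on eth0 is checked against when 50 tun0 entries and 1 eth0 entry share one blacklist chain, versus when each interface has its own chain. Chain names, interface names and addresses are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Rule:
    target: str                  # "DROP", "ACCEPT", "RETURN", or a chain name to jump to
    src: Optional[str] = None    # source address to match; None matches any
    iface: Optional[str] = None  # input interface to match; None matches any

@dataclass
class Packet:
    src: str
    iface: str

Chains = Dict[str, List[Rule]]

def traverse(chains: Chains, name: str, pkt: Packet) -> Tuple[str, int]:
    """Walk chain `name` for `pkt`; return (verdict, number of rules evaluated).
    Falling off the end of a chain behaves like RETURN, as in netfilter."""
    evaluated = 0
    for rule in chains[name]:
        evaluated += 1
        if rule.src is not None and rule.src != pkt.src:
            continue
        if rule.iface is not None and rule.iface != pkt.iface:
            continue
        if rule.target in chains:                       # jump into a user chain
            verdict, sub = traverse(chains, rule.target, pkt)
            evaluated += sub
            if verdict != "RETURN":
                return verdict, evaluated
            continue                                    # RETURN: carry on in this chain
        return rule.target, evaluated                   # terminating target (or explicit RETURN)
    return "RETURN", evaluated

def shared_layout(n_tun0: int, n_eth0: int) -> Chains:
    """One blacklst chain holding every entry, referenced from every interface chain."""
    blacklst = ([Rule("DROP", src=f"10.8.0.{i+1}", iface="tun0") for i in range(n_tun0)]
                + [Rule("DROP", src=f"203.0.113.{i+1}", iface="eth0") for i in range(n_eth0)])
    return {"blacklst": blacklst,
            "eth0_in": [Rule("blacklst"), Rule("ACCEPT")],
            "tun0_in": [Rule("blacklst"), Rule("ACCEPT")]}

def per_interface_layout(n_tun0: int, n_eth0: int) -> Chains:
    """A separate blacklist chain per interface, so eth0 traffic never sees tun0 entries."""
    return {"tun0_blacklst": [Rule("DROP", src=f"10.8.0.{i+1}") for i in range(n_tun0)],
            "eth0_blacklst": [Rule("DROP", src=f"203.0.113.{i+1}") for i in range(n_eth0)],
            "eth0_in": [Rule("eth0_blacklst"), Rule("ACCEPT")],
            "tun0_in": [Rule("tun0_blacklst"), Rule("ACCEPT")]}

def cost(chains: Chains, pkt: Packet) -> Tuple[str, int]:
    """Verdict and rules evaluated for `pkt` entering its interface's input chain."""
    return traverse(chains, f"{pkt.iface}_in", pkt)
```

With 50 tun0 entries and 1 eth0 entry, a legitimate eth0 packet is checked against all 51 blacklist rules in the shared layout but only 1 in the per-interface layout.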
