> I just realized that condition match is part of xtables-addons so if you
> want to send me your patch, I'll test it with Shorewall.

Yeah, I know - I trashed the entire kernel and iptables sources a couple of days ago and was tearing my hair out when I couldn't find anything, when I realised that this is part of the xtables-addons.
> I believe that the xtables parser requires an option per value so the
> syntax will be something like:
>
> condition match options:
> [!] --condition name Match on boolean value stored in procfs file
> --condinit value

Even though I just implemented this, I have some serious misgivings, the main one being inconsistency. Let's take the following example:

iptables -t raw -N foo_raw
iptables -N foo_filter
iptables -t raw -A foo_raw -m condition --condition foo --init 1
iptables -A foo_filter -m condition --condition foo --init 0

Since the "condition" match operates on the first-rule-wins basis, "foo" will have been initialised with a value of "1" (enabled).

When executing iptables-save, these values would have been included in the resulting restore file as well; however, the order in which iptables-save operates isn't guaranteed to be the order in which "foo" has been initialised. Simply put, "foo" is not guaranteed to be "1" after an iptables-save/iptables-restore cycle is complete. The same is valid if last-rule-wins is adopted.

Even if I show the current value of "foo" when iptables -L is executed (1 in my example above), or include this same value in iptables-save, this would be, again, inconsistent with what was originally entered. So, it is a heads I lose, tails you win type scenario.

As for the Beta3 release, I'll have a bit more time during the weekend and will give it a more thorough examination.

_______________________________________________
Shorewall-devel mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
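Added example, not part of the original message and not code from the patch under discussion: a small Python check that reads an iptables-save style dump and reports which condition names would end up with an order-dependent value under first-rule-wins. The dump is constructed, and the saved form of the proposed `--init` option is an assumption, since the thread does not show it.

```python
import shlex
from collections import defaultdict

# Constructed iptables-save style dump. "--init" is the option proposed in
# this thread; how it would appear in saved output is an assumption.
SAMPLE_DUMP = """\
*filter
:foo_filter - [0:0]
-A foo_filter -m condition --condition foo --init 0
-A foo_filter -m condition --condition bar --init 1
COMMIT
*raw
:foo_raw - [0:0]
-A foo_raw -m condition --condition foo --init 1
-A foo_raw -m condition --condition bar --init 1
COMMIT
"""

def parse_inits(dump):
    """Return [(table, chain, name, init)] in the order the dump lists them."""
    found, table = [], None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]            # table header, e.g. "*raw"
        elif line.startswith("-A "):
            tok = shlex.split(line)
            if "--condition" in tok and "--init" in tok:
                name = tok[tok.index("--condition") + 1]
                init = tok[tok.index("--init") + 1]
                found.append((table, tok[1], name, init))
    return found

def first_rule_wins(inits):
    """Value each condition gets when the first rule seen initialises it."""
    state = {}
    for _table, _chain, name, init in inits:
        state.setdefault(name, init)
    return state

def conflicting(inits):
    """Conditions whose rules disagree on the initial value."""
    seen = defaultdict(set)
    for _table, _chain, name, init in inits:
        seen[name].add(init)
    return sorted(n for n, vals in seen.items() if len(vals) > 1)

if __name__ == "__main__":
    inits = parse_inits(SAMPLE_DUMP)
    print("restore in dump order:", first_rule_wins(inits))
    print("order-dependent conditions:", conflicting(inits))
```

In the constructed dump the filter table is listed before raw, so a restore initialises "foo" to 0 even though the rules were entered raw-first with 1; "bar" is unaffected because both rules agree.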
