On 11/29/12 4:34 PM, "Mr Dash Four" <[email protected]> wrote:
> >> I just realized that condition match is part of xtables-addons so if
> >> you want to send me your patch, I'll test it with Shorewall.
>
> Yeah, I know - I trashed the entire kernel and iptables sources a couple
> of days ago and was tearing my hair out when I couldn't find anything,
> when I realised that this is part of the xtables-addons.
>
> >> I believe that the xtables parser requires an option per value so the
> >> syntax will be something like:
> >>
> >> condition match options:
> >> [!] --condition name Match on boolean value stored in procfs file
> >> --condinit value
>
> Even though I just implemented this, I have some serious misgivings, the
> main one being inconsistency. Let's take the following example:
>
> iptables -t raw -N foo_raw
> iptables -N foo_filter
> iptables -t raw -A foo_raw -m condition --condition foo --init 1
> iptables -A foo_filter -m condition --condition foo --init 0
>
> Since the "condition" match operates on the first-rule-wins basis, "foo"
> will have been initialised with a value of "1" (enabled).
>
> When executing iptables-save, these values would have been included in
> the resulting restore file as well; however, the order in which
> iptables-save operates isn't guaranteed to be the order in which "foo"
> has been initialised. Simply put, "foo" is not guaranteed to be "1" after
> the iptables-save/iptables-restore cycle is complete. The same is valid if
> last-rule-wins is adopted.
>
> Even if I show the current value of "foo" when iptables -L is executed (1
> in my example above), or include this same value in iptables-save, this
> would be, again, inconsistent with what was originally entered. So, it is
> a heads I lose, tails you win type of scenario.

If you simply use the current value in 'save', all rules referencing the
condition should be consistent unless there is an iptables-restore/"echo >
/proc/..." race, right?

> As for the Beta3 release, I'll have a bit more time during the weekend
> and will give it more thorough examination.
Thanks,
-Tom

You do not need a parachute to skydive. You only need a parachute to skydive twice.

_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
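A consistency check of the kind Tom's question implies, added here as an example and not code from Shorewall or from the xtables-addons patch under discussion: it scans an iptables-save dump for condition rules and flags any condition name whose rules disagree on the init value, which is exactly the case where restore order decides the result. Both option spellings seen in the thread, --init and --condinit, are accepted (an assumption), and the dump is constructed to reproduce the "foo" example above.

```python
import re
from collections import defaultdict

# Constructed iptables-save style dump reproducing the thread's example:
# "foo" is initialised to 1 in raw and to 0 in filter, "bar" consistently to 1.
SAMPLE_DUMP = """\
*raw
:PREROUTING ACCEPT [0:0]
:foo_raw - [0:0]
-A foo_raw -m condition --condition foo --init 1
COMMIT
*filter
:INPUT ACCEPT [0:0]
:foo_filter - [0:0]
-A foo_filter -m condition --condition foo --init 0
-A foo_filter -m condition ! --condition bar --init 1
-A INPUT -m condition --condition bar --init 1
COMMIT
"""

# One rule: "-m condition [!] --condition NAME [--init|--condinit VALUE]".
# Both option spellings are accepted because the thread uses both (assumption).
RULE_RE = re.compile(r"-m condition\s+(?:!\s+)?--condition\s+(\S+)"
                     r"(?:\s+--(?:init|condinit)\s+([01]))?")

def parse_conditions(dump):
    """Return {name: [(table, line_no, init_or_None), ...]} for every condition rule."""
    table, seen = None, defaultdict(list)
    for no, line in enumerate(dump.splitlines(), 1):
        if line.startswith("*"):          # table header, e.g. "*raw"
            table = line[1:].strip()
            continue
        if not line.startswith("-A"):
            continue
        m = RULE_RE.search(line)
        if m:
            init = None if m.group(2) is None else int(m.group(2))
            seen[m.group(1)].append((table, no, init))
    return seen

def find_conflicts(dump):
    """Names whose rules carry different init values; restore order would decide."""
    conflicts = {}
    for name, uses in parse_conditions(dump).items():
        inits = {init for _, _, init in uses if init is not None}
        if len(inits) > 1:
            conflicts[name] = uses
    return conflicts
```

Running find_conflicts(SAMPLE_DUMP) reports "foo" (raw line says 1, filter line says 0) and stays silent on "bar".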
