>> rules
>> ~~~~~
>> SECTION RELATED
>> Related(ELOG(-,fw2NeT,2)) $FW net
>>
>> produces:
>>
>> -A +fw2net -m conntrack --ctstate RELATED -j ELOG
>>
>> "--ctstate RELATED" match can be optimised away (it is not needed
>> since the +fw2net chain has that match already). The "inline"
>> equivalent of ELOG (IELOG) produces 2 additional RELATED matches (for
>> each statement of that action) as well, but I suspect you already
>> know that. I also suspect the situation will be the same if I use
>> Established in the ESTABLISHED section, Untracked in the UNTRACKED
>> section and Invalid in the INVALID section.
>
> All of that is corrected in my current tree.

This now works. However:

rules
~~~~~
SECTION RELATED
Established(ELOG(-,fw2NeT,2)) $FW net
Established(dropInvalid) $FW net
dropInvalid $FW net

produces:

-A +fw2net -m conntrack --ctstate ESTABLISHED -j ELOG
-A +fw2net -m conntrack --ctstate ESTABLISHED -m conntrack --ctstate INVALID -j DROP
-A +fw2net -m conntrack --ctstate INVALID -j DROP

"ELOG" is not inline and is the equivalent of IELOG as indicated previously.
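
Added example, not part of the original message and not Shorewall code: a small Python check over iptables-save style rules that flags a rule whose --ctstate matches can never all hold (a packet is in exactly one of INVALID, NEW, ESTABLISHED, RELATED, UNTRACKED) or where one match is already implied by another. The function names and the chain_states parameter (the state match already applied before the chain is entered) are assumptions made for this illustration; the sample rules are the ones quoted in the thread.

```python
import shlex

# Mutually exclusive conntrack states. SNAT/DNAT are additional flags,
# so matches that mention them are left out of this check.
EXCLUSIVE = {"INVALID", "NEW", "ESTABLISHED", "RELATED", "UNTRACKED"}

def ctstate_sets(rule):
    """Return one set of states per non-negated --ctstate match in the rule."""
    tokens = shlex.split(rule)
    sets = []
    for i, tok in enumerate(tokens):
        if tok != "--ctstate" or i + 1 >= len(tokens):
            continue
        if i > 0 and tokens[i - 1] == "!":
            continue  # negated matches are not analysed here
        states = set(tokens[i + 1].upper().split(","))
        if states <= EXCLUSIVE:
            sets.append(states)
    return sets

def classify(rule, chain_states=None):
    """Return 'dead', 'redundant' or 'ok' for one rule.

    chain_states (hypothetical parameter): states already guaranteed by
    the rule that jumps into this chain, e.g. {"RELATED"}.
    """
    sets = ctstate_sets(rule)
    if chain_states:
        sets.insert(0, set(chain_states))
    if len(sets) < 2:
        return "ok"
    if not set.intersection(*sets):
        return "dead"  # no packet can satisfy every match at once
    for i, s in enumerate(sets):
        others = sets[:i] + sets[i + 1:]
        if set.intersection(*others) <= s:
            return "redundant"  # this match adds nothing to the others
    return "ok"

# Rules as they appear in the thread above.
RULES = [
    "-A +fw2net -m conntrack --ctstate ESTABLISHED -j ELOG",
    "-A +fw2net -m conntrack --ctstate ESTABLISHED -m conntrack --ctstate INVALID -j DROP",
    "-A +fw2net -m conntrack --ctstate INVALID -j DROP",
]

if __name__ == "__main__":
    for r in RULES:
        print(classify(r), "|", r)
```

Running it against the output of iptables-save on a generated ruleset gives a quick regression check for rule compilers that nest state-matching actions.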
