On 04/09/2013 05:51 AM, Mr Dash Four wrote:
>
>>>> Nope, that would prevent me from using custom-made targets (something
>>>> like '-j SECCTX --name <name>' for example).
>>>>
>>> Okay -- I've implemented the following:
>>>
>>> 3) A new INLINE action has been added. This action allows defining
>>> arbitrary iptables rules in the blrules and rules files, as well as
>>> in action and macro bodies.
>>>
>>> The basic form of an INLINE rule is as follows:
>>>
>>> INLINE <src> <dst> <proto> ... ; <iptables matches and jump>
>>>
>>> Example:
>>>
>>> INLINE $FW all tcp 1234 ; -j SETCTX --name foo
>>>
>>> As part of this change, a new 'builtin' action type has been added.
>>> ip[6]tables actions not supported by Shorewall (such as 'SETCTX' in
>>> the example above), must be defined in your
>>> /etc/shorewall[6]/actions file.
>>>
>>> Example:
>>>
>>> SETCTX builtin
>>>
>>>
>>> Is this what you had in mind?
>>>
>>
>> BTW, with OPTIMIZE=31, the following rules are generated in my
>> configuration:
>>
>> -A fw-dmz -p 6 --dport 1234 -j SETCTX --name foo
>> -A fw-loc -p 6 --dport 1234 -j SETCTX --name foo
>> -A fw-net -p 6 --dport 1234 -j SETCTX --name foo
>> -A fw-smc -p 6 --dport 1234 -j SETCTX --name foo
>> -A fw-vpn -p 6 --dport 1234 -j SETCTX --name foo
>>
> OK, I have a couple of queries: was there a reason for including the
> protocol and port number columns? That adds an unnecessary complexity to
> me in my view - what if I want to use ipsets as protocol & port numbers?
> I am also assuming that this is a destination port - what happens if a
> source port is needed instead?
>
> Could you not just leave the syntax as "INLINE <src> <dst> ;
> <the_rest_of_the_statement>"?
I'm *requiring* protocol and port numbers; but you can specify them if you want. In fact, you can specify *any* of the existing columns but the only columns that are required are SOURCE and DEST.

-Tom

--
Tom Eastep           \ When I die, I want to go like my Grandfather who
Shoreline,            \ died peacefully in his sleep. Not screaming like
Washington, USA        \ all of the passengers in his car
http://shorewall.net    \________________________________________________
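As an added illustration that is not part of this thread and not Shorewall's own code: a small Python model of how an INLINE rule like the one quoted above can be expanded into the per-zone iptables rules the thread lists, with the 'builtin' declaration from the actions file enforced on the `-j` target so that an undeclared target is rejected before any rule is emitted. The zone list, the actions-file text, the protocol-number table and the `<src>-<dst>` chain-naming rule are assumptions constructed to reproduce the output quoted in the thread; only SOURCE and DEST are mandatory, as Tom's reply states, and PROTO/DPORT are optional columns.

```python
import re

# Assumption: protocol names as users write them, mapped to the numeric form
# seen in the generated rules quoted in the thread ("-p 6" for tcp).
PROTO_NUMBERS = {"tcp": 6, "udp": 17, "icmp": 1}

# Constructed zone list, chosen to match the chains in the thread (fw-dmz, fw-loc, ...).
ZONES = ("dmz", "loc", "net", "smc", "vpn")

# Constructed /etc/shorewall/actions content carrying the one line the thread shows.
ACTIONS_FILE = """
# ACTION      OPTIONS
SETCTX        builtin
"""

JUMP_RE = re.compile(r"(?:^|\s)-j\s+(\S+)")


def load_builtin_actions(text):
    """Return the set of action names whose OPTIONS column contains 'builtin'."""
    builtin = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) >= 2 and "builtin" in fields[1].split(","):
            builtin.add(fields[0])
    return builtin


def parse_inline(line):
    """Split 'INLINE <src> <dst> [proto] [dport] ; <iptables matches and jump>'."""
    head, sep, tail = line.partition(";")
    if not sep or not tail.strip():
        raise ValueError("INLINE rule needs '; <iptables matches and jump>'")
    cols = head.split()
    if len(cols) < 3 or cols[0] != "INLINE":
        raise ValueError("INLINE rule needs at least the SOURCE and DEST columns")
    return {
        "src": cols[1],
        "dst": cols[2],
        "proto": cols[3] if len(cols) > 3 else None,
        "dport": cols[4] if len(cols) > 4 else None,
        "suffix": tail.strip(),
    }


def expand_inline(line, zones=ZONES, fw="fw", builtin=frozenset()):
    """Expand one INLINE rule into the iptables rules it would generate.

    Hypothetical model of the expansion shown in the thread, not Shorewall's
    algorithm: '$FW' becomes the firewall zone name, 'all' fans out over every
    other zone, and the chain is named '<src>-<dst>'.
    """
    rule = parse_inline(line)
    m = JUMP_RE.search(rule["suffix"])
    if m is None:
        raise ValueError("inline part has no -j target")
    target = m.group(1)
    if target not in builtin:
        raise ValueError(
            f"unknown target {target!r}: declare it 'builtin' in the actions file"
        )

    def endpoints(col):
        if col == "$FW":
            return [fw]
        if col == "all":
            return list(zones)
        return [col]

    matches = []
    if rule["proto"]:
        proto = rule["proto"].lower()
        matches += ["-p", str(PROTO_NUMBERS.get(proto, proto))]
    if rule["dport"]:
        if not rule["proto"]:
            raise ValueError("a DPORT column needs a PROTO column")
        matches += ["--dport", rule["dport"]]

    out = []
    for s in endpoints(rule["src"]):
        for d in endpoints(rule["dst"]):
            if s == d:
                continue  # no zone-to-itself chain in this model
            out.append(" ".join(["-A", f"{s}-{d}", *matches, rule["suffix"]]))
    return out


if __name__ == "__main__":
    actions = load_builtin_actions(ACTIONS_FILE)
    for r in expand_inline("INLINE $FW all tcp 1234 ; -j SETCTX --name foo", builtin=actions):
        print(r)
```

Running the script prints the five `-A fw-<zone> -p 6 --dport 1234 -j SETCTX --name foo` lines from the thread; an INLINE rule whose `-j` target is not declared `builtin` raises `ValueError` instead of producing an iptables line that would fail at load time.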
_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
