On 04/10/2013 07:12 PM, Mr Dash Four wrote:
>
>> Yep, that did the trick. I am going to do a (very) light testing and
>> will continue tomorrow as I ran out of time...

My comments assume that the last simple patch that I posted last night has been installed.

> 1.
>
> rules
> ~~~~~
> INLINE $FW net ; -m mickey-mouse --name test
>
> produces:
>
> [...]
> :INLINE - [0:0]
> [...]
> -A INLINE -m mickey -mouse --name test
> -A fw2net -m mickey -mouse --name test
>
> 2.
>
> rules
> ~~~~~
> INLINE $FW:10.1.1.1 net:+mickey-mouse ; -m mickey-mouse --name test
>
> produces:
>
> [...]
> :INLINE - [0:0]
> [...]
> -A fw2net -j INLINE

I presume that rule was produced by your entry in 1 above.

> -A fw2net -s 10.1.1.1 -m set --match-set mickey-mouse dst -j INLINE
>
> Ignoring the above lines, shouldn't I get an error instead?

What error would you expect? With the patch, this rule now produces:

:$INLINE [0:0]
...
-A %INLINE -m mickey-mouse --name test
...
-A fw2net -s 10.1.1.1 -m set --match-set mickey-mouse dst -j %INLINE

The current optimizer isn't combining those rules, which I will try to correct in the coming days.

> 3.
>
> rules
> ~~~~~
> INLINE $FW net tcp ; --dport 1234 -m mickey-mouse --name test
>
> produces:
>
> [...]
> :INLINE - [0:0]
> [...]
> -A INLINE --dport 1234 -m mickey -mouse --name test
>

With the patch, you get:

:%INLINE1 - [0:0]
...
-A %INLINE1 --dport 1234 -m mickey -mouse --name test
...
-A fw2net -p 6 -j %INLINE1

Which clearly doesn't work. But if I can get the optimizer to work in this case, it should generate a workable rule. On the other hand, the -p match and its option (--dport) are split between the columnar and raw parts of the rule, which isn't something I would want to spend any time worrying about.

> 4.
>
> rules
> ~~~~~
> INLINE $FW net tcp - ; -p 17 --dport 2345 -j SECCTX --name test
>
> produces:
>
> [...]
> :INLINE - [0:0]
> [...]
> -A INLINE -p 17 --dport 2345 -j SECCTX --name test

It now produces:

%INLINE2 - [0:0]
...
-A %INLINE2 -p 17 --dport 2345 -j SECCTX --name test
...
-A fw2net -p 6 -j %INLINE1

Here, the fact that INLINE is implemented as an action is apparent. The optimizer knows that it can't combine rules with different protocols, so it leaves the rule unoptimized. I realize that isn't what I indicated in an earlier email, but that's the way it works.

> 5.
>
> rules
> ~~~~~
> INLINE $FW net - - ; -j SECCTX --name test
>
> produces:
>
> -A fw2net -j SECCTX --name test
>
> which is correct, but shouldn't that produce an error as there are 2
> trailing dashes (-) before ";"?

No -- you can have as many trailing dashes as there are remaining columns in a rules file entry.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
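A small model of how the INLINE entries discussed in this thread are compiled, added here as an example; it is not Shorewall's own compiler. It splits an entry at `;` into the columnar part and the raw iptables text, accepts trailing `-` placeholders only while real columns remain (the point in item 5), expands `zone:addr` and `zone:+set` as in item 2, and rejects a DPORT column without a PROTO. The column list, the protocol-number table and the `fw2net` chain naming are assumptions modelled on the thread, not a complete description of the rules file.

```python
# Added example (not Shorewall's own compiler): a simplified model of how an
# INLINE rules-file entry is split at ';' into columnar and raw parts.
# Assumed column order after ACTION (a subset of the real rules file).
COLUMNS = ["SOURCE", "DEST", "PROTO", "DPORT"]
PROTO_NUMBERS = {"tcp": "6", "udp": "17", "icmp": "1"}


def zone_match(col, flag):
    """Turn 'zone', 'zone:addr' or 'zone:+set' into (zone, match tokens)."""
    zone, _, qual = col.partition(":")
    zone = "fw" if zone == "$FW" else zone
    if not qual:
        return zone, []
    if qual.startswith("+"):  # ipset reference, e.g. net:+mickey-mouse
        return zone, ["-m", "set", "--match-set", qual[1:],
                      "src" if flag == "-s" else "dst"]
    return zone, [flag, qual]


def compile_inline(entry):
    """Return the iptables rule text for one INLINE entry, or raise."""
    columnar, _, raw = entry.partition(";")
    fields = columnar.split()
    if not fields or fields[0] != "INLINE":
        raise ValueError("not an INLINE entry")
    cols = fields[1:]
    # Trailing '-' placeholders are fine as long as each maps to a real column.
    if len(cols) > len(COLUMNS):
        raise ValueError("%d columns given, only %d exist" % (len(cols), len(COLUMNS)))
    values = dict(zip(COLUMNS, cols))
    if "SOURCE" not in values or "DEST" not in values:
        raise ValueError("SOURCE and DEST are required")
    src_zone, args = zone_match(values["SOURCE"], "-s")
    dst_zone, dst_args = zone_match(values["DEST"], "-d")
    args += dst_args
    proto, dport = values.get("PROTO", "-"), values.get("DPORT", "-")
    if proto != "-":
        args += ["-p", PROTO_NUMBERS.get(proto.lower(), proto)]
    if dport != "-":
        if proto == "-":  # iptables port matches need a protocol
            raise ValueError("DPORT given without PROTO")
        args += ["--dport", dport]
    args += raw.split()  # raw iptables text after ';' is appended verbatim
    return " ".join(["-A", "%s2%s" % (src_zone, dst_zone)] + args)


if __name__ == "__main__":  # entries constructed from the ones quoted above
    print(compile_inline("INLINE $FW:10.1.1.1 net:+mickey-mouse ; -m mickey-mouse --name test"))
    print(compile_inline("INLINE $FW net - - ; -j SECCTX --name test"))
```

The model appends the raw text to the same chain rather than creating a separate %INLINE chain, so item 4 (a `-p` in both the columnar and raw parts) simply comes out with two `-p` matches, which is the unworkable case the thread describes.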
_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
