Tom Eastep wrote:
> On 4/21/13 7:14 PM, "Dash Four" <[email protected]> wrote:
>
>   
>>> OK, the main thing I've found so far is that shorewall does not touch
>>> the order of statements after ";" this time (compared to "rules"), so
>>> if I specify "INLINE ; -m nfacct --nfacct-name test -p 6 -m set
>>> --match-set test src --dport 1234" that passes as-is (that, obviously,
>>> won't pass iptables, but I am pleased that the order is preserved in
>>> whatever I throw after ";").
>>>       
>> No issues to report, except one or two suggestions:
>>
>> 1. It would be nice if you could extend the nfacct syntax for ipsets to
>> specify more than one nfacct object, separated by commas - in the way
>> NFACCT(...) syntax currently is. For example: "+dmz-net(dmz,dmz_in)".
>>     
>
> Isn't that already there?
>   
Nope, I am getting an error if I try that... "NFACCT(all,all_in) - 
+dmz-net(dmz,dmz_in)" gives me "ERROR: Invalid ipset name 
(+dmz-net(dmz)". Specifying "+dmz-net(dmz_in)" is OK.

>> 2. It would also be nice to extend the syntax for the exclamation mark
>> in NFACCT(...) so that it may apply to individual nfacct objects. For
>> example: "NFACCT(!dmz,dmz_in) - eth0:+dmz-net" - in this example "dmz"
>> nfacct object comes first, "dmz_in" comes last after the two conditions
>> - "-o eth0" and "m set --match-set dmz-net src" have been met. Of
>> course, if "NFACCT(dmz,dmz_in)!" is specified, then the exclamation mark
>> should apply (and it does) to both objects, while "NFACCT(!dmz,dmz_in)!"
>> should not be allowed.
>>     
>
> I would like to release RC 1 next -- my wife is having major surgery this
> week and I'm not going to be able to spend much time with Shorewall the
> rest of the month.
>   
No problem Tom, take your time - hope your missus has a successful one 
and recovers quickly after that.


_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
