Tom Eastep wrote:
> On 5/1/13 5:26 PM, Dash Four wrote:
>
>> Tom Eastep wrote:
>>
>>> Regrettably, Shorewall 4.5.16 has a serious problem when used on systems
>>> running a 3.x kernel that include CT Target support and that do not use
>>> a capabilities file.
>>>
>>
>> I am attaching 4 patches, implementing 3 new features and fixing one
>> minor inconsistency in this version. These are:
>>
>> 1. Introduce DEST interface capabilities to "rtrules". I did report this
>> as a "bug" previously, but, as it turned out, "source" and "destination"
>> interfaces are not treated the same as source and destination ip
>> addresses (I've had a long-drawn arguments about this in the netfilter
>> mailing list, so I won't go into anything like this on here). So, what
>> this new feature does is to allow output interface to be specified,
>> along with destination ip address, in the DEST column in "rtrules" and
>> generate the necessary "ip rule" rules to make it happen.
>>
>> This patch comes with one caveat though - the "oif" ip rule capability
>> in the iproute package was introduced fairly "recently", so if this
>> feature is going to be made available "mainstream", I suspect a new
>> capability needs to be added to shorewall (my perl skills aren't quite
>> there yet, so I'll leave this up to you Tom, if you decide to
>> incorporate this new feature into shorewall - "It works for me (tm)").
>>
>
> What are the semantics associated with oif? Given that ip rules are
> applied before routing, the output interface has not yet been determined.
>

Well, isn't the order Local machine -> Routing Decision -> OUTPUT (raw, mangle, nat, filter) -> POSTROUTING (mangle, nat) -> Local traffic?
I am successfully matching traffic using the "oif" parameter, so it must be working. Besides, the iproute2 guys won't put this option there if it doesn't make sense.

> The last three look okay.
>

Thanks.
