On Jun 1, 2013, at 11:13 AM, Dash Four <[email protected]> wrote:
>>
> Before I do that, I discovered another - nastier bug:
>
> actions
> ~~~~~~~
> IFLOG inline
> SFLOG
>
> action.SFLOG
> ~~~~~~~~~~~~
> ?SET p6 $6 ? $6 : @{chain}
> ?IF $5 eq 'Drop'
> $5
> ?ENDIF
> IFLOG($1,$2,$3,$4,$5) ; switch:${p6}_${7}
> ?IF $5 && (! ($5 eq 'Drop'))
> $5
> ?ENDIF
>
> rules
> ~~~~~
> SFLOG(-,-,-,-,ACCEPT,-,log_test_related=0) $FW local:+test
>
> produces:
>
> -A +fw2local -m set --match-set test dst -j ACCEPT
>
> Please note that this is a straight ACCEPT jump with no conditional
> switch. The rule produced should have been:
>
> -A +fw2local --condition fw2local_log_test_related -m set --match-set test dst -j ACCEPT
The rules generated by SFLOG are:
NF-(A)-> filter:SFLOG:1 -A SFLOG -m condition --condition SFLOG_log_test_related -j ACCEPT
NF-(A)-> filter:SFLOG:2 -A SFLOG -j ACCEPT
Given that the chain ends in an unconditional '-J ACCEPT', the preceding rule
is optimized away since the packet will be ACCEPTed regardless of whether the
condition matches. Further optimization compiles the -m set match with -j
ACCEPT and the SFLOG rule is deleted.
-Tom
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
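The two optimizer passes Tom describes, modelled in Python as an added example (this is not Shorewall's code; the Rule type, the pass names and the simplified chain representation are assumptions). Fed the SFLOG chain quoted above, it reproduces the rule Dash Four saw, with the conditional logging match gone.

```python
# Added example (not Shorewall's code): a minimal model of the two optimizer
# passes described in the thread, applied to the SFLOG chain it quotes.

from dataclasses import dataclass, field

@dataclass
class Rule:
    matches: list = field(default_factory=list)   # e.g. ["-m set --match-set test dst"]
    target: str = ""                              # e.g. "ACCEPT" or "SFLOG"

def drop_redundant_before_terminal(rules):
    """Pass 1: if a chain ends in an unconditional jump to T, earlier rules
    whose target is also T cannot change the outcome and are removed."""
    if not rules or rules[-1].matches:
        return list(rules)
    terminal = rules[-1].target
    return [r for r in rules[:-1] if r.target != terminal] + [rules[-1]]

def inline_single_rule_chains(chains):
    """Pass 2: a chain reduced to one unconditional rule is folded into its
    callers: the caller keeps its own matches, its jump target is replaced,
    and the chain itself is deleted."""
    inlined = {name: rs[0].target for name, rs in chains.items()
               if len(rs) == 1 and not rs[0].matches}
    out = {}
    for name, rs in chains.items():
        if name in inlined:
            continue
        out[name] = [Rule(r.matches, inlined.get(r.target, r.target)) for r in rs]
    return out

def optimize(chains):
    chains = {n: drop_redundant_before_terminal(rs) for n, rs in chains.items()}
    return inline_single_rule_chains(chains)

def render(chains):
    lines = []
    for name, rs in chains.items():
        for r in rs:
            lines.append(" ".join(["-A", name, *r.matches, "-j", r.target]))
    return lines

# Constructed input mirroring the compiler output quoted in the thread.
SFLOG_CHAINS = {
    "SFLOG": [Rule(["-m condition --condition SFLOG_log_test_related"], "ACCEPT"),
              Rule([], "ACCEPT")],
    "fw2local": [Rule(["-m set --match-set test dst"], "SFLOG")],
}
```

Without the trailing unconditional `-j ACCEPT` in SFLOG, pass 1 removes nothing and pass 2 has no single-rule chain to inline, so the conditional rule survives.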
_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel