On 11/4/2013 2:41 AM, Stefan Behte wrote:
>
> thanks for the patch! Wouldn't it be nicer to have user-created DROP
> rules always in mangle?

- Entries in the rules file are based on zones. Zones are security objects that aid in the logical definition of policies and exceptions to those policies.

- The design of Netfilter encourages security-related filtering to be performed in the filter table.

- It follows that Shorewall has a lot of logic that attempts to segregate filter-table rules by source and destination zone. A bit of that segregation also occurs in the nat table to accommodate DNAT rules.

- The mangle table, on the other hand, is not intended for traffic filtering. The REJECT target isn't even available in that table, for example.

- As a consequence, there is no logic in the compiler for segregating mangle-table traffic by source and destination zones; in fact, in the PREROUTING chain (which is where I assume you want DROP rules to go), it is not generally possible to even determine the destination zone, because the destination interface is not yet known (the packet has yet to be routed).

> Also, I'd like not to distribute rules between several files, it's
> going to be a bit confusing.
>

Having all DROP rules applied out of file order would also be confusing (and limiting). And what about DROP rules in actions? How would those possibly be handled in the mangle table?

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
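The following is an added illustration of the point made in the reply above; it is not Shorewall's compiler and not code from this thread. It is a toy "rules file" compiler that emits iptables-restore text. In the filter table, a rule entry can be placed in a per-zone-pair chain because the INPUT/OUTPUT/FORWARD hooks know both the input and the output interface; in mangle PREROUTING only the input interface is known, so the destination zone of the same entry cannot be honoured, and REJECT is not accepted there at all. The zone names (fw, net, loc), the interface assignments, and the src2dst chain-naming scheme are assumptions chosen for the example.

```python
"""Toy zone-based rule compiler (added example; NOT Shorewall's compiler).

Shows why filter-table rules can be segregated by source and destination
zone while a mangle PREROUTING rule can only be keyed on the source zone.
"""

# Constructed zone -> interface mapping (hypothetical, like a small Shorewall
# 'interfaces' file). "fw" is the firewall host itself and has no interface.
ZONES = {"fw": None, "net": "eth0", "loc": "eth1"}

# Targets this toy accepts per table; REJECT exists only in the filter table.
FILTER_TARGETS = {"ACCEPT", "DROP", "REJECT"}
MANGLE_TARGETS = {"ACCEPT", "DROP", "MARK"}


def chain_name(src, dst):
    """Per-zone-pair chain name, e.g. net2loc (naming scheme is assumed)."""
    return f"{src}2{dst}"


def match_clause(proto, dport):
    """Optional protocol/port match as a list of iptables arguments."""
    parts = []
    if proto:
        parts.append(f"-p {proto}")
    if dport:
        parts.append(f"--dport {dport}")
    return parts


def compile_filter(rules, zones=ZONES):
    """Return iptables-restore text for the filter table.

    rules: list of (action, src_zone, dst_zone, proto, dport).
    Each entry lands in a src2dst chain; the builtin chains dispatch to those
    chains on input (-i) and/or output (-o) interface, both of which are known
    by the time INPUT/OUTPUT/FORWARD run.
    """
    lines = ["*filter"]
    pairs = sorted({(s, d) for _, s, d, _, _ in rules})
    for s, d in pairs:
        lines.append(f":{chain_name(s, d)} - [0:0]")
    for s, d in pairs:
        chain = chain_name(s, d)
        if s == "fw":
            lines.append(f"-A OUTPUT -o {zones[d]} -j {chain}")
        elif d == "fw":
            lines.append(f"-A INPUT -i {zones[s]} -j {chain}")
        else:
            lines.append(f"-A FORWARD -i {zones[s]} -o {zones[d]} -j {chain}")
    for action, s, d, proto, dport in rules:
        if action not in FILTER_TARGETS:
            raise ValueError(f"{action} is not a filter-table target")
        parts = ["-A", chain_name(s, d), *match_clause(proto, dport), "-j", action]
        lines.append(" ".join(parts))
    lines.append("COMMIT")
    return "\n".join(lines)


def compile_mangle_prerouting(rules, zones=ZONES):
    """Place the same entries in mangle PREROUTING.

    Returns (text, warnings). PREROUTING runs before routing, so only the
    input interface is available: any destination zone other than the
    wildcard "all" is ignored and reported as a warning. REJECT is refused
    because the mangle table has no such target, and a "fw" source is refused
    because locally generated packets never traverse PREROUTING.
    """
    lines = ["*mangle"]
    warnings = []
    for action, s, d, proto, dport in rules:
        if action not in MANGLE_TARGETS:
            raise ValueError(f"{action} is not available in the mangle table")
        if s == "fw":
            raise ValueError("PREROUTING never sees packets originating on the firewall")
        if d != "all":
            warnings.append(
                f"destination zone '{d}' ignored: output interface unknown in PREROUTING")
        parts = ["-A", "PREROUTING", "-i", zones[s], *match_clause(proto, dport), "-j", action]
        lines.append(" ".join(parts))
    lines.append("COMMIT")
    return "\n".join(lines), warnings


def rejected(compiler, rules):
    """True if the compiler refuses the rule set with ValueError."""
    try:
        compiler(rules)
    except ValueError:
        return True
    return False


# Constructed sample rules: (ACTION, SOURCE, DEST, PROTO, DPORT)
RULES = [
    ("ACCEPT", "loc", "net", "tcp", 443),
    ("DROP", "net", "loc", "tcp", 23),
    ("REJECT", "loc", "fw", "tcp", 25),
]

if __name__ == "__main__":
    print(compile_filter(RULES))
    text, warns = compile_mangle_prerouting([RULES[1]])
    print(text)
    print("\n".join(warns))
```

Running the block prints the filter ruleset with three zone-pair chains, then the single DROP entry rewritten for mangle PREROUTING together with the warning that its destination zone "loc" could not be applied.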
_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
