On 11/28/2013 7:43 AM, Dash Four wrote:
>
> Tom Eastep wrote:
>> I welcome suggestions for other such changes and for other features that you
>> believe we should consider.
>>

Thanks for your suggestions.

> 1. nftables support?

The iptables syntax and structure permeate the compiler. So nftables support is enough work that I will probably defer it until after I retire (end of 2015). By that time, nftables should be available in the distributions.

> 2. Implement INLINE everywhere (incl. all tc* files)?
> 3. Implement "; custom matches" everywhere?

Currently, INLINE and ";" custom matches are one and the same. I have implemented INLINE in the tcrules file (undocumented rudimentary support is actually available in the tcrules file in 4.5.21.4). It is unclear to me how this extends to the other tc files, however.

> 4. Integrate "postcompile" and document it?

I assume that 'postcompile' would be invoked just before the compiler generates the ip[6]tables input?

> 5. Implement tc's "ematch" capability (so that the "ipset" ematch could
> be used)?

I assume that this means that you would like to be able to define 'basic' filters with ematch in the tcfilters file?

> 6. Implement IPSETs everywhere where iptables allows it, and I mean
> *everywhere*? One example - I currently have matches inserted by
> customised statements from my "started" file for some of the main chains
> (like fw2zone and zone2fw), substituting the "net=xxx" option, but that
> is one hell of an ugly hack and very prone to errors! The new-ish
> version of the ipset match allows for byte and packet counters to be
> used, so that could come in handy in the accounting features in shorewall.

What is the barrier that prevents you from using INLINE ';' matches for this?

> 7. Implement access to the RAW tables/chains, similar to that of "rules"?
>

Which raw-table targets would you hope to be able to utilize? Could we not just add support for them to the conntrack file?

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
