Tom Eastep wrote:

>> 4. Integrate "postcompile" and document it?
>>
>
> I assume that 'postcompile' would be invoked just before the compiler
> generates the ip[6]tables input?
>

No, it is currently invoked when the firewall file is created, but just
before it is passed for execution to ip[6]tables. I use this file to apply
2 very ugly hacks to define my ifbX policy using ipset's ematch.
>> 5. Implement tc's "ematch" capability (so that the "ipset" ematch could
>> be used)?
>>
>
> I assume that this means that you would like to be able to define
> 'basic' filters with ematch in the tcfilters file?
>

Yes. If memory serves, ipset's ematch could be applied to any tc statement
and that includes most tc* files. Ipset's ematch is a powerful tool and I
can define complex rules (even more complex than a single iptables
statement), something like:

basic match (ipset"(set1 src)" or ipset"(set2 src)" or ipset"(set3 src)" or ipset"(set4 src)") and ipset"(set5 dst)"

>> 6. Implement IPSETs everywhere where iptables allows it, and I mean
>> *everywhere*? One example - I currently have matches inserted by
>> customised statements from my "started" file for some of the main chains
>> (like fw2zone and zone2fw), substituting the "net=xxx" option, but that
>> is one hell of an ugly hack and very prone to errors! The new-ish
>> version of the ipset match allows for byte and packet counters to be
>> used, so that could come in handy in the accounting features in shorewall.
>>
>
> What is the barrier that prevents you from using INLINE ';' matches for
> this?
>

I can't. The "net=xxx" option for example applies to multiple chains
(fw2net, net2fw and so on), so I can't just slot an INLINE statement in as
"net=xxx" has a wider scope.

>> 7. Implement access to the RAW tables/chains, similar to that of "rules"
>
> Which raw-table targets would you hope to be able to utilize? Could we
> not just add support for them to the conntrack file?
>

Don't know. What I currently have in my raw table is a sequence of
custom-defined chains (2 for logging, 5 for traversing, which are
interface-dependent) and in each of the traversing chains I have a series
of conditional DROP statements.

_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
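The ipset ematch expression described in the message above, as an added example that is not part of the original post and is not Shorewall code: a small POSIX sh helper that assembles a tc "basic" filter whose match is an ematch expression built from ipset tests (ORed source sets ANDed with a destination set). The device ifb0, the parent handle 1:, the class 1:10, the priority and the set names set1..set5 are assumptions for illustration; the functions only print the tc command so it can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example, not code from the original message or from Shorewall.
# Builds a tc "basic" filter whose match is an ematch expression composed of
# ipset tests, like the one described in the message. ifb0, parent 1:, class
# 1:10, prio 1 and the set names set1..set5 are assumptions for illustration.

# ipset_term SETNAME FLAGS  -> one ematch term, e.g. "ipset(set1 src)"
# FLAGS is src, dst or a comma list such as src,dst (the ipset match flags).
ipset_term() {
    printf 'ipset(%s %s)' "$1" "$2"
}

# any_src_of SET...  -> "(ipset(a src) or ipset(b src) ...)"
# The parentheses keep the OR group together when it is ANDed with more terms.
any_src_of() {
    _expr=""
    for _set in "$@"; do
        _term=$(ipset_term "$_set" src)
        if [ -z "$_expr" ]; then
            _expr="$_term"
        else
            _expr="$_expr or $_term"
        fi
    done
    printf '(%s)' "$_expr"
}

# tc_basic_filter DEV PARENT PRIO CLASSID EXPR  -> prints the tc command.
# The ematch expression is single-quoted so the shell does not interpret the
# parentheses; nothing is executed here, the caller runs the printed command.
tc_basic_filter() {
    printf "tc filter add dev %s parent %s protocol ip prio %s basic match '%s' classid %s\n" \
        "$1" "$2" "$3" "$5" "$4"
}

# Policy from the message: packets whose source is in any of set1..set4 and
# whose destination is in set5 are classified into 1:10 on the ifb device.
build_ifb_policy() {
    _match="$(any_src_of set1 set2 set3 set4) and $(ipset_term set5 dst)"
    tc_basic_filter ifb0 1: 1 1:10 "$_match"
}

build_ifb_policy
```

Run the printed command as root on a host whose iproute2 has the ipset ematch (em_ipset); the named sets must already exist when the filter is added, and `tc filter show dev ifb0` confirms the installed match. The quoting matters: the parentheses belong to the ematch grammar, so the whole expression has to be protected from the shell, which is what the single quotes around the match do.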
