On 12/8/2013 4:13 AM, Dash Four wrote:
> Tom Eastep wrote:
>>> 4. Integrate "postcompile" and document it?
>>>
>>
>> I assume that 'postcompile' would be invoked just before the compiler
>> generates the ip[6]tables input?
>>
> No, it is currently invoked when the firewall file is created, but just
> before it is passed for execution to ip[6]tables. I use this file to
> apply 2 very ugly hacks to define my ifbX policy using ipset's ematch.

Okay -- I had forgotten that I had implemented that for you. I've now
documented it at http://www.shorewall.org/shorewall_extension_scripts.htm.

>
>>> 5. Implement tc's "ematch" capability (so that the "ipset" ematch could
>>> be used)?
>>>
>>
>> I assume that this means that you would like to be able to define
>> 'basic' filters with ematch in the tcfilters file?
>>
> Yes. If memory serves, ipset's ematch could be applied to any tc
> statement and that includes most tc* files. Ipset's ematch is a powerful
> tool and I can define complex rules (even more complex than a single
> iptables statement), something like:
>
> basic match (ipset"(set1 src)" or ipset"(set2 src)" or ipset"(set3 src)"
> or ipset"(set4 src)") and ipset"(set5 dst)"

According to tc-ematch(8), ematch applies only to basic and flow filters.

>
>>> 6. Implement IPSETs everywhere where iptables allows it, and I mean
>>> *everywhere*? One example - I currently have matches inserted by
>>> customised statements from my "started" file for some of the main chains
>>> (like fw2zone and zone2fw), substituting the "net=xxx" option, but that
>>> is one hell of an ugly hack and very prone to errors! The new-ish
>>> version of the ipset match allow for byte and packet counters to be
>>> used, so that could come handy in the accounting features in shorewall.
>>>
>>
>> What is the barrier that prevents you from using INLINE ';' matches for
>> this?
>>
> I can't. The "net=xxx" option for example applies to multiple chains
> (fw2net, net2fw and so on), so I can't just slot INLINE statement in as
> "net=xxx" has a wider scope.

Can you use INLINE in an action and then invoke the action in fw2net,
net2fw, etc?

>
>>> 7. Implement access to the RAW tables/chains, similar to that of "rules"
>>
>> Which raw-table targets would you hope to be able to utilize? Could we
>> not just add support for them to the conntrack file?
>>
> Don't know. What I currently have in my raw table is a sequence of
> custom-defined chains (2 for logging, 5 for traversing, which are
> interface-dependent) and in each of the traversing chains I have a
> series of conditional DROP statements.

Okay -- so adding DROP and LOG support in the conntrack file would meet
your current needs?

Thanks,
-Tom

-- 
Tom Eastep         \ When I die, I want to go like my Grandfather who
Shoreline,          \ died peacefully in his sleep. Not screaming like
Washington, USA      \ all of the passengers in his car
http://shorewall.net  \________________________________________________
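The thread's item 5 discusses classifying traffic with tc's ipset ematch on an ifb device, and notes that ematch is only available for the "basic" and "flow" filters. The following added shell snippet (not from the thread, and not Shorewall's tcfilters implementation) builds the kind of "basic" filter expression quoted above from a list of source sets and an optional destination set. The device ifb0, the parent handle 1:, the class id 1:10 and the set names are assumptions for illustration; the kernel and iproute2 must have ipset ematch support for the generated command to load.

```sh
#!/bin/sh
# Added example: generate a tc "basic" filter whose classifier is an ipset
# ematch expression, e.g.
#   (ipset(set1 src) or ipset(set2 src)) and ipset(set5 dst)
# Nothing is executed unless apply_ipset_filter is called explicitly.

# build_ipset_filter DEV PARENT FLOWID DSTSET SRCSET...
#   DSTSET may be "-" to omit the destination-set condition.
#   Prints the tc command line; the expression is single-quoted so tc
#   receives it as one argument, as tc-ematch(8) examples do.
build_ipset_filter() (
    dev=$1 parent=$2 flowid=$3 dstset=$4
    shift 4
    srcexpr=""
    for set in "$@"; do
        if [ -z "$srcexpr" ]; then
            srcexpr="ipset($set src)"
        else
            srcexpr="$srcexpr or ipset($set src)"
        fi
    done
    if [ "$dstset" = "-" ]; then
        expr=$srcexpr
    else
        # Parenthesise the OR group so the AND applies to the whole of it.
        expr="($srcexpr) and ipset($dstset dst)"
    fi
    printf "tc filter add dev %s parent %s protocol ip prio 10 basic match '%s' flowid %s\n" \
        "$dev" "$parent" "$expr" "$flowid"
)

# apply_ipset_filter: same arguments; actually runs the generated command.
# Needs root, an existing ifb0 with a classful qdisc at 1:, and the named
# sets already created with ipset(8).
apply_ipset_filter() {
    eval "$(build_ipset_filter "$@")"
}

# Show the command for the expression quoted in the thread (assumed names).
build_ipset_filter ifb0 1: 1:10 set5 set1 set2 set3 set4
```

Because the filter only classifies, a wrong set name or expression fails at `tc filter add` time rather than silently dropping traffic; checking the printed command before calling `apply_ipset_filter` is the cheap sanity step.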
Shorewall-devel mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
