> Note that when 'whitelist' is given, the BLACKLIST_LOGLEVEL setting is
> ignored and the packet/connection is silently passed on to the
> rules/policies. Are there any opinions, one way or the other, on that
> behavior?
>
> I am uncertain on what that means?
The behaviour I would expect from 'whitelist' entries (either via the "w:" prefix or with the "whitelist" option specified) is that control is returned to the first iptables statement after the blacklst/blackout chains, provided there is a "whitelist" match (whether by the inclusion - or exclusion - of an ipset, or by any other means).

Your patch is actually better than my hack as it provides positioning - in other words, I could have certain (blacklisted entries) checks performed and then get a whitelist entry match:

    +whitelist1
    +blacklist1
    +blacklist2
    +whitelist2
    +blacklist3
    +whitelist3

The above, if I understood your patch correctly, will return, unconditionally, if there is a whitelist1 match (this is what my hack currently does). It will then check for entries in blacklist1 and 2 and, if there is still not a match, it will check whitelist2 and return if there is a match (it won't check blacklist3!). It will finally check blacklist3, whereas whitelist3 is completely meaningless as it is the last statement, but could be used for other purposes.

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
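The ordering semantics described in the message above (first match in the chain wins, a whitelist match RETURNs to the caller, a blacklist match DROPs, and a trailing whitelist entry is a no-op) follow directly from how netfilter walks a user-defined chain. The model below is an added example, not Shorewall code and not the patch under discussion: it evaluates the six-entry ordering from the message against a source address and records which sets were consulted, then renders the same ordering as the `iptables -m set --match-set` rules it stands for. The set names, the chain name `blacklst` and the address ranges are constructed for illustration.

```python
"""Model of first-match evaluation in an iptables user chain.

Added example (not Shorewall's implementation). Rules are tried in order; the
first rule whose ipset matches the source address decides the verdict:
RETURN hands the packet back to the calling chain, DROP discards it. Falling
off the end of a user chain is an implicit RETURN, which is why a whitelist
entry placed last changes nothing.
"""
from ipaddress import ip_address, ip_network

# Constructed ipset contents: set name -> networks it would hold.
# whitelist2 deliberately overlaps blacklist3 (to show blacklist3 is skipped)
# and blacklist1 (to show a later whitelist cannot undo an earlier blacklist).
IPSETS = {
    "whitelist1": ["192.0.2.0/24"],
    "blacklist1": ["198.51.100.0/24"],
    "blacklist2": ["203.0.113.0/24"],
    "whitelist2": ["10.1.0.0/16", "198.51.100.7/32"],
    "blacklist3": ["10.0.0.0/8"],
    "whitelist3": ["172.16.0.0/12"],
}

# The ordering from the message: whitelist entries RETURN, blacklist entries DROP.
CHAIN = [
    ("whitelist1", "RETURN"),
    ("blacklist1", "DROP"),
    ("blacklist2", "DROP"),
    ("whitelist2", "RETURN"),
    ("blacklist3", "DROP"),
    ("whitelist3", "RETURN"),
]


def in_set(set_name, src):
    """True if src falls inside any network of the named (constructed) ipset."""
    addr = ip_address(src)
    return any(addr in ip_network(net) for net in IPSETS[set_name])


def evaluate(chain, src):
    """Walk the chain for a source address.

    Returns (verdict, sets_checked, index_of_matching_rule_or_None).
    """
    checked = []
    for idx, (set_name, target) in enumerate(chain):
        checked.append(set_name)
        if in_set(set_name, src):
            return target, checked, idx
    # End of the user chain: netfilter returns to the caller implicitly.
    return "RETURN", checked, None


def iptables_rules(chain, chain_name="blacklst"):
    """Render the model as the iptables commands it corresponds to."""
    return [
        f"iptables -A {chain_name} -m set --match-set {set_name} src -j {target}"
        for set_name, target in chain
    ]


if __name__ == "__main__":
    for rule in iptables_rules(CHAIN):
        print(rule)
    for src in ("192.0.2.10", "198.51.100.7", "10.1.2.3", "10.9.9.9",
                "172.16.0.1", "8.8.8.8"):
        verdict, checked, idx = evaluate(CHAIN, src)
        print(f"{src:>14}: {verdict:6} after {len(checked)} sets "
              f"(matched rule {idx})")
```

Running it shows the three points made in the message: 10.1.2.3 returns at whitelist2 and blacklist3 is never consulted; 198.51.100.7 is dropped by blacklist1 even though whitelist2 would also match it, because position decides; and 172.16.0.1 (whitelist3) and 8.8.8.8 (no match at all) end with the same RETURN verdict, so the last whitelist entry has no effect on the outcome.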
