On 05/18/2011 08:14 AM, Mr Dash Four wrote:
>
>> Note that when 'whitelist' is given, the BLACKLIST_LOGLEVEL setting is
>> ignored and the packet/connection is silently passed on to the
>> rules/policies. Are there any opinions, one way or the other, on that
>> behavior?
>>
> I am uncertain as to what that means.
>
> The behaviour I would expect from 'whitelist' entries (either via the
> "w:" or with the "whitelist" option specified) is that control is
> returned to the first iptables statement after the blacklst/blackout
> chains, provided there is a "whitelist" match (whether by the inclusion
> - or exclusion - of ipset, or by any other means).

That's what my patch does.

> Your patch is actually better than my hack as it provides positioning
> - in other words, I could have certain (blacklisted entries) checks
> performed and then get a whitelist entry match:
>
> +whitelist1
> +blacklist1
> +blacklist2
> +whitelist2
> +blacklist3
> +whitelist3
>
> The above, if I understood your patch correctly, will return,
> unconditionally, if there is a whitelist1 match (this is what my hack
> currently does). It will then check for entries in blacklist1 and 2 and,
> if there is still not a match, it will check whitelist2 and return if
> there is a match (it won't check blacklist3!). It will finally check
> blacklist3, whereas whitelist3 is completely meaningless as it is the
> last statement, but could be used for other purposes.

Yes.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
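As an added illustration, not Shorewall's code and not written by either poster, the following Python model walks an ordered list of whitelist/blacklist entries the way the message describes: the first matching entry decides, a whitelist hit returns control to the rules/policies without logging, and anything below a whitelist hit is never consulted. The entry names follow the six-entry list above; the address ranges and the verdict strings are constructed for the example.

```python
# Model of ordered whitelist/blacklist evaluation (illustrative, not Shorewall code).
from ipaddress import ip_address, ip_network

# Constructed entries, in the order quoted in the message.
#   whitelist -> on match, RETURN to the rules/policies (BLACKLIST_LOGLEVEL ignored)
#   blacklist -> on match, DROP (this is where BLACKLIST_LOGLEVEL would apply)
ENTRIES = [
    ("whitelist1", "whitelist", ["192.0.2.0/28"]),
    ("blacklist1", "blacklist", ["192.0.2.0/24"]),
    ("blacklist2", "blacklist", ["198.51.100.0/24"]),
    ("whitelist2", "whitelist", ["198.51.100.128/25", "203.0.113.7/32"]),
    ("blacklist3", "blacklist", ["203.0.113.0/24"]),
    ("whitelist3", "whitelist", ["203.0.113.200/32"]),
]


def matches(src, nets):
    """True if the source address falls in any of the listed networks."""
    addr = ip_address(src)
    return any(addr in ip_network(n) for n in nets)


def evaluate(src, entries=ENTRIES):
    """Walk the entries top to bottom like a single blacklst chain.

    Returns (verdict, matched_entry, evaluated_names). The first match ends
    the walk, so a whitelist hit hides every blacklist entry below it, and a
    blacklist hit above a whitelist entry drops the packet before the
    whitelist is ever reached (this is the 'positioning' the post describes).
    """
    evaluated = []
    for name, kind, nets in entries:
        evaluated.append(name)
        if matches(src, nets):
            verdict = "RETURN" if kind == "whitelist" else "DROP"
            return verdict, name, evaluated
    # No entry matched: fall off the end of the chain, back to the rules/policies.
    # This is why a trailing whitelist entry changes nothing on its own.
    return "RETURN", None, evaluated


if __name__ == "__main__":
    for src in ("192.0.2.5", "192.0.2.100", "203.0.113.7", "198.51.100.200", "10.0.0.1"):
        print(src, evaluate(src))
```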
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
