Bill,
On 12/23/2015 2:21 AM, Bill Shirley wrote:
> I have a rule to add addresses to an ipset defined:
> ipset -exist create IpPort3600 hash:ip,port timeout 3600
> ipset -exist create IpOneDay hash:ip timeout 86400
>
> in /etc/shorewall/rules:
> ADD(+IpPort3600:src,dst):notice:ADD,IpPort3600 inet fw tcp,udp domain
> ADD(+IpOneDay:src):info:ADD,IpOneDay inet fw tcp mysql
>
> My suggestion is to allow ADD to specify a timeout value:
> ADD(+IpPort3600:src,dst,@600):notice:ADD,IpPort3600 inet fw tcp,udp domain
> and thus set a 10-minute timeout (600) instead of the default one-hour
> timeout (3600).
>
> Also:
> ADD(+IpOneDay:src,@14400):info:ADD,IpOneDay,14400 inet fw tcp mysql
I've implemented it as:
ADD(<set>:<flags>[:<timeout>]).
I'm unclear, however, what you are trying to do with the log tag. If
LOGTAGONLY=No, then with no tag specified in the rule, your rule will
have a log prefix of
": inet-fw ADD(+IpOneDay:src:14400)"
which will get truncated.
With LOGTAGONLY=Yes and a simple one-line change in the compiler, if you
use this ACTION:
ADD(IpOneDay:src:14400):info:,ADD,IpOneDay,14400
(note that the tag begins with a comma), the log prefix will be
: inet_fw ADD,IpOneDay,14400
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
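As an added illustration (not from the thread or from Shorewall's own compiler), a small Python model of the `ADD(<set>:<flags>[:<timeout>])` syntax and of the prefix-length problem described above. It assumes the `: <chain> <text>` layout copied from the two prefixes quoted in the mail, and the 29-character ceiling is the iptables LOG target's `--log-prefix` limit, which is why the first prefix is truncated and the comma-tagged one is not.

```python
"""Model of the ADD(<set>:<flags>[:<timeout>]) syntax and of the log-prefix
length problem raised in the thread. Constructed example: the ": <chain> <text>"
layout is copied from the two prefixes quoted in the mail, and the 29-character
ceiling is the iptables LOG target's --log-prefix limit."""
import re

LOG_PREFIX_MAX = 29  # iptables LOG --log-prefix accepts at most 29 characters

# ADD(<set>:<flags>[:<timeout>])[:<level>[:<tag>]]
ACTION_RE = re.compile(
    r"^ADD\((?P<set>\+?[A-Za-z0-9_]+):(?P<flags>[a-z,]+)(?::(?P<timeout>\d+))?\)"
    r"(?::(?P<level>[a-z0-9]+)(?::(?P<tag>\S*))?)?$"
)

def parse_add_action(action: str) -> dict:
    """Split an ADD action into set, flags, timeout (seconds), level and tag."""
    m = ACTION_RE.match(action)
    if not m:
        raise ValueError(f"not an ADD action: {action!r}")
    parts = m.groupdict()
    parts["timeout"] = int(parts["timeout"]) if parts["timeout"] else None
    return parts

def log_prefix(action: str, chain: str, logtagonly: bool) -> str:
    """Prefix the LOG rule would carry, following the mail's two examples:
    LOGTAGONLY=No logs the action text up to the closing parenthesis, while
    LOGTAGONLY=Yes logs the tag instead, a leading comma being dropped (the
    suggested one-line compiler change). Other mixes are assumptions here.
    """
    parts = parse_add_action(action)
    tag = parts["tag"] or ""
    if logtagonly and tag:
        text = tag[1:] if tag.startswith(",") else tag
    else:
        text = action[: action.index(")") + 1]
    return f": {chain} {text}"

def prefix_fits(prefix: str) -> bool:
    """True when the kernel logs the prefix whole instead of truncating it."""
    return len(prefix) <= LOG_PREFIX_MAX

if __name__ == "__main__":
    for act, chain, tagonly in [
        ("ADD(+IpOneDay:src:14400):info", "inet-fw", False),
        ("ADD(IpOneDay:src:14400):info:,ADD,IpOneDay,14400", "inet_fw", True),
    ]:
        p = log_prefix(act, chain, tagonly)
        print(f"{p!r:40} {len(p)} chars -> {'ok' if prefix_fits(p) else 'TRUNCATED'}")
```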
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users