Hi Tom,
iptables/netfilter allows us to match based on a device group, and net
devices can be added to or removed from a device group like below:
ip link set dev eth0 group 42
ip link set dev eth1 group 42
ip link show group 42
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group notrack_interfaces qlen 1000
    link/ether 00:0c:29:a1:3f:ce brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group notrack_interfaces qlen 1000
    link/ether 00:0c:29:a1:3f:d8 brd ff:ff:ff:ff:ff:ff
Now this can be used to match a dev group like below:
iptables -t raw -I PREROUTING 1 -m devgroup --src-group 42 -j CT --notrack
iptables -t raw -I OUTPUT 1 -m devgroup --dst-group 42 -j CT --notrack
Can this be achieved using Shorewall? If possible, can you please share an
example.
Thanks,
Naveen
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
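The procedure in the mail above (assign interfaces to a link group, then skip connection tracking for that group in the raw table), as an added example script that is not part of the original post or of Shorewall: it wraps the same ip/iptables commands in functions and checks with `iptables -C` before inserting, so re-running it does not stack duplicate rules the way a bare `-I PREROUTING 1` does. The group id 42 and eth0/eth1 are the values from the post; the script name and DRY_RUN/IP/IPTABLES variables are this example's own. Note that the posted `ip link show group 42` output prints `notrack_interfaces` rather than 42 because that id is mapped to a name in /etc/iproute2/group; the script uses the numeric id, which works with or without such a mapping.

```shell
#!/bin/sh
# Added example (not from the original post or from Shorewall): put
# interfaces into an ip link group and exempt their traffic from conntrack
# with the same devgroup/CT rules the mail shows. With DRY_RUN set the
# commands are only printed. Requires root and the xt_devgroup module to
# actually apply.
set -eu

IP=${IP:-ip}
IPTABLES=${IPTABLES:-iptables}

# run CMD...: execute the command, or just print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# notrack_rulespec DIRECTION GROUP: print the match+target part of the rule.
#   src: packets arriving on an interface of GROUP (raw PREROUTING)
#   dst: packets leaving on an interface of GROUP  (raw OUTPUT)
# The raw table is traversed before conntrack, which is why CT --notrack
# belongs there and nowhere else.
notrack_rulespec() {
    case $1 in
        src) printf '%s\n' "-m devgroup --src-group $2 -j CT --notrack" ;;
        dst) printf '%s\n' "-m devgroup --dst-group $2 -j CT --notrack" ;;
        *)   echo "unknown direction: $1" >&2; return 1 ;;
    esac
}

# chain_for DIRECTION: the raw-table chain the rule belongs in.
chain_for() {
    case $1 in
        src) echo PREROUTING ;;
        dst) echo OUTPUT ;;
        *)   echo "unknown direction: $1" >&2; return 1 ;;
    esac
}

# ensure_rule CHAIN RULESPEC...: insert at position 1 only if the exact rule
# is not already present (iptables -C), so repeated runs stay idempotent.
ensure_rule() {
    chain=$1; shift
    if [ -z "${DRY_RUN:-}" ] && "$IPTABLES" -t raw -C "$chain" "$@" 2>/dev/null; then
        return 0
    fi
    run "$IPTABLES" -t raw -I "$chain" 1 "$@"
}

# notrack_group GROUP IFACE...: assign every IFACE to GROUP, then install the
# two notrack rules for that group.
notrack_group() {
    group=$1; shift
    for dev in "$@"; do
        run "$IP" link set dev "$dev" group "$group"
    done
    for dir in src dst; do
        # word-splitting the rule spec into separate arguments is intended
        ensure_rule "$(chain_for "$dir")" $(notrack_rulespec "$dir" "$group")
    done
}

# With no arguments, only print what would be done for the values in the
# post; with arguments (GROUP IFACE...), apply them for real.
if [ $# -eq 0 ]; then
    DRY_RUN=1
    notrack_group 42 eth0 eth1
else
    notrack_group "$@"
fi
```

Run as root with `sh devgroup-notrack.sh 42 eth0 eth1` to apply, or with no arguments to see the commands. Verify afterwards with `iptables -t raw -S PREROUTING` and `iptables -t raw -S OUTPUT`; the `-C` check means a second run changes nothing.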