Paul Gear wrote:
> Would you be open to a patch for this? Before the 4.0.0 release?
> Pretty please? :-)
Hi Paul,

I'll be open to a patch after 4.0.0 is released and will happily include it in 4.0.1 or 4.0.2. I don't plan another 4.0.0 release candidate since there have been no RC2 problems reported to date (in fact, SVN has already been updated with version "4.0.0"). And even if I were to have another RC, it rather stretches the concept of "release candidate" if an RC introduces features not included in the prior one. So I mark the release of RC1 as the feature freeze point.

Additionally, I don't think the patch is a trivial one. If EXPAND_POLICIES is specified, the flow of the bottom half of the 'while ( read_a_line )' block in validate_policy() needs to be rather different. The current code focuses on the single 'all2...' or '...2all' policy chain[1], and applies that policy chain to canonical chains[2] as appropriate. With EXPAND_POLICIES, you want to:

- designate all of those canonical chains as their own policy chain (if they aren't already)
- apply the appropriate log level, default action, and syn params to the canonical chain (again, if it wasn't a policy chain already)
- avoid creating the 'all2...' or '...2all' policy chain at all

You still want the 'all2...'/'...2all' entry in the chain table though, so that complete_standard_chain() can apply the most appropriate policy for INPUT, OUTPUT and FORWARD. The chains should not be listed in the @policy_chains array.

Cheers,
-Tom

[1] - 'Policy chain' is the chain that applies a given policy. Beware that in some of the comments in the source, 'Policy chain' can mean an 'all2...' or '...2all' chain only (although I think such usage is more common in the shorewall-shell source than in the shorewall-perl source).

[2] - Canonical chain is the 'z12z2' chain that handles traffic from zone z1 to zone z2. Each canonical chain has an associated policy chain (which may be the canonical chain itself) except when the policy is ACCEPT, NONE or CONTINUE.
-- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ [EMAIL PROTECTED] PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
_______________________________________________ Shorewall-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-devel
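The three-step change Tom describes above (make each canonical chain its own policy chain, copy the log level and default action onto it, and keep the 'all2...'/'...2all' entry in the chain table without creating it as a policy chain or listing it in @policy_chains) can be seen side by side in a small model. The following is an added example written for this page, not Shorewall's code and not the patch under discussion: it models a chain table and a policy table in Python, compiles a constructed three-zone policy file both with and without EXPAND_POLICIES, and renders the resulting chains as iptables-style rules with a Shorewall-like `Shorewall:chain:action:` log prefix so that the practical difference, the zone pair named in logged packets, is visible. The zone names, policy entries, field names and the `build_chains`/`render_rules` helpers are all assumptions of this example; intra-zone policies and the ACCEPT/NONE/CONTINUE special case from footnote [2] are left out of the model.

```python
"""Model of Shorewall EXPAND_POLICIES handling (added example, not Shorewall code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Policy:
    source: str                 # zone name or 'all'
    dest: str                   # zone name or 'all'
    action: str                 # DROP, REJECT, ACCEPT, ...
    loglevel: Optional[str] = None


@dataclass
class Chain:
    name: str
    is_policy: bool = False             # does this chain enforce a policy itself?
    action: Optional[str] = None        # default action (policy chains only)
    loglevel: Optional[str] = None      # log level (policy chains only)
    policy_chain: Optional[str] = None  # canonical chains: the chain that applies their policy


def build_chains(zones: List[str], policies: List[Policy],
                 expand_policies: bool) -> Tuple[Dict[str, Chain], List[str]]:
    """Return the chain table and the list of policy chains (the @policy_chains analogue)."""
    chains: Dict[str, Chain] = {}
    policy_chains: List[str] = []
    covered: Set[str] = set()          # zone pairs already matched: first policy entry wins

    for p in policies:
        wildcard = p.source == "all" or p.dest == "all"
        wname = f"{p.source}2{p.dest}"
        if wildcard:
            # The 'all2...'/'...2all' entry always goes in the chain table ...
            wchain = chains.setdefault(wname, Chain(wname))
            if not expand_policies:
                # ... but only becomes a real policy chain when not expanding.
                wchain.is_policy, wchain.action, wchain.loglevel = True, p.action, p.loglevel
                policy_chains.append(wname)

        sources = zones if p.source == "all" else [p.source]
        dests = zones if p.dest == "all" else [p.dest]
        for s in sources:
            for d in dests:
                if s == d:
                    continue            # intra-zone policies are not modelled here
                cname = f"{s}2{d}"
                if cname in covered:
                    continue
                covered.add(cname)
                canon = chains.setdefault(cname, Chain(cname))
                if wildcard and not expand_policies:
                    canon.policy_chain = wname   # borrow the shared wildcard policy chain
                else:
                    # Explicit zone-pair policy, or EXPAND_POLICIES: the canonical chain is
                    # designated as its own policy chain and inherits level and action.
                    canon.is_policy, canon.action, canon.loglevel = True, p.action, p.loglevel
                    canon.policy_chain = cname
                    policy_chains.append(cname)
    return chains, policy_chains


def render_rules(chains: Dict[str, Chain]) -> Dict[str, List[str]]:
    """Emit iptables-style rules per chain; the log prefix names the chain doing the logging."""
    rules: Dict[str, List[str]] = {}
    for name, c in chains.items():
        out: List[str] = []
        if c.is_policy:
            if c.loglevel:
                out.append(f'-A {name} -j LOG --log-level {c.loglevel} '
                           f'--log-prefix "Shorewall:{name}:{c.action}:"')
            out.append(f"-A {name} -j {c.action}")
        elif c.policy_chain:
            out.append(f"-A {name} -j {c.policy_chain}")
        # A wildcard chain under EXPAND_POLICIES stays empty: table entry only.
        rules[name] = out
    return rules


ZONES = ["fw", "net", "loc"]            # constructed sample zones
POLICIES = [                            # constructed sample policy file, in file order
    Policy("loc", "net", "ACCEPT"),
    Policy("net", "all", "DROP", "info"),
    Policy("all", "all", "REJECT", "info"),
]


def compile_policies(expand_policies: bool) -> Tuple[Dict[str, List[str]], List[str]]:
    chains, pcs = build_chains(ZONES, POLICIES, expand_policies)
    return render_rules(chains), pcs


if __name__ == "__main__":
    for expand in (False, True):
        rules, pcs = compile_policies(expand)
        print(f"EXPAND_POLICIES={'Yes' if expand else 'No'}  policy chains: {pcs}")
        for name in sorted(rules):
            for rule in rules[name]:
                print("  ", rule)
```

Without expansion, `net2fw` is a one-line jump to the shared `net2all` chain and every dropped packet from the net zone is logged as `Shorewall:net2all:DROP:`; with expansion, `net2fw` carries its own LOG and DROP rules, `net2all` remains in the table but holds no rules and is absent from the policy-chain list, and the explicit `loc2net ACCEPT` entry is untouched in both modes because first match wins.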
