> I just recalled that 'all' can't be qualified with an ipset name (or
> anything else for that matter).
>
> Patch attached.
>
> With this patch:
>
> - 'all' places the rule in PREROUTING and in OUTPUT
> - 'all-' places the rule in PREROUTING
> - '$FW' places the rule in OUTPUT
> - All of the above can be qualified with ipsets, addresses, etc.

The patch works, but there is one *massive* gotcha:
if ipset is used (I assume that would be valid for any other IP address/subnet, ports, protocol values specified there as well) then the rules generated do not flip the src/dst designators around. For example:

conntrack
~~~~~~~~~
DROP all:+baddies-set

will generate 2 sets of iptables statements all showing "baddies-set src" and not, as what seems the more logical thing, create "baddies-set src" for PREROUTING and "baddies-set dst" for OUTPUT, which may not be the initial intention.

I seem to remember you had a similar arrangement with the dhcp option in "interfaces" as well as "routestopped".

If I were you, I would either change the syntax and make it clearer (perhaps specifying each chain with "O" for OUTPUT, "P" for PREROUTING - similar to what you now have in "secmarks") or keep the existing syntax but place a big, massive warning on the man page, because mistakes such as this would be very easy to make - I know, because that is the first thing I did when I tested your patch.

_______________________________________________
Shorewall-devel mailing list
Shorewall-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
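As an added illustration of the src/dst gotcha discussed in the message above, here is a small hypothetical rule generator. It is example code written for this page, not Shorewall's compiler and not part of the patch. It assumes the chain mapping the patch description gives ('all' = PREROUTING + OUTPUT, 'all-' = PREROUTING, '$FW' = OUTPUT), that conntrack entries land in the raw table, the `-m set --match-set NAME src|dst` ipset match syntax, and that only the OUTPUT half of an 'all' entry is the one whose direction should be flipped; `generate()`, `parse_source()` and `match_fragment()` are names invented here.

```python
"""Hypothetical generator showing why 'all:+set' needs src in PREROUTING but dst in OUTPUT.

Not Shorewall code. Assumed chain mapping (from the patch description):
'all' -> PREROUTING and OUTPUT, 'all-' -> PREROUTING, '$FW' -> OUTPUT.
Assumed that conntrack entries are emitted into the raw table.
"""

# Assumption: which raw-table chains each SOURCE keyword expands to.
RAW_CHAINS = {
    "all": ["PREROUTING", "OUTPUT"],
    "all-": ["PREROUTING"],
    "$FW": ["OUTPUT"],
}


def parse_source(source):
    """Split 'all:+baddies-set' into ('all', '+baddies-set').

    The qualifier after the colon is optional; a bare 'all' yields None.
    """
    zone, _, qualifier = source.partition(":")
    if zone not in RAW_CHAINS:
        raise ValueError(f"unsupported SOURCE keyword: {zone!r}")
    return zone, qualifier or None


def match_fragment(qualifier, direction):
    """Render a qualifier as an iptables match for the given direction.

    '+name' is treated as an ipset (-m set --match-set name src|dst);
    anything else is treated as an address/subnet (-s or -d).
    """
    if qualifier.startswith("+"):
        return f"-m set --match-set {qualifier[1:]} {direction}"
    option = "-s" if direction == "src" else "-d"
    return f"{option} {qualifier}"


def generate(entry, flip_in_output):
    """Expand one 'ACTION SOURCE' conntrack line into iptables raw-table commands.

    flip_in_output=False reproduces the behaviour described in the message:
    every generated rule matches the qualifier as src, including in OUTPUT.
    flip_in_output=True matches the qualifier as dst in the OUTPUT half of an
    'all' entry, so locally generated packets are tested against their
    destination (the remote peer) rather than their source (the firewall).
    """
    action, source = entry.split()
    zone, qualifier = parse_source(source)
    rules = []
    for chain in RAW_CHAINS[zone]:
        direction = "src"
        # Assumption: only 'all' gets flipped; '$FW:addr' qualifies the
        # firewall's own address, which is the source of OUTPUT traffic.
        if flip_in_output and zone == "all" and chain == "OUTPUT":
            direction = "dst"
        parts = ["iptables", "-t", "raw", "-A", chain]
        if qualifier:
            parts.append(match_fragment(qualifier, direction))
        parts += ["-j", action]
        rules.append(" ".join(parts))
    return rules


if __name__ == "__main__":
    entry = "DROP all:+baddies-set"  # constructed sample conntrack entry
    print("# as described in the message (both halves use src):")
    print("\n".join(generate(entry, flip_in_output=False)))
    print("# with the OUTPUT half flipped to dst:")
    print("\n".join(generate(entry, flip_in_output=True)))
```

Run it and compare the two OUTPUT rules: with `src`, the OUTPUT rule tests the firewall's own address against `baddies-set`, which is almost certainly not what a `DROP all:+baddies-set` entry was written to do.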