On 11/21/12 6:19 PM, "Mr Dash Four" <mr.dash.f...@googlemail.com> wrote:
>> I just recalled that 'all' can't be qualified with an ipset name (or
>> anything else for that matter).
>>
>> Patch attached.
>>
>> With this patch:
>>
>> - 'all' places the rule in PREROUTING and in OUTPUT
>> - 'all-' places the rule in PREROUTING
>> - '$FW' places the rule in OUTPUT
>> - All of the above can be qualified with ipsets, addresses, etc.
>
> The patch works, but there is one *massive* gotcha:
>
> If an ipset is used (I assume that would be valid for any other IP
> address/subnet, ports, protocol values specified there as well) then the
> rules generated do not flip the src/dst designators around. For example:
>
> conntrack
> ~~~~~~~~~
> DROP all:+baddies-set
>
> will generate 2 sets of iptables statements all showing "baddies-set src"
> and not, as what seems the more logical thing, create "baddies-set src"
> for PREROUTING and "baddies-set dst" for OUTPUT, which may not be the
> initial intention. I seem to remember you had a similar arrangement with
> the dhcp option in "interfaces" as well as "routestopped".

You need two entries if you want to drop traffic to/from +baddies-set:

DROP all-:+baddies-set -
DROP all +baddies-set

So I don't see anything broken here except that I need to add an example to the manpages.

-Tom

You do not need a parachute to skydive.
You only need a parachute to skydive twice.

_______________________________________________
Shorewall-devel mailing list
Shorewall-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
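The following is an added illustration of the SOURCE-column semantics discussed in this exchange; it is not Shorewall's compiler and is not code posted by either participant. It models only what the thread states: 'all' lands in PREROUTING and OUTPUT, 'all-' in PREROUTING, '$FW' in OUTPUT, a SOURCE qualifier always becomes a source match and the DEST column always a destination match, so no src/dst flipping happens per chain. The function and variable names, the argument-list layout of the generated rules, and the sample entries are assumptions made for the example.

```python
"""Hypothetical model (not Shorewall code) of how a conntrack-file entry
ACTION SOURCE DEST expands into iptables raw-table rules under the
semantics described in the thread. It exists to make the src/dst
gotcha visible: 'all:+baddies-set' yields 'src' in both chains, and
dropping traffic *to* the set needs a second entry with DEST set."""

IPSET_PREFIX = "+"


def chains_for(source_base):
    """Raw-table chains an entry lands in, per the thread's description."""
    return {
        "all": ["PREROUTING", "OUTPUT"],
        "all-": ["PREROUTING"],
        "$FW": ["OUTPUT"],
    }[source_base]


def match_for(qualifier, direction):
    """iptables match arguments for one qualifier in one direction.

    An ipset (leading '+') becomes '-m set --match-set NAME src|dst';
    anything else is treated as an address/network ('-s'/'-d').
    '-' or an empty qualifier matches everything.
    """
    if qualifier in ("", "-"):
        return []
    if qualifier.startswith(IPSET_PREFIX):
        return ["-m", "set", "--match-set", qualifier[1:], direction]
    return ["-s" if direction == "src" else "-d", qualifier]


def compile_entry(action, source, dest="-"):
    """Expand one entry into a list of rule argument lists (one per chain)."""
    base, _, qualifier = source.partition(":")
    rules = []
    for chain in chains_for(base):
        rule = ["-t", "raw", "-A", chain]
        rule += match_for(qualifier, "src")  # SOURCE column is always 'src'
        rule += match_for(dest, "dst")       # DEST column is always 'dst'
        rule += ["-j", action]
        rules.append(rule)
    return rules


def compile_file(entries):
    """Expand a whole (constructed) conntrack file given as (action, source, dest) tuples."""
    return [rule for entry in entries for rule in compile_entry(*entry)]


def directions(rules):
    """(chain, 'src'|'dst') for every rule that references an ipset."""
    out = []
    for rule in rules:
        if "--match-set" in rule:
            i = rule.index("--match-set")
            out.append((rule[3], rule[i + 2]))
    return out


if __name__ == "__main__":
    # The single entry from the thread: both chains match 'baddies-set src'.
    for rule in compile_entry("DROP", "all:+baddies-set"):
        print("iptables", " ".join(rule))
    print("---")
    # The two-entry form: inbound from the set, plus outbound/forwarded to it.
    for rule in compile_file([("DROP", "all-:+baddies-set", "-"),
                              ("DROP", "all", "+baddies-set")]):
        print("iptables", " ".join(rule))
```

Running it prints the single-entry expansion (two rules, both `--match-set baddies-set src`) followed by the two-entry expansion, where PREROUTING gets one `src` and one `dst` rule and OUTPUT gets only the `dst` rule, which is the behaviour the reply describes.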