>> The patch works, but there is one *massive* gotcha:
>>
>> if ipset is used (I assume that would be valid for any other IP
>> address/subnet, ports, protocol values specified there as well) then the
>> rules generated do not flip the src/dst designators around. For example:
>>
>> conntrack
>> ~~~~~~~~~
>> DROP all:+baddies-set
>>
>> will generate 2 sets of iptables statements all showing "baddies-set src"
>> and not, as what seems the more logical thing, create "baddies-set src"
>> for PREROUTING and "baddies-set dst" for OUTPUT, which may not be the
>> initial intention. I seem to remember you had a similar arrangement with
>> the dhcp option in "interfaces" as well as "routestopped".
>
>
> You need two entries if you want to drop traffic to/from +baddies-set:
>
> DROP all-:+baddies-set -
> DROP all +baddies+set
>
> So I don't see anything broken here except that I need to add an example
> to the manpages.

I didn't say that it was, because it isn't.
What I did point out to you is that the use of "all" in particular is not as straightforward as it seems, simply because if source/destination designators are used (either in ipsets, IP addresses or ports) they would be applied in *both* directions of the connection *without* being flipped around. In other words, if I use "all:+baddies-set" (assuming this is a one-dimensional set) that would mean matching on a source designation ('src' match) in *both* directions of a particular connection, which in 99% of the cases out there wouldn't be desired.

The use of "all-" is not intuitive, unless you can show me how that relates to the PREROUTING chain? Same goes for "$FW" too. That is why I suggested to you that you either allow the OUTPUT and PREROUTING chains to be explicitly selected - via "O" or "P", or any other appropriate/suitable/more intuitive options ("all-" and "$FW" don't count) - in order to avoid this confusion.

Case in point of what I've just written - your example above. If I find it confusing, and it looks as though the use of "all" and "all-" is confusing you too (or, at least, it isn't as straightforward to you, to the point that you can make an easy mistake and cock everything up as you did above), then how do you think other, less-knowledgeable, shall we say, shorewall users will find this?

_______________________________________________
Shorewall-devel mailing list
Shorewall-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
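One way to audit a generated raw table for the direction problem discussed in this thread, as an added example that is neither Shorewall's code nor the poster's: it parses `iptables-save -t raw` style output and reports ipset matches whose flag does not address the remote peer for the chain they sit in. The sample rules and the PEER_FLAG mapping below are constructed assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of `iptables-save -t raw` output, mimicking what the
# thread describes: one conntrack entry "DROP all:+baddies-set" yielding a
# "src" set match in both PREROUTING and OUTPUT. Not taken from Shorewall.
SAMPLE_RAW_TABLE = """\
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -m set --match-set baddies-set src -j DROP
-A OUTPUT -m set --match-set baddies-set src -j DROP
COMMIT
"""

# Constructed sample where both directions are covered (the two-entry
# approach): OUTPUT matches the set as destination.
SAMPLE_RAW_TABLE_BOTH_WAYS = """\
*raw
-A PREROUTING -m set --match-set baddies-set src -j DROP
-A OUTPUT -m set --match-set baddies-set src -j DROP
-A OUTPUT -m set --match-set baddies-set dst -j DROP
COMMIT
"""

RULE_RE = re.compile(
    r"^-A (?P<chain>\S+)\s.*?--match-set (?P<set>\S+) (?P<flags>[a-z,]+)"
)

def set_matches(iptables_save_text):
    """Return {(chain, set_name): [flags, ...]} for every ipset match found."""
    found = defaultdict(list)
    for line in iptables_save_text.splitlines():
        m = RULE_RE.match(line)
        if m:
            found[(m["chain"], m["set"])].append(m["flags"])
    return found

# Assumed mapping of which first flag addresses the remote peer per chain:
# PREROUTING sees inbound packets (peer is the source); OUTPUT sees packets
# the firewall itself emits (peer is the destination).
PEER_FLAG = {"PREROUTING": "src", "OUTPUT": "dst"}

def missing_peer_direction(iptables_save_text):
    """List (chain, set, wanted_flag) where no rule uses the peer-side flag."""
    gaps = []
    for (chain, name), flag_list in set_matches(iptables_save_text).items():
        want = PEER_FLAG.get(chain)
        if want and not any(f.split(",")[0] == want for f in flag_list):
            gaps.append((chain, name, want))
    return gaps
```

Running `missing_peer_direction` over a real `iptables-save -t raw` dump shows whether each set referenced from a conntrack entry is matched in the direction the entry was meant to cover.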