On 01/06/2013 10:55 AM, Tom Eastep wrote:
>> 4.2
>>
>> rules
>> ~~~~~
>> SECTION RELATED
>>
>> # local
>> ACCEPT $FW local icmp destination-unreachable
>> LOG:info(uid,tcp_options,ip_options,macdecode,tcp_sequence) $FW local
>> ACCEPT:NFLOG(1,0,1) $FW local
>> ACCEPT local $FW icmp destination-unreachable
>> LOG:info(uid,tcp_options,ip_options,macdecode,tcp_sequence) local $FW
>> ACCEPT:NFLOG(1,0,1) local $FW
>>
>> translates to:
>>
>> -A fw2local -p 1 --icmp-type 3 -m conntrack --ctstate RELATED -j ACCEPT
>> -A fw2local -m conntrack --ctstate RELATED -j LOG --log-uid
>> --log-tcp-options --log-ip-options --log-macdecode --log-tcp-sequence
>> --log-level 6 --log-prefix "Shorewall:fw2local:LOG:"
>> -A fw2local -m conntrack --ctstate RELATED -g ~log0
>> -A fw2local -m conntrack --ctstate RELATED -g A_DROP
>> [...]
>> -A local2fw -p 1 --icmp-type 3 -m conntrack --ctstate RELATED -j ACCEPT
>> -A local2fw -m conntrack --ctstate RELATED -j LOG --log-uid
>> --log-tcp-options --log-ip-options --log-macdecode --log-tcp-sequence
>> --log-level 6 --log-prefix "Shorewall:local2fw:LOG:"
>> -A local2fw -m conntrack --ctstate RELATED -g ~log1
>> -A local2fw -m conntrack --ctstate RELATED -g A_DROP
>> [...]
>> -A ~log0 -j NFLOG --nflog-group 1 --nflog-range 0 --nflog-threshold 1
>> --nflog-prefix "Shorewall:fw2local:ACCEPT:"
>> -A ~log0 -j ACCEPT
>> -A ~log1 -j NFLOG --nflog-group 1 --nflog-range 0 --nflog-threshold 1
>> --nflog-prefix "Shorewall:local2fw:ACCEPT:"
>> -A ~log1 -j ACCEPT
>>
>> As evident, "--ctstate RELATED" optimisation is non-existent!
>
> You're right.
>
>> All of the above statements for each group (fw2local and local2fw) could be
>> combined into a chain with a single "--ctstate RELATED" match.
>
> The right thing to do here is to generate a separate chain as was done
> in the now-extinct BLACKLIST section. That results in only one STATE
> test. Also added to the wish list.
This will be in Beta 4.

-Tom

-- 
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
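The single-STATE-test chain described above, as an added illustration that is not Shorewall's own code: a Python rewrite of the quoted iptables output that moves each chain's run of `--ctstate RELATED` rules into one helper chain entered through a single conntrack match. The helper chain name `~related_<chain>` is a constructed placeholder, not the compiler's naming; the input rules are the quoted ones with wrapped lines rejoined and the `[...]` elisions dropped.

```python
import re

# Constructed sample: the rules Shorewall generated in the quoted message,
# each wrapped rule rejoined onto one line, "[...]" elisions dropped.
GENERATED = """\
-A fw2local -p 1 --icmp-type 3 -m conntrack --ctstate RELATED -j ACCEPT
-A fw2local -m conntrack --ctstate RELATED -j LOG --log-uid --log-tcp-options --log-ip-options --log-macdecode --log-tcp-sequence --log-level 6 --log-prefix "Shorewall:fw2local:LOG:"
-A fw2local -m conntrack --ctstate RELATED -g ~log0
-A fw2local -m conntrack --ctstate RELATED -g A_DROP
-A local2fw -p 1 --icmp-type 3 -m conntrack --ctstate RELATED -j ACCEPT
-A local2fw -m conntrack --ctstate RELATED -j LOG --log-uid --log-tcp-options --log-ip-options --log-macdecode --log-tcp-sequence --log-level 6 --log-prefix "Shorewall:local2fw:LOG:"
-A local2fw -m conntrack --ctstate RELATED -g ~log1
-A local2fw -m conntrack --ctstate RELATED -g A_DROP
-A ~log0 -j NFLOG --nflog-group 1 --nflog-range 0 --nflog-threshold 1 --nflog-prefix "Shorewall:fw2local:ACCEPT:"
-A ~log0 -j ACCEPT
-A ~log1 -j NFLOG --nflog-group 1 --nflog-range 0 --nflog-threshold 1 --nflog-prefix "Shorewall:local2fw:ACCEPT:"
-A ~log1 -j ACCEPT
"""

STATE = "-m conntrack --ctstate RELATED"
RULE = re.compile(r"^-A (\S+) (.*)$")

def count_state_tests(rules):
    """Number of rules that carry their own conntrack RELATED match."""
    return sum(STATE in line for line in rules)

def hoist_state_match(rules):
    """Rewrite each chain's consecutive RELATED rules into one helper chain
    (constructed name ~related_<chain>) reached via a single state test.
    A helper that matches nothing returns to the caller, so rules after
    the run are still reached, exactly as with the per-rule matches."""
    out, run, run_chain = [], [], None

    def flush():
        if len(run) < 2:                       # one rule: nothing to save
            out.extend(f"-A {run_chain} {STATE} {rest}" for rest in run)
        else:
            helper = f"~related_{run_chain}"   # placeholder chain name
            out.append(f"-N {helper}")
            out.append(f"-A {run_chain} {STATE} -j {helper}")
            out.extend(f"-A {helper} {rest}" for rest in run)
        run.clear()

    for line in rules:
        m = RULE.match(line)
        if m and STATE in m.group(2):
            chain = m.group(1)
            if run and chain != run_chain:
                flush()                        # chain changed: close the run
            run_chain = chain
            run.append(" ".join(m.group(2).replace(STATE, "").split()))
        else:
            if run:
                flush()
            out.append(line)                   # unrelated rule: pass through
    if run:
        flush()
    return out
```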
_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
