> 1) There are now two new sections in the rules file:
>
>    INVALID
>    [...]
>
> NOTRACK_DISPOSITION
>
> Valid values are CONTINUE, ACCEPT, DROP, REJECT, A_ACCEPT
> and A_DROP.
>
> The default is CONTINUE, which provides compatibility with
> earlier releases (the packets are subject to the rules in
> the NEW section).
>
> NOTRACK_LOG_LEVEL.
>
> Determines logging of packets handled by
> NOTRACK_DISPOSITION. Empty by default (no logging).

1. Optimise same-jump and same-match rules which have different states:
   -A net2fw -m conntrack --ctstate ESTABLISHED -j ACCEPT
   -A net2fw -m conntrack --ctstate RELATED -j ACCEPT

   could be optimised to

   -A net2fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

2. INVALID_DISPOSITION: A_REJECT, A_ACCEPT and ACCEPT were accepted by shorewall (no errors were given), though these were ultimately ignored as no iptables rules were produced. At an earlier stage of the testing of this, the INVALID_DISPOSITION option seemed to be completely ignored whatever value I specified - if I have "INVALID_DISPOSITION=DROP" in shorewall.conf, for example, there was nothing generated with an INVALID state match and a DROP jump. Unfortunately, I was not able to reproduce this at the later stages.

3. UNTRACKED_DISPOSITION (this is listed as NOTRACK_DISPOSITION in the announcement above, though "shorewall update" converts it and treats it as UNTRACKED_DISPOSITION): CONTINUE works; ACCEPT and A_ACCEPT are ignored completely for whatever reason (I expected -j ACCEPT/A_ACCEPT); A_DROP is accepted and works (this wasn't in the announcement); and A_REJECT is accepted (no syntax error is given), but ultimately no iptables rule is produced. The strangest thing for UNTRACKED_DISPOSITION as well was that at one stage (at the beginning of the testing) I was able to produce an adequate rule only for some of the chains: I had the appropriate "--ctstate UNTRACKED -j <ACTION>" generated for my fw2local and local2fw chains, for example, but not for the fw2net and net2fw chains. Again, I was unable to reproduce this later on, unfortunately!

4. "SECTION UNTRACKED" is accepted (while "SECTION NOTRACK" isn't) as a section statement in (at least) "rules" (not that I am complaining, as to me it is more intuitive) - "ERROR: Invalid SECTION (NOTRACK)" is shown.

5. Similar to 1. above: if I have exactly the same statements in any two sections in "rules" (say INVALID and UNTRACKED), the chain itself is properly optimised, but the "state" isn't.
   I get this instead:

   -A fw2net -m conntrack --ctstate INVALID -j ~comb0
   -A fw2net -m conntrack --ctstate UNTRACKED -j ~comb0

   That should have been:

   -A fw2net -m conntrack --ctstate INVALID,UNTRACKED -j ~comb0

_______________________________________________
Shorewall-devel mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
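The optimisation requested in items 1 and 5 above (folding adjacent rules that differ only in their --ctstate value and share the same jump target) is small enough to show in full. The script below is an added example written for this page; it is not Shorewall code and does not reflect how Shorewall's Perl compiler performs its own chain optimisation. The input is a constructed sample in iptables-save syntax modelled on the rules quoted in the post, and the function and regular expression names are the example's own.

```python
import re

# Constructed sample in iptables-save syntax, modelled on the rules quoted in
# the post (not real Shorewall output). Rules 1-2 and 4-5 should fold; rule 3
# has no ctstate match and rule 6 has a different target, so they stay as-is.
SAMPLE_RULES = """\
-A net2fw -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A net2fw -m conntrack --ctstate RELATED -j ACCEPT
-A net2fw -p tcp --dport 22 -j ACCEPT
-A fw2net -m conntrack --ctstate INVALID -j ~comb0
-A fw2net -m conntrack --ctstate UNTRACKED -j ~comb0
-A fw2net -m conntrack --ctstate INVALID -j DROP
"""

# Splits "-A CHAIN <matches before> --ctstate STATES <matches after> -j TARGET"
# into the text before the states, the states themselves, and the text after.
CTSTATE_RE = re.compile(r"^(-A \S+ .*?)--ctstate (\S+)( .*-j \S+)$")


def split_rule(line):
    """Return (prefix, [states], suffix) for a rule with a --ctstate match,
    or None for any other rule (which is then never merged)."""
    m = CTSTATE_RE.match(line.strip())
    if not m:
        return None
    prefix, states, suffix = m.groups()
    return prefix, states.split(","), suffix


def merge_ctstate_rules(lines):
    """Fold *adjacent* rules whose only difference is the --ctstate value.

    Only neighbouring rules are merged: the chain, every other match and the
    jump target must be identical, so the fold cannot change which rule a
    packet hits. Non-adjacent rules are left alone because a rule in between
    could match the same packet and alter the outcome.
    """
    merged = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        cur = split_rule(line)
        if cur and merged:
            prev = split_rule(merged[-1])
            if prev and prev[0] == cur[0] and prev[2] == cur[2]:
                # Same chain, same other matches, same jump: union the states.
                states = prev[1] + [s for s in cur[1] if s not in prev[1]]
                merged[-1] = f"{prev[0]}--ctstate {','.join(states)}{prev[2]}"
                continue
        merged.append(line)
    return merged


def merged_sample():
    """Convenience wrapper: the constructed sample after merging."""
    return merge_ctstate_rules(SAMPLE_RULES.splitlines())


if __name__ == "__main__":
    for rule in merged_sample():
        print(rule)
```

Run against the sample, the two net2fw ACCEPT rules collapse into one with `--ctstate ESTABLISHED,RELATED`, the two `~comb0` rules collapse into `--ctstate INVALID,UNTRACKED`, and the SSH rule and the final DROP rule are untouched. Restricting the fold to adjacent rules is deliberate: the conntrack states a packet can carry are not all mutually exclusive (for example a packet can be both ESTABLISHED and DNAT), so merging across an intervening rule could let a packet reach a different target than before.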
