> Patch attached. Note that it removes A_ACCEPT and ACCEPT from the
> possible choices for INVALID_DISPOSITION (which is as documented).

A_REJECT is allowed (rightly so!) - all you need is to amend the original announcement as A_REJECT wasn't included there. Another query: out of interest, why do you use "-g A_X" (X=DROP,REJECT) and not a regular jump - what is there to be gained by that?

>> 3. UNTRACKED_DISPOSITION (this is listed as NOTRACK_DISPOSITION in
>> the announcement above, though "shorewall update" converts it and
>> treats it as UNTRACKED_DISPOSITION): CONTINUE works, ACCEPT and
>> A_ACCEPT are ignored completely for whatever reason (I expected -j
>> ACCEPT/A_ACCEPT), A_DROP is accepted and works (this wasn't in the
>> announcement) and A_REJECT is accepted (no syntax error is given),
>> but ultimately no iptables rule is produced.
>
> The attached patch should correct that problem as well.

ACCEPT is still ignored, A_ACCEPT is, this time, correctly handled and so are the rest of the built-in actions (you need to amend your original announcement to include A_REJECT).

>> -A fw2net -m conntrack --ctstate INVALID -j ~comb0
>> -A fw2net -m conntrack --ctstate UNTRACKED -j ~comb0
>>
>> That should have been "-A fw2net -m conntrack --ctstate
>> INVALID,UNTRACKED -j ~comb0"
>>
>
> That's an even harder case for the compiler to detect.

The way I see it, if the jump target is the same all you have to do is check for different states and combine them if that is the case and if there are no additional matches (this would obviously require another pass to check for "comb0" as this, I assume, was produced by the optimizer).

_______________________________________________
Shorewall-devel mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
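
The combining rule suggested in the message above (same chain and jump target, different states, no additional matches), as an added example in Python; it is not part of the original message and is not Shorewall's optimizer code. The function name and the last three sample rules are constructed for illustration, and only consecutive rules are merged so that rule order, and with it first-match behaviour, stays unchanged.

```python
import re

# A "simple" rule: the only match is conntrack --ctstate, then a jump (-j) or goto (-g).
SIMPLE = re.compile(
    r"^-A (?P<chain>\S+) -m conntrack --ctstate (?P<states>[A-Z,]+) "
    r"(?P<jump>-[jg]) (?P<target>\S+)$"
)

def combine_ctstate(rules):
    """Merge consecutive rules that differ only in their --ctstate list."""
    out = []      # finished rules, in original order
    prev = None   # (chain, jump, target, [states]) of the pending simple rule

    def flush():
        nonlocal prev
        if prev:
            chain, jump, target, states = prev
            out.append(f"-A {chain} -m conntrack --ctstate {','.join(states)} {jump} {target}")
            prev = None

    for rule in rules:
        m = SIMPLE.match(rule.strip())
        if not m:                      # additional matches present: never merged
            flush()
            out.append(rule.strip())
            continue
        key = (m["chain"], m["jump"], m["target"])
        states = m["states"].split(",")
        if prev and prev[:3] == key:   # same chain, same -j/-g, same target
            prev[3].extend(s for s in states if s not in prev[3])
        else:
            flush()
            prev = (*key, list(states))
    flush()
    return out

# First two rules are the ones quoted in the thread; the rest are constructed.
SAMPLE = [
    "-A fw2net -m conntrack --ctstate INVALID -j ~comb0",
    "-A fw2net -m conntrack --ctstate UNTRACKED -j ~comb0",
    "-A fw2net -p tcp -m conntrack --ctstate INVALID -j ~comb0",  # extra match
    "-A net2fw -m conntrack --ctstate INVALID -g A_DROP",
    "-A net2fw -m conntrack --ctstate UNTRACKED -j A_DROP",       # -g vs -j differ
]

if __name__ == "__main__":
    print("\n".join(combine_ctstate(SAMPLE)))
```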
