On 02/02/2013 05:59 PM, Mr Dash Four wrote:
>
>> Crap -- wonder how that made it out the door.
>>
>> Removing this line from the failing actions will correct that
>> issue:
>>
>> use Shorewall::Rules qw( process_rule1 );
> It does, though there is another issue:
>
> rules ~~~~~ SECTION RELATED Related(ELOG(-,fw2NeT,2)) $FW net
>
> produces:
>
> -A +fw2net -m conntrack --ctstate RELATED -j ELOG
>
> "--cstate RELATED" match can be optimised away (it is not needed
> since the +fw2net chain has that match already). The "inline"
> equivalent of ELOG (IELOG) produces 2 additional RELATED matches (for
> each statement of that action) as well, but I suspect you already
> know that. I also suspect the situation will be the same if I use
> Established in the ESTABLISHED section, Untracked in the UNTRACKED
> section and Invalid in the INVALID section.

All of that is corrected in my current tree.

>
>> So you believe that the compiler should somehow ignore 'inline'
>> and treat the action as if it were not inlined?
> Yeah, getting ahead of myself. You are right there.
>
>> Again, optimization and detection of non-matching states will be
>> left for another release.
> Fair enough, as long as I am aware of these deficiencies it is all
> fine by me.

As I mentioned in a later post yesterday, I've been able to do some work in that area for this release.

>
>>
>>> The second problem is this:
>>>
>>> rules ~~~~~ SECTION RELATED IELOG(-,fw2NeT,2)
>>> Invalid(IELOG(-,fw2NeT,2)) $FW net
>>>
>>> produces:
>>>
>>> -A +fw2net -m conntrack -j LOG --log-tcp-options --log-ip-options
>>> --log-macdecode --log-tcp-sequence --log-uid --log-level 6
>>> --log-prefix "Shorewall:fw2NeT::" -A +fw2net -m conntrack -j
>>> NFLOG --nflog-group 2 --nflog-range 0 --nflog-threshold 1
>>> --nflog-prefix "Shorewall:fw2NeT::"
>>>
>>> In other words, not even a hint of "--cstate INVALID" (it could
>>> have been "optimised away" by mistake). In general, if the action
>>> above Invalid seems to be inline, the whole "Invalid(...)"
>>> statement seems to be totally ignored.
> Anything on this?

I posted a patch yesterday.

Cheers,
-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
