On 02/02/2013 05:59 PM, Mr Dash Four wrote:
>
>
>> Patch attached. Note that it removes A_ACCEPT and ACCEPT from the
>> possible choices for INVALID_DISPOSITION (which is as documented).
> A_REJECT is allowed (rightly so!) - all you need is to amend the
> original announcement as A_REJECT wasn't included there. Another
> query: out of interest, why do you use "-g A_X" (X=DROP,REJECT) and
> not a regular jump - what is there to be gained by that?
>
>>> 3. UNTRACKED_DISPOSITION (this is listed as NOTRACK_DISPOSITION
>>> in the announcement above, though "shorewall update" converts it
>>> and treats it as UNTRACKED_DISPOSITION): CONTINUE works, ACCEPT
>>> and A_ACCEPT are ignored completely for whatever reason (I
>>> expected -j ACCEPT/A_ACCEPT), A_DROP is accepted and works (this
>>> wasn't in the announcement) and A_REJECT is accepted (no syntax
>>> error is given), but ultimately no iptables rule is produced.
>>
>> The attached patch should correct that problem as well.
>
> ACCEPT is still ignored, A_ACCEPT is, this time, correctly handled
> and so are the rest of the built-in actions (you need to amend your
> original announcement to include A_REJECT).
>
>
>>> -A fw2net -m conntrack --ctstate INVALID -j ~comb0
>>> -A fw2net -m conntrack --ctstate UNTRACKED -j ~comb0
>>>
>>> That should have been "-A fw2net -m conntrack --ctstate
>>> INVALID,UNTRACKED -j ~comb0"
>>>
>>
>> That's an even harder case for the compiler to detect.
> The way I see it, if the jump target is the same all you have to do
> is check for different states and combine them if that is the case
> and if there are no additional matches (this would obviously require
> another pass to check for "comb0" as this, I assume, was produced by
> the optimizer).

Yep -- Optimize level 16 currently does something similar by combining
adjacent rules that are identical except for port number(s). I would
have to do something similar for conntrack state.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
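
The merge discussed in this exchange, sketched as an added example: it is not Shorewall's optimizer code, and `split_rule` and `combine_ctstate` are hypothetical names. It goes slightly beyond the quoted case by leaving negated matches and the virtual SNAT/DNAT states alone, on the assumption that merging only preserves behaviour for mutually exclusive states.

```python
import re

# Added illustration; not Shorewall's optimizer. All names are hypothetical.
CTSTATE = re.compile(r"(?P<neg>!\s+)?--ctstate\s+(?P<states>[A-Z,]+)")
# A packet holds exactly one of these. SNAT and DNAT are virtual states that
# can accompany any of them, so rules naming them are left unmerged (assumption:
# merging is only behaviour-preserving for mutually exclusive states).
EXCLUSIVE = {"INVALID", "NEW", "ESTABLISHED", "RELATED", "UNTRACKED"}

def split_rule(rule):
    """Return [prefix, suffix, states] for a mergeable rule, else None."""
    hits = list(CTSTATE.finditer(rule))
    if len(hits) != 1 or hits[0].group("neg"):
        return None                      # no ctstate match, several, or negated
    m = hits[0]
    states = m.group("states").split(",")
    if not set(states) <= EXCLUSIVE:
        return None
    return [rule[:m.start("states")], rule[m.end("states"):], states]

def combine_ctstate(rules):
    """Merge adjacent rules that are identical except for the --ctstate list."""
    out = []                             # str = untouched rule, list = mergeable
    for rule in (r.strip() for r in rules):
        parts = split_rule(rule)
        prev = out[-1] if out else None
        if parts and isinstance(prev, list) and prev[:2] == parts[:2]:
            # Same chain, matches and target: extend the state list in order.
            prev[2] += [s for s in parts[2] if s not in prev[2]]
        else:
            out.append(parts or rule)
    return [r if isinstance(r, str) else r[0] + ",".join(r[2]) + r[1] for r in out]

# Constructed input; the first two rules are the pair quoted in the thread.
SAMPLE = [
    "-A fw2net -m conntrack --ctstate INVALID -j ~comb0",
    "-A fw2net -m conntrack --ctstate UNTRACKED -j ~comb0",
    "-A fw2net -p tcp -m conntrack --ctstate NEW -j ACCEPT",   # additional match
    "-A fw2net -m conntrack --ctstate NEW -j ACCEPT",
    "-A fw2net -m conntrack ! --ctstate INVALID -j DROP",      # negated: not merged
    "-A fw2net -m conntrack ! --ctstate UNTRACKED -j DROP",
]

if __name__ == "__main__":
    print("\n".join(combine_ctstate(SAMPLE)))
```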
