> rules
> ~~~~~
> SECTION NEW
> New(...) ...
> ...
>
> The above produces an extra "--ctstate NEW" match which isn't necessary and
> should be removed, as is the case with the rest of the statements in that
> section. The same is valid if I use something like "New(IELOG(...))" - all
> "--ctstate NEW" matches, including the ones in the inline action, should be
> removed.
>
> Also, I can't see using New(...) anywhere else making much sense with the
> exception of maybe blrules and only in case where BLACKLIST=NEW,...

That is now fixed.
> Another 2 issues:
>
> 1.
>
> rules
> ~~~~~
> SECTION NEW
> New(dropInvalid) $FW net
>
> produces:
>
> -A fw2net -m conntrack --ctstate NEW -m conntrack --ctstate INVALID -j DROP

This one is gone as well. It is interesting that when I use "New(ELOG(,fw2NeT,2)) $FW net" that works as expected (as opposed to "Related(ELOG(,fw2NeT,2)) $FW net" in "SECTION RELATED" - see my previous post).

> 2.
>
> shorewall.conf
> ~~~~~~~~~~~~~~
> BLACKLIST="NEW,UNTRACKED"
>
> blrules
> ~~~~~~~
> New(dropInvalid) $FW net
> dropInvalid $FW net
>
> produces:
>
> -A fw2net~ -m conntrack --ctstate NEW -m conntrack --ctstate INVALID -j DROP
> -A fw2net~ -m conntrack --ctstate INVALID -j DROP
>
> Obviously, the "INVALID" rules should have been dropped.

This issue has also been fixed. However:

shorewall.conf
~~~~~~~~~~~~~~
BLACKLIST="NEW,UNTRACKED"

blrules
~~~~~~~
New(dropInvalid) $FW net
dropInvalid $FW net
WHITELIST $FW:+whitelist net
<EOF>

produces:

-A fw2net -m conntrack --ctstate NEW,UNTRACKED -j fw2net~
[...]
-A fw2net~ -m set --match-set whitelist dst -j RETURN

In other words, the single RETURN isn't optimised away. When I have:

blrules
~~~~~~~
WHITELIST $FW:+whitelist net
<EOF>

that blacklist chain *is* optimised properly and the single RETURN is gone.

_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
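As an added illustration (not part of the thread and not Shorewall's own code), the following Python lint checks a compiled ruleset for the three symptoms the thread walks through: a rule carrying more than one `--ctstate` match, rules in the blacklist chain that can never be reached because the jump into that chain only admits NEW,UNTRACKED packets, and a blacklist chain left holding nothing but a single RETURN. The sample rule lines are constructed from the ones quoted above; chain and target names are taken from the message.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed samples (not Shorewall output): A = the WHITELIST-only blrules case
# from the message, "[...]" rules omitted; B = the chain with the INVALID rules.
SAMPLE_WHITELIST = """\
-A fw2net -m conntrack --ctstate NEW,UNTRACKED -j fw2net~
-A fw2net~ -m set --match-set whitelist dst -j RETURN
"""
SAMPLE_INVALID = """\
-A fw2net -m conntrack --ctstate NEW,UNTRACKED -j fw2net~
-A fw2net~ -m conntrack --ctstate NEW -m conntrack --ctstate INVALID -j DROP
-A fw2net~ -m conntrack --ctstate INVALID -j DROP
"""
RULE_RE = re.compile(r"^-A (\S+) (.*?)-j (\S+)$")
CTSTATE_RE = re.compile(r"-m conntrack --ctstate (\S+)")

def parse(text: str) -> List[Tuple[str, List[Set[str]], str]]:
    """One (chain, [state set per --ctstate match], target) per -A line."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            states = [set(s.split(",")) for s in CTSTATE_RE.findall(m.group(2))]
            rules.append((m.group(1), states, m.group(3)))
    return rules

def lint(text: str) -> List[str]:
    """Flag repeated --ctstate matches, never-matching and unreachable rules, and single-RETURN chains."""
    rules = parse(text)
    by_chain: Dict[str, List[str]] = {}          # chain -> targets, in order
    for chain, _, target in rules:
        by_chain.setdefault(chain, []).append(target)
    # states admitted into a user chain = union of its jumps' --ctstate constraints
    # (None = at least one jump into it is unfiltered)
    entry: Dict[str, Optional[Set[str]]] = {}
    for _, states, target in rules:
        if target in by_chain:
            allowed = set.intersection(*states) if states else None
            prev = entry.get(target, set())
            entry[target] = None if allowed is None or prev is None else prev | allowed
    findings = []
    for n, (chain, states, _) in enumerate(rules, 1):
        need = set.intersection(*states) if states else None   # packet must satisfy all matches
        if len(states) > 1:
            findings.append(f"rule {n}: {len(states)} --ctstate matches on one rule")
        if need is not None and not need:
            findings.append(f"rule {n}: --ctstate constraints are disjoint, never matches")
        elif need is not None and entry.get(chain) is not None and not need & entry[chain]:
            findings.append(f"rule {n}: unreachable, {chain} only sees {sorted(entry[chain])}")
    for chain, targets in by_chain.items():
        if targets == ["RETURN"]:
            findings.append(f"chain {chain}: only a single RETURN, could be optimised away")
    return findings
```

Running `lint()` over an `iptables-save` dump of a compiled configuration gives a quick regression check for these cases after a Shorewall upgrade.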
