On 4/8/13 8:01 AM, "Mr Dash Four" <mr.dash.f...@googlemail.com> wrote:

>
>> I was thinking about that as well, and it would indeed be easier.
>>
>> How about this:
>>
>> ACCEPT <src> <dst> ; MATCH -m <match 1> -m <match 2> ...
>>
>> The preprocessor already looks for ';' and the MATCH keyword would
>> trigger the new interpretation of the text that follows.
>>
>Yep, I agree, though the 'MATCH' word may not be present at all, so the
>trigger, if you like, could be the 'INLINE' keyword, i.e.:
>
>INLINE <src> <dst> ; ... (see my next comment).
>
>> I would prefer to keep the rule target (the '-j ...' part) in the ACTION
>> column if possible.
>>
>Nope, that would prevent me from using custom-made targets (something
>like '-j SECCTX --name <name>' for example).

Okay -- I've implemented the following:

3)  A new INLINE action has been added. This action allows defining
   arbitrary iptables rules in the blrules and rules files, as well as
   in action and macro bodies.

   The basic form of an INLINE rule is as follows:

      INLINE    <src> <dst> <proto> ... ; <iptables matches and jump>

   Example:

      INLINE  $FW   all   tcp   1234  ; -j SETCTX --name foo

   As part of this change, a new 'builtin' action type has been added.
   ip[6]tables actions not supported by Shorewall (such as 'SETCTX' in
   the example above), must be defined in your
   /etc/shorewall[6]/actions file.

   Example:

      SETCTX    builtin


Is this what you had in mind?

-Tom
You do not need a parachute to skydive. You only need a parachute to
skydive twice.
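As an added illustration of the INLINE rule form Tom describes (my own example, not code from Shorewall's Perl compiler): a small Python checker that splits a rule at ';', pulls the '-j' target out of the inline iptables text, and verifies that any target Shorewall itself does not provide is declared as 'builtin' in the actions file, so a typo in a target name is caught before it reaches iptables. The rules and actions texts are constructed samples; STANDARD_TARGETS is an assumed, deliberately short list, and treating a missing '-j' as an error is my reading of "<iptables matches and jump>", not something the thread states.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample of a rules file using the INLINE syntax from the thread.
RULES = """\
# ACTION   SOURCE  DEST   PROTO  DPORT
ACCEPT     net     $FW    tcp    22
INLINE     $FW     all    tcp    1234  ; -j SETCTX --name foo
INLINE     net     $FW    tcp    80    ; -m string --string "evil" --algo bm -j DROP
INLINE     net     $FW    udp    53    ; -j NOSUCH
"""

# Constructed sample of an actions file declaring a 'builtin' target.
ACTIONS = """\
# ACTION   TYPE
SETCTX     builtin
"""

# Assumed minimal set of targets the compiler knows without a declaration.
STANDARD_TARGETS: Set[str] = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG"}


@dataclass
class Rule:
    action: str            # first column, e.g. ACCEPT or INLINE
    columns: List[str]     # remaining Shorewall columns before ';'
    inline: Optional[str]  # raw iptables text after ';', if any
    target: Optional[str]  # value following -j in the inline text


def _strip(line: str) -> str:
    """Drop a trailing '#' comment and surrounding whitespace."""
    return line.split("#", 1)[0].strip()


def parse_actions(text: str) -> Set[str]:
    """Return the names declared with type 'builtin' in an actions file."""
    builtins: Set[str] = set()
    for line in text.splitlines():
        parts = _strip(line).split()
        if len(parts) >= 2 and parts[1] == "builtin":
            builtins.add(parts[0])
    return builtins


def parse_rule(line: str) -> Rule:
    """Split one rule line into Shorewall columns and the inline iptables tail."""
    head, sep, tail = line.partition(";")
    cols = head.split()
    inline = tail.strip() if sep else None
    target = None
    if inline:
        m = re.search(r"(?:^|\s)-j\s+(\S+)", inline)
        target = m.group(1) if m else None
    return Rule(cols[0], cols[1:], inline, target)


def check_rules(rules_text: str, actions_text: str) -> List[Tuple[int, str]]:
    """Validate every INLINE rule; return (line number, problem) pairs."""
    builtins = parse_actions(actions_text)
    problems: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(rules_text.splitlines(), 1):
        line = _strip(raw)
        if not line:
            continue
        rule = parse_rule(line)
        if rule.action != "INLINE":
            continue  # ';' has other uses in non-INLINE rules; not checked here
        if not rule.inline:
            problems.append((lineno, "INLINE rule has no iptables text after ';'"))
        elif rule.target is None:
            problems.append((lineno, "INLINE rule has no -j target"))
        elif rule.target not in STANDARD_TARGETS and rule.target not in builtins:
            problems.append(
                (lineno, f"target {rule.target} is not declared as builtin in the actions file")
            )
    return problems


if __name__ == "__main__":
    for lineno, msg in check_rules(RULES, ACTIONS):
        print(f"line {lineno}: {msg}")
```

Run as a script it reports only the last sample rule, whose target NOSUCH is neither a known iptables target nor declared in the sample actions file; the SETCTX rule passes because of the 'SETCTX builtin' line.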
Shorewall-devel mailing list
Shorewall-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-devel