On 4/8/13 5:48 PM, "Tom Eastep" <teas...@shorewall.net> wrote:
>On 4/8/13 8:01 AM, "Mr Dash Four" <mr.dash.f...@googlemail.com> wrote:
>
>>
>>> I was thinking about that as well, and it would indeed be easier.
>>>
>>> How about this:
>>>
>>> ACCEPT <src> <dst> ; MATCH -m <match 1> -m <match 2> ...
>>>
>>> The preprocessor already looks for ';' and the MATCH keyword would
>>> trigger the new interpretation of the text that follows.
>>>
>>Yep, I agree, though the 'MATCH' word may not be present at all, so the
>>trigger, if you like, could be the 'INLINE' keyword, i.e.:
>>
>>INLINE <src> <dst> ; ... (see my next comment).
>>
>>> I would prefer to keep the rule target (the '-j ...' part) in the
>>>ACTION
>>> column if possible.
>>>
>>Nope, that would prevent me from using custom-made targets (something
>>like '-j SECCTX --name <name>' for example).
>
>Okay -- I've implemented the following:
>
>3) A new INLINE action has been added. This action allows defining
>   arbitrary iptables rules in the blrules and rules files, as well as
>   in action and macro bodies.
>
>   The basic form of an INLINE rule is as follows:
>
>   INLINE <src> <dst> <proto> ... ; <iptables matches and jump>
>
>   Example:
>
>   INLINE $FW all tcp 1234 ; -j SETCTX --name foo
>
>   As part of this change, a new 'builtin' action type has been added.
>   ip[6]tables actions not supported by Shorewall (such as 'SETCTX' in
>   the example above), must be defined in your
>   /etc/shorewall[6]/actions file.
>
>   Example:
>
>   SETCTX builtin
>
>
>Is this what you had in mind?

BTW, with OPTIMIZE=31, the following rules are generated in my configuration:

-A fw-dmz -p 6 --dport 1234 -j SETCTX --name foo
-A fw-loc -p 6 --dport 1234 -j SETCTX --name foo
-A fw-net -p 6 --dport 1234 -j SETCTX --name foo
-A fw-smc -p 6 --dport 1234 -j SETCTX --name foo
-A fw-vpn -p 6 --dport 1234 -j SETCTX --name foo

-Tom

You do not need a parachute to skydive. You only need a parachute to skydive twice.
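The following is an added illustration of the INLINE syntax described in the thread, written for this page and not Shorewall's own compiler code. It models the two checks the thread calls for: the text after ';' is passed through verbatim, and a '-j' target must be declared with the 'builtin' type in the actions file. The zone list, the "fw" name for $FW and the protocol table are assumptions chosen to reproduce the chains shown above.

```python
import re

# Constructed sample of an /etc/shorewall/actions file declaring one builtin target.
ACTIONS_FILE = """\
# ACTION   TYPE
SETCTX     builtin
"""

# Assumed zone list; "all" as destination expands to one chain per zone.
ZONES = ["dmz", "loc", "net", "smc", "vpn"]
# Assumed protocol-name to number mapping (iptables emits numbers with OPTIMIZE).
PROTO_NUMBERS = {"tcp": 6, "udp": 17, "icmp": 1}


def load_builtin_actions(text):
    """Return the set of action names declared with type 'builtin'."""
    builtins = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) >= 2 and fields[1] == "builtin":
            builtins.add(fields[0])
    return builtins


def compile_inline(rule, fw="fw", zones=ZONES, builtins=frozenset()):
    """Expand one INLINE rule into iptables fragments, one per destination chain.

    Raises ValueError when the rule is malformed or its jump target was not
    declared as a builtin action, so undeclared targets never reach iptables.
    """
    if ";" not in rule:
        raise ValueError("INLINE rule needs '; <iptables matches and jump>'")
    columns, tail = (part.strip() for part in rule.split(";", 1))
    fields = columns.split()
    if len(fields) < 4 or fields[0] != "INLINE":
        raise ValueError("expected: INLINE <src> <dst> <proto> [<dport>] ; ...")
    src, dst, proto = fields[1:4]
    dport = fields[4] if len(fields) > 4 else None
    target = re.search(r"-j\s+(\S+)", tail)
    if target and target.group(1) not in builtins:
        raise ValueError(f"jump target {target.group(1)!r} is not a declared builtin action")
    src_zone = fw if src == "$FW" else src
    dst_zones = zones if dst == "all" else [dst]
    match = f"-p {PROTO_NUMBERS.get(proto, proto)}"
    if dport:
        match += f" --dport {dport}"
    # The tail after ';' is emitted verbatim, which is the point of INLINE.
    return [f"-A {src_zone}-{zone} {match} {tail}" for zone in dst_zones]
```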