On 4/11/13 7:47 PM, "Mr Dash Four" <mr.dash.f...@googlemail.com> wrote:

>
>>> If you can't find an easy solution to this, not to worry - I could
>>> always include the entire rule after ";" and leave the bare minimum
>>> (<src> and <dst>) on the left side of ";". I am not sure how this would
>>> impact the optimiser though.
>>>     
>>
>> The only possible issue will be multiple instances of the same match.
>>   
>You mean multiple instances after ";" or on both sides of ";"? Either
>way, I would say Shorewall has done a pretty good job of sanitising
>various silly combinations/scenarios, so allowing for multiple matches
>(which was expected anyway, given the nature of INLINE) isn't really a
>big deal I would think.

The part of the compiler that understands iptables doesn't know what is
before ';' and after; it sees one long rule.

>
>>> 6.
>>> rules
>>> ~~~~~
>>> INLINE $FW:10.1.1.1 net:+mickey-mouse ; ! -m mickey-mouse --name test2
>>>
>>> produces
>>>
>>> -A fw2net -s 10.1.1.1 -m mickey-mouse ! --name test2 -m set --match-set
>>> mickey-mouse dst
>>>
>>> I presume the "!" will mess things up if I try other such combinations,
>>> so I am not fully testing this for the time being.
>>>     
>>
>> The compiler actually did the 'right' thing there, even though what you
>> entered was not valid iptables syntax.
>>   
>Yeah, I realised that as soon as I reported it. Shorewall should have at
>least warned me though.

I don't think so. Remember that you are responsible for what follows the
';'.

>
>>> One query: are parameters accepted in the bit after ";"? Something like
>>> "INLINE $FW net ; ! -m my-owner --owner $MY_UID -j DROP"?
>>>     
>>
>> Yes.
>>   
>Yep, that was just tested as well. I'll do a little more testing
>tomorrow during the day (it's my day off, so I will have more time then)
>and report back if I find anything.

Cool. I'll be out of town this weekend (leaving at noon tomorrow). I'll
check in and probably do a bit of work but my weekend is aimed at tasting
good wine while eating good food :-)

-Tom
You do not need a parachute to skydive. You only need a parachute to
skydive twice.
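The INLINE handling discussed in the exchange above, as an added example that is not part of this thread and is not Shorewall's own compiler: a small Python model that assembles one iptables rule from the <src>/<dst> columns plus the raw text after ';', applies the '!' fix-up the thread reports (the compiler turning "! -m mickey-mouse --name test2" into "-m mickey-mouse ! --name test2"), and lists modules loaded more than once, the "only possible issue" for the optimiser. Only the first rule and its output are taken from the messages; the token order, the $FW and $MY_UID values, the my-owner rule and the ipset rule used to show a repeated module are constructed assumptions.

```python
import re
import shlex

# Constructed sample: the INLINE rule and the iptables output quoted in the thread.
SAMPLE_RULE = "INLINE $FW:10.1.1.1 net:+mickey-mouse ; ! -m mickey-mouse --name test2"
EXPECTED = ("-A fw2net -s 10.1.1.1 -m mickey-mouse ! --name test2 "
            "-m set --match-set mickey-mouse dst")

# Hypothetical variable table: $FW names the firewall zone, $MY_UID is a user parameter.
PARAMS = {"FW": "fw", "MY_UID": "1000"}


def expand(text, params):
    """Replace $NAME with its value; an unknown name is an error, never silently kept."""
    def sub(m):
        name = m.group(1)
        if name not in params:
            raise ValueError(f"undefined variable ${name}")
        return params[name]
    return re.sub(r"\$(\w+)", sub, text)


def endpoint_matches(spec, direction):
    """zone[:address] -> (zone, iptables match tokens); '+name' denotes an ipset."""
    zone, _, addr = spec.partition(":")
    if not addr:
        return zone, []
    if addr.startswith("+"):
        return zone, ["-m", "set", "--match-set", addr[1:], direction]
    flag = "-s" if direction == "src" else "-d"
    return zone, [flag, addr]


def normalize_negation(tokens):
    """Rewrite '! -m mod --opt ...' as '-m mod ! --opt ...' (the fix-up seen in the thread)."""
    out, i = [], 0
    while i < len(tokens):
        if tokens[i] == "!" and i + 2 < len(tokens) and tokens[i + 1] == "-m":
            out += [tokens[i + 1], tokens[i + 2], "!"]
            i += 3
        else:
            out.append(tokens[i])
            i += 1
    return out


def compile_inline(line, params=PARAMS):
    """Build one iptables rule string from 'INLINE <src> <dst> [; raw iptables text]'."""
    head, sep, tail = expand(line, params).partition(";")
    fields = head.split()
    if len(fields) != 3 or fields[0] != "INLINE":
        raise ValueError("expected: INLINE <src> <dst> [; raw iptables text]")
    src_zone, src_match = endpoint_matches(fields[1], "src")
    dst_zone, dst_match = endpoint_matches(fields[2], "dst")
    raw = normalize_negation(shlex.split(tail)) if sep else []
    # Token order mirrors the output quoted in the thread: source match first,
    # then the raw text after ';', then the destination ipset match. The whole
    # thing is one rule; nothing here remembers where the ';' was.
    return " ".join(["-A", f"{src_zone}2{dst_zone}"] + src_match + raw + dst_match)


def repeated_modules(rule):
    """Names of match modules loaded more than once via -m, in sorted order."""
    tokens = rule.split()
    mods = [tokens[i + 1] for i, t in enumerate(tokens[:-1]) if t == "-m"]
    return sorted({m for m in mods if mods.count(m) > 1})


if __name__ == "__main__":
    print(compile_inline(SAMPLE_RULE))
    print(repeated_modules(compile_inline("INLINE $FW:+a net:+b ; -m set --match-set c src")))
```

Because the variable table is expanded before the line is split at ';', parameters such as $MY_UID work on the raw side exactly as the thread reports; the model also refuses an undefined variable instead of passing a literal '$NAME' through to iptables.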

_______________________________________________
Shorewall-devel mailing list
Shorewall-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-devel