Tom Eastep wrote:
> On 4/11/13 7:47 PM, "Mr Dash Four" <mr.dash.f...@googlemail.com> wrote:
>
>>>> If you can't find an easy solution to this, not to worry - I could
>>>> always include the entire rule after ";" and leave the bare minimum
>>>> (<src> and <dst>) on the left side of ";". I am not sure how this would
>>>> impact the optimiser though.
>>>>
>>> The only possible issue will be multiple instances of the same match.
>>>
>> You mean multiple instances after ";" or on both sides of ";"? Either
>> way, I would say shorewall have done a pretty good job of sanitising
>> various silly combinations/scenarios, so allowing for multiple matches
>> (which was expected any way, given the nature of INLINE) isn't really a
>> big deal I would think.
>>
>
> The part of the compiler that understands iptables doesn't know what is
> before ';' and after; it sees one long rule.
>

OK, apologies for this late reply, but I was "held up" with a few other issues. As far as this Beta goes though, the only issue which remains (at least from my point anyway) is that even if I tuck in everything after the ";" sign, shorewall still rearranges it:

rules
~~~~~
INLINE $FW net ; -m mickey-mouse --name test -m set --match-set test src -m mickey-mouse --name test2 -j SECCTX

produces

-A fw2net -m mickey-mouse --name test -m mickey-mouse --name test2 -m set --match-set test src -j SECCTX