On 04/16/2013 03:13 PM, Dash Four wrote:
>
>> When multiple matches are specified, the compiler will keep them in
>> the order in which they appear, but they will not necessarily be at
>> the end of the generated rule. For example, if addresses are
>> specified in the SOURCE and/or DEST columns, their generated matches
>> will appear after those specified using ';'.
>>
> rules
> ~~~~~
> INLINE $FW net ; -m mickey-mouse --name test -p 6 -m set --match-set
> set1 src -m mickey-mouse --name test2 -j SECCTX --name test3
>
> generates
>
> -A fw2net -p 6 -m mickey-mouse --name test -m mickey-mouse --name test2
> -m set --match-set set1 -j SECCTX --name test3
That needs a documentation change. Some background:

Keeping the rule in textual form is problematic for optimization. So the
compiler defines an internal form for rules based on a Perl hash
(associative array). Parts of the compiler generate the internal form
natively, but most of the code that parses user-defined files generates
the rule textually before converting it to the native form.

When the iptables-restore input is being generated, each of the rules
must be converted back into text. To provide a degree of predictability
and to localize cache references at runtime, internal->text conversion
handles some matches explicitly in this order:

p
dport
sport
icmp-type
icmpv6-type
s
d
i
o
policy
state or conntrack --ctstate

So those options, if they are present, are always in the above fixed
order. The remainder are now output in the order in which they were
added to the rule.

>
>> As part of this change, a new 'builtin' action type has been added.
>> ip[6]tables targets not supported by Shorewall (such as 'SECCTX' in
>> the example above), must be defined in your
>> /etc/shorewall[6]/actions file:
>>
>> Example:
>>
>> SECCTX builtin
>>
> That now works and an error is issued when "SECCTX" is not in actions.
>

Thanks,
-Tom

--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
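As an added illustration (not Shorewall's code), the following Python model reproduces the ordering rule Tom describes: the fixed list of matches is emitted first, in that order, and every other match follows in the order it was added. The parser for the text after ';' and the `-m`/`-j` tokenisation are simplified assumptions, not the compiler's real grammar.

```python
# Added example (not Shorewall's code): a model of the internal->text
# conversion order described above. Matches with a key in FIXED_ORDER are
# always emitted first, in this order; the rest keep insertion order.
FIXED_ORDER = ("p", "dport", "sport", "icmp-type", "icmpv6-type",
               "s", "d", "i", "o", "policy", "state", "conntrack")

# Assumed, simplified subset of iptables options that start a new match.
STARTERS = {"-p": "p", "-s": "s", "-d": "d", "-i": "i", "-o": "o",
            "--dport": "dport", "--sport": "sport"}

def parse_inline(text):
    """Parse the text after ';' in an INLINE rule into the internal form:
    a list of (key, option_text) pairs in textual order, plus the target."""
    tokens = text.split()
    matches, target, i = [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-m":                  # -m <name> <args...>; key is <name>
            key, start, i = tokens[i + 1], i, i + 2
        elif tok == "-j":                # -j <target> <args...>
            key, start, i = "target", i, i + 1
        elif tok in STARTERS:            # -p 6, -s addr, --dport 22, ...
            key, start, i = STARTERS[tok], i, i + 1
        else:
            raise ValueError("unexpected token %r" % tok)
        # consume this option's arguments up to the next option starter
        while i < len(tokens) and tokens[i] not in STARTERS \
                and tokens[i] not in ("-m", "-j"):
            i += 1
        if key == "target":
            target = " ".join(tokens[start + 1:i])
        else:
            matches.append((key, " ".join(tokens[start:i])))
    return {"matches": matches, "target": target}

def rule_to_text(chain, rule):
    """Serialise: fixed-order matches first, then the rest as added."""
    fixed = [t for k in FIXED_ORDER for key, t in rule["matches"] if key == k]
    rest = [t for key, t in rule["matches"] if key not in FIXED_ORDER]
    parts = ["-A", chain] + fixed + rest
    if rule["target"]:
        parts += ["-j", rule["target"]]
    return " ".join(parts)

# Constructed input: the option text from the INLINE rule quoted above.
INLINE_TEXT = ("-m mickey-mouse --name test -p 6 -m set --match-set set1 src "
               "-m mickey-mouse --name test2 -j SECCTX --name test3")

if __name__ == "__main__":
    print(rule_to_text("fw2net", parse_inline(INLINE_TEXT)))
```

With the insertion-order rule, the two mickey-mouse matches stay separated by the set match exactly as written after ';', and only `-p 6` moves to the front.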
_______________________________________________
Shorewall-devel mailing list
Shorewall-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-devel