Tom Eastep wrote:
> On 04/16/2013 03:13 PM, Dash Four wrote:
>
>>> When multiple matches are specified, the compiler will keep them in
>>> the order in which they appear, but they will not necessarily be at
>>> the end of the generated rule. For example, if addresses are
>>> specified in the SOURCE and/or DEST columns, their generated matches
>>> will appear after those specified using ';'.
>>>
>>>
>> rules
>> ~~~~~
>> INLINE $FW net ; -m mickey-mouse --name test -p 6 -m set --match-set
>> set1 src -m mickey-mouse --name test2 -j SECCTX --name test3
>>
>> generates
>>
>> -A fw2net -p 6 -m mickey-mouse --name test -m mickey-mouse --name test2
>> -m set --match-set set1 -j SECCTX --name test3
>>
>
> That needs a documentation change.
>
> Some background:
>
> Keeping the rule in textual form is problematic for optimization. So the
> compiler defines an internal form for rules based on a Perl hash
> (associative array). Parts of the compiler generate the internal form
> natively, but most of the code that parses user-defined files generates
> the rule textually before converting it to the native form.
>
> When the iptables-restore input is being generated, each of the rules
> must be converted back into text. To provide a degree of predictability
> and to localize cache references at runtime, internal->text conversion
> handles some matches explicitly in this order:
>
> p
> dport
> sport
> icmp-type
> icmpv6-type
> s
> d
> i
> o
> policy
> state or conntrack --ctstate
>
> So those options, if they are present, are always in the above fixed order.
>
> The remainder are now output in the order in which they were added to
> the rule.

Even if I do this:

INLINE $FW net ; -p 6 -m mickey-mouse --name test -m set --match-set set1 src -m mickey-mouse --name test2 -j SECCTX --name test3

that still generates

-A fw2net -p 6 -m mickey-mouse --name test -m mickey-mouse --name test2 -m set --match-set set1 -j SECCTX --name test3

Note the "displacement" of the "set" match - position 2 in "rules", position 3 in the generated iptables rules.

_______________________________________________
Shorewall-devel mailing list
Shorewall-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
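The ordering Tom describes (a fixed list of matches first, then everything else in the order it was added, then the target) is easy to misread from the prose alone, so here is a small model of it. This is an added example, not part of the thread and not Shorewall's Perl code; it is written in Python, the function names (parse_rule, serialize_rule, reorder_rule) and the tokenizer's handling of "-m NAME" groups, "!" negation and protocol options are assumptions made for the illustration, and MIXED_RULE is a constructed input. Run on the INLINE rule Dash Four posted, the model keeps "-m set" in position 2, which is what the quoted description predicts; it makes no attempt to explain the displacement he observes from the real compiler.

```python
"""Toy model of the match ordering described in the quoted message.

Added example, not Shorewall code. parse_rule/serialize_rule/reorder_rule
are names invented for this illustration; the tokenizer only understands
the shapes of iptables syntax that appear in the thread plus "!" negation.
"""
import shlex

# Matches the message says are always emitted first, in this order, when
# present. "state" and "conntrack" share one slot in the message ("state or
# conntrack --ctstate"); a rule carries one or the other, so listing both
# adjacent has the same effect.
FIXED_ORDER = ["p", "dport", "sport", "icmp-type", "icmpv6-type",
               "s", "d", "i", "o", "policy", "state", "conntrack"]

# Single-dash core options that form their own entry rather than belonging
# to a preceding "-m NAME" match.
CORE_OPTIONS = {"-p": "p", "-s": "s", "-d": "d", "-i": "i", "-o": "o"}

# Double-dash options treated as protocol options (own entry, no -m group)
# so they can be placed by FIXED_ORDER even when they follow "-m tcp".
# Assumption for the model.
PROTOCOL_OPTIONS = {"dport", "sport", "icmp-type", "icmpv6-type"}


def _starts_entry(tok):
    """True for tokens that begin an option or a negation, not a value."""
    return tok.startswith("-") or tok == "!"


def parse_rule(text):
    """Split an iptables match string into (entries, target).

    entries is a list of [key, tokens, is_match] in textual order: key is
    the name FIXED_ORDER uses ("p", "dport", "set", ...), tokens are the
    literal tokens of that entry, and is_match says whether the entry
    began with "-m". target is everything from "-j" on; it stays last.
    """
    tokens = shlex.split(text)
    entries, target, pending = [], [], []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-j":
            target = pending + tokens[i:]
            break
        if tok == "!":
            pending.append(tok)          # attaches to the next entry
            i += 1
            continue
        if tok == "-m":
            entries.append([tokens[i + 1], pending + [tok, tokens[i + 1]], True])
            pending = []
            i += 2
            continue
        # an option followed by its non-option arguments
        j = i + 1
        while j < len(tokens) and not _starts_entry(tokens[j]):
            j += 1
        chunk = pending + tokens[i:j]
        pending = []
        if tok in CORE_OPTIONS:
            entries.append([CORE_OPTIONS[tok], chunk, False])
        elif tok.startswith("--"):
            name = tok[2:]
            if name not in PROTOCOL_OPTIONS and entries and entries[-1][2]:
                entries[-1][1].extend(chunk)   # continues the open -m match
            else:
                entries.append([name, chunk, False])
        else:
            raise ValueError("unsupported option: " + tok)
        i = j
    return entries, target


def serialize_rule(entries, target):
    """Fixed-order keys first, then the rest in insertion order, then -j."""
    fixed = [e for key in FIXED_ORDER for e in entries if e[0] == key]
    rest = [e for e in entries if e[0] not in FIXED_ORDER]
    out = []
    for _, toks, _ in fixed + rest:
        out.extend(toks)
    out.extend(target)
    return " ".join(out)


def reorder_rule(text):
    entries, target = parse_rule(text)
    return serialize_rule(entries, target)


# The match portion of the INLINE rule from the thread, and a constructed
# mixed rule (not from the thread) exercising several fixed-order keys.
DASH_FOUR_RULE = ("-m mickey-mouse --name test -p 6 -m set --match-set set1 src "
                  "-m mickey-mouse --name test2 -j SECCTX --name test3")
MIXED_RULE = ("-m conntrack --ctstate NEW -s 10.0.0.0/8 -m set --match-set blocked src "
              "-p 6 --dport 22 -o eth0 -j ACCEPT")

if __name__ == "__main__":
    print(reorder_rule(DASH_FOUR_RULE))
    print(reorder_rule(MIXED_RULE))
```

In the model, both "-m mickey-mouse" entries fall outside FIXED_ORDER and so keep their positions relative to "-m set"; only "-p 6" moves to the front. If a rule's emitted text differs from that, as in the output Dash Four pasted, the cause is something beyond the fixed list plus insertion order, which is exactly the documentation point raised above.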