On 04/26/2013 06:08 PM, Dash Four wrote:
>
>
> Tom Eastep wrote:
>> RC 2 is now available for testing.
>>
>> This version corrects a problem with INLINE handling in the accounting
>> and tcrules files as well as centralizing the validation and
>> registration of nfacct object names.
>>
> I am enclosing another minor (cosmetic) patch - see attached.

Thanks. Applied in a slightly-modified form.

> I also have a question:
>
> Let's assume that I have the following:
>
> actions
> ~~~~~~~
> FLOG
>
> action.FLOG
> ~~~~~~~~~~~
> ?IF $1
> ?SET @chain $2 ? $2 : " "
> ?SET @disposition $3 ? $3 : " "
> LOG:info(tcp_options,ip_options,macdecode,tcp_sequence,uid)
> ?END IF
> ?IF $4
> $4
> ?END IF
>
> rules
> ~~~~~
> SECTION NEW
> FLOG(log,@chain,ACCEPT,ACCEPT) $FW net:+dmz-net
>
> With the above setup, FLOG is not inline and shorewall creates a new
> chain (called FLOG) and then executes everything there. So far, so good.
>
> However, the "@chain" variable, which I passed as a parameter to FLOG is
> *not*, as I expected, set to "fw2net", but assumes a value of "FLOG"
> (the chain in which FLOG executes). It is obvious that shorewall does
> not differentiate between the "@chain" passed as a parameter to a
> specific action in "rules", "blrules" and the like, and the "@chain"
> parameter value inside that action. The two are very different. I
> presume the exact same thing exists with @disposition as well.
>
> Is it possible to get shorewall to recognise the "@chain" variable to
> assume a value of the chain in which the statement occurs ("fw2net" in
> the above case), instead of assuming the value of the chain in which the
> actual action executes?

It's not. @chain cannot be expanded by the pre-processor when it appears
outside of an action body, so it can only be used in very limited
contexts. But I invented a way to accomplish what you want (but I
neglected to document it until this morning).

There is a variable named @caller which expands to the name of the chain
which invoked an action. In an inline action, it expands to the same
thing as @chain. In a non-inlined action, it expands to the name of the
chain that invoked the action.

Please give it a try.

-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
