Tom Eastep wrote:
> Brian J. Murrell wrote:
>> On Sat, 2008-03-29 at 22:39 -0700, Tom Eastep wrote:
>>> Sure -- same solution that has always been available. Start Shorewall
>>> before you start networking.
>>
>> Yes, but...
>>
>>> Of course you can't use any of Shorewall's features that rely on
>>> detecting the current network configuration...
>>
>> Right. I was thinking/hoping for a solution that was more elegant.
>> Such as I suggested perhaps... preventing packets from hitting the
>> conntrack state engine before the nat rules were set up.
>>
>> Is it technically impossible to do that with iptables? I've never
>> really played much with module loading order and dependencies of
>> iptables.
>
> As long as you bring up networking before Shorewall, there is not a
> thing that Shorewall can do to solve this problem. So you get to solve
> this one yourself.
>
> Check out the 'raw' table and the NOTRACK target; you might be able to
> avoid tracking any traffic until the Shorewall-generated script runs if
> you configure appropriate NOTRACK rules before bringing up networking.
>
> -Tom
Since modprobe is run twice for a (re)start, once for detecting capabilities, then again with the compiled script, without ill effects to Shorewall, could you not load x_tables, ip_tables, and iptable_filter (in that order; did I forget any?)? That should be enough to have the filter table loaded; then use the posted script before you start the network. Shorewall is going to flush the tables anyway, right?

Just a thought,
Jerry

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
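Putting Tom's raw-table/NOTRACK suggestion and Jerry's module-loading idea together, here is an added example of a pre-networking hook script. It is not code from the thread and not Shorewall's own; it assumes a Linux host with iptables and the iptable_raw module, run as root from whatever hook your init system fires before the interfaces come up (the hook, the PRE_NET_MODULES list and all function names are assumptions). The security point it addresses is Brian's: a connection that sends its first packet while no nat rules exist gets a conntrack entry with no NAT binding, and that entry keeps routing the flow un-NATed after Shorewall has loaded its rules. Blanket NOTRACK in the raw table means no such entries are created in the window.

```shell
#!/bin/sh
# Added example for the thread above; not code from Shorewall or from any
# poster. Assumed environment: a Linux host with iptables and the raw table
# (iptable_raw) available, run as root from a hook that fires BEFORE the
# network interfaces come up (the hook name is site-specific and assumed).

# Modules Jerry listed, plus iptable_raw so the raw table exists.
# modprobe resolves dependencies itself, so the explicit order is belt and braces.
PRE_NET_MODULES="x_tables ip_tables iptable_filter iptable_raw"

# Emit commands rather than running them directly, so the plan can be reviewed
# (and tested) on a non-root box and then piped to sh on the firewall.
pre_net_module_cmds() {
    for m in $PRE_NET_MODULES; do
        printf 'modprobe %s\n' "$m"
    done
}

# Exempt every packet from connection tracking, inbound and locally generated.
# NAT decisions are taken once per connection, on its first packet; with no
# conntrack entries created before Shorewall runs, no flow can be bound to
# "no NAT" and keep bypassing the nat table after the real rules are loaded.
pre_net_notrack_cmds() {
    printf 'iptables -t raw -A PREROUTING -j NOTRACK\n'
    printf 'iptables -t raw -A OUTPUT -j NOTRACK\n'
}

# The full pre-networking plan as one shell script on stdout.
pre_net_plan() {
    printf 'set -e\n'
    pre_net_module_cmds
    pre_net_notrack_cmds
}

# Apply the plan; when not root, print it instead so a dry run is harmless.
pre_net_apply() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "not root; plan follows (not applied):" >&2
        pre_net_plan
        return 1
    fi
    pre_net_plan | sh
}

# After "shorewall start" has succeeded, make sure the blanket NOTRACK rules are
# gone. Shorewall's start is expected to reset the tables (Jerry's point), but
# deleting explicitly costs nothing; -D fails harmlessly if the rule is gone.
post_shorewall_cleanup_cmds() {
    printf 'iptables -t raw -D PREROUTING -j NOTRACK 2>/dev/null || true\n'
    printf 'iptables -t raw -D OUTPUT -j NOTRACK 2>/dev/null || true\n'
}

# Intended wiring (hook names are assumptions): pre_net_apply from the
# pre-networking hook, then bring interfaces up, then "shorewall start",
# then "post_shorewall_cleanup_cmds | sh".
```

To confirm the window is really closed, bring the interfaces up, generate some traffic, and check that the conntrack table (/proc/net/nf_conntrack or /proc/net/ip_conntrack, depending on kernel) stays empty until Shorewall has started; `iptables -t raw -vnL` should show the two NOTRACK rules accumulating packet counts in the meantime. The trade-off is the one Tom named: nothing stateful can be done in that window, which is fine here because there are no rules for it to serve yet.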
