I've been experimenting with the new zone nesting feature, but I'm
getting nowhere and I'm starting to suspect I expect more from it than
it can deliver.
So my first question is whether zone nesting relies on the zones being
subsets of each other on a network level, i.e. host-based zones where
the parent zone is a superset of the child zone.
The documentation example is of this type, but it doesn't say that this
is required. I was naively hoping that the CONTINUE policy of a child
zone would result in a -j to the parent zone chain(s) in iptables. But
no such rules are generated, and I can't really find anything in the
code that uses the parent information in a useful way.
My specific case is that I have zones gst, wif and vir, all with their
own interfaces. I have a whole bunch of rules that apply to all three
and I don't want to make a mess of the rules file by having multiple
copies of every rule. So I dug around and found nested zones, which
seemed to fit perfectly.
I have:

zones:
    dmz        ipv4
    gst:dmz    ipv4
    wif:dmz    ipv4
    vir:dmz    ipv4

interfaces:
    gst    eth1
    wif    eth2
    vir    virt+

policy:
    gst    all    CONTINUE
    wif    all    CONTINUE
    vir    all    CONTINUE

rules:
    ACCEPT    dmz    all    tcp    ssh
Rgds
--
-- Pierre Ossman
Linux kernel, MMC maintainer http://www.kernel.org
PulseAudio, core developer http://pulseaudio.org
rdesktop, core developer http://www.rdesktop.org
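The following is an added example, not from the post above and not Shorewall's own code or behaviour. It assumes the rule inheritance the poster is hoping for (a rule written against dmz should also cover gst, wif and vir) and implements it as a small preprocessing step outside Shorewall: the zones file is parsed for the child:parent syntax shown in the post, and each rule naming a parent zone is expanded into one copy per descendant, so the source rules file keeps a single line while the generated file carries the copies. The sample zones and rules below are constructed from the post's layout; the REJECT line is an extra constructed rule.

```python
# Constructed sample input, following the zones/rules layout from the post.
ZONES = """\
dmz      ipv4
gst:dmz  ipv4
wif:dmz  ipv4
vir:dmz  ipv4
"""

RULES = """\
ACCEPT  dmz  all  tcp  ssh
REJECT  all  dmz  tcp  25
"""


def parse_zones(text):
    """Return {zone: parent_or_None} from 'zone[:parent] type' lines."""
    parents = {}
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        zone, _, parent = line.split()[0].partition(':')
        parents[zone] = parent or None
    return parents


def descendants(parents, zone):
    """All zones that have `zone` as an ancestor, in file order."""
    out = []
    for child, parent in parents.items():
        while parent is not None:             # walk up the chain
            if parent == zone:
                out.append(child)
                break
            parent = parents.get(parent)
    return out


def expand_rules(zones_text, rules_text):
    """Expand rules naming a parent zone into one copy per descendant.
    Keywords such as 'all' are not zones and are passed through unchanged."""
    parents = parse_zones(zones_text)
    expanded = []
    for line in rules_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith('#'):
            continue
        action, src, dst, rest = fields[0], fields[1], fields[2], fields[3:]
        srcs = [src] + descendants(parents, src) if src in parents else [src]
        dsts = [dst] + descendants(parents, dst) if dst in parents else [dst]
        expanded.extend(' '.join([action, s, d] + rest) for s in srcs for d in dsts)
    return expanded
```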
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users