Pierre Ossman wrote:
> I've been experimenting with the new zone nesting feature, but I'm
> getting nowhere and I'm starting to suspect I expect more from it than
> it can deliver.
>
> So my first question is if zone nesting relies on the zones being
> subsets of each other on a network level? I.e. host based zones where
> the parent zone is a superset of the child zone.
>
> The documentation example is of this type, but it doesn't say that this
> is required. I was naively hoping that the CONTINUE policy of a child
> zone would result in a -j to the parent zone chain(s) in iptables. But
> no such rules are generated, and I can't really find anything in the
> code that uses the parent information in a useful way.
>
> My specific case is that I have zones gst, wif and vir, all with their
> own interfaces. I have a whole bunch of rules that apply to all three
> and I don't want to make a mess of the rules file by having multiple
> copies of every rule. So I dug around and found nested zones, which
> seemed to fit perfectly.
>
> I have:
>
> zones:
>
> dmz ipv4
>
> gst:dmz ipv4
> wif:dmz ipv4
> vir:dmz ipv4
>
> interfaces:
>
> gst eth1
> wif eth2
> vir virt+

A shorewall dump would be helpful here. Most of the time when nested zones are needed, it is with the same interface and different sub-zones on the same interface; you would need the hosts file to define that. You are doing the reverse here: each interface is a sub-zone of the parent (dmz) zone. I have never tried this, but I think you may have to use

gst:dmz
wif:dmz
vir:dmz

here to define the membership to the parent (dmz) zone.
> policy:
>
> gst all CONTINUE
> wif all CONTINUE
> vir all CONTINUE
>
> rules:
>
> ACCEPT dmz all tcp ssh
>
> Rgds

Well, I tried the above syntax in the interfaces file; it didn't give me an error and the jumps look right to me. YMMV

Jerry

Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
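The question in the thread is whether a child zone's CONTINUE policy actually produces a jump into the parent zone's chain. As an added example (not from the thread and not Shorewall's own code), here is a small Python check that reads iptables-save style output and flags child-zone chains that never hand off to the corresponding parent-zone chain. The sample dump is constructed, the `<src>2<dst>` chain naming is assumed to match Shorewall's zone-to-zone chains, and the nesting map is taken from the zones file quoted above.

```python
import re

# Constructed iptables-save excerpt (not real Shorewall output). Chains follow the
# assumed <src>2<dst> naming; only gst2all hands off to its parent's chain.
SAMPLE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:dmz2all - [0:0]
:gst2all - [0:0]
:wif2all - [0:0]
:vir2all - [0:0]
-A dmz2all -p tcp --dport 22 -j ACCEPT
-A gst2all -m state --state ESTABLISHED,RELATED -j ACCEPT
-A gst2all -j dmz2all
-A wif2all -m state --state ESTABLISHED,RELATED -j ACCEPT
-A vir2all -j DROP
COMMIT
"""

# Assumed nesting, taken from the zones file in the thread: child -> parent.
NESTING = {"gst": "dmz", "wif": "dmz", "vir": "dmz"}

CHAIN = re.compile(r"^:(\S+)\s")
JUMP = re.compile(r"^-A\s+(\S+)\s+(?:.*\s)?-j\s+(\S+)")

def parse_jumps(dump: str) -> dict[str, list[str]]:
    """Map every declared chain to the ordered list of targets it jumps to."""
    jumps: dict[str, list[str]] = {}
    for line in dump.splitlines():
        c = CHAIN.match(line)
        if c:
            jumps.setdefault(c.group(1), [])
            continue
        m = JUMP.match(line)
        if m:
            jumps.setdefault(m.group(1), []).append(m.group(2))
    return jumps

def missing_parent_jumps(dump: str, nesting: dict[str, str]) -> list[str]:
    """Child chains (<child>2<dst>) with no jump to the matching <parent>2<dst> chain."""
    # Without that jump a CONTINUE policy never reaches the parent zone's rules.
    missing = []
    for chain, targets in parse_jumps(dump).items():
        src, sep, dst = chain.partition("2")
        if sep and src in nesting and f"{nesting[src]}2{dst}" not in targets:
            missing.append(chain)
    return sorted(missing)
```

Run it against a real `iptables-save` capture instead of `SAMPLE`; an empty list means every child chain delegates to its parent as expected.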
