Pierre Ossman wrote:
> So my first question is if zone nesting relies on the zones being subsets of each other on a network level? I.e. host-based zones where the parent zone is a superset of the child zone.

Yes.

> The documentation example is of this type, but it doesn't say that this is required. I was naively hoping that the CONTINUE policy of a child zone would result in a -j to the parent zone chain(s) in iptables. But no such rules are generated, and I can't really find anything in the code that uses the parent information in a useful way.

The 3.x and 4.0 code only use the information to order the zone list.

> My specific case is that I have zones gst, wif and vir, all with their own interfaces.

Nested zones do not apply unless you define a super-zone that includes all three interfaces and then make that the parent zone of each of the individual zones.
-Tom
--
Tom Eastep              \ Nothing is foolproof to a sufficiently talented fool
Shoreline,              \ http://shorewall.net
Washington USA          \ [EMAIL PROTECTED]
PGP Public Key          \ https://lists.shorewall.net/teastep.pgp.key
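An added example of the super-zone layout described in the reply above, written in Shorewall 4.0-style configuration; it is not from this thread or the Shorewall project. The super-zone name lan, the interface names eth0-eth3 and the policies are assumptions.

```text
# /etc/shorewall/zones  (assumed layout; lan is the constructed super-zone name)
#ZONE      TYPE       OPTIONS
fw         firewall
net        ipv4
lan        ipv4                 # super-zone: parent of gst, wif and vir
gst:lan    ipv4                 # child zones declared with their parent
wif:lan    ipv4
vir:lan    ipv4

# /etc/shorewall/interfaces  (eth1-eth3 are assumed interface names)
# No zone is bound here ("-") so each interface can belong to both the
# super-zone and one child zone via the hosts file.
#ZONE      INTERFACE  BROADCAST  OPTIONS
net        eth0       detect
-          eth1       detect
-          eth2       detect
-          eth3       detect

# /etc/shorewall/hosts
# lan spans all three interfaces; each child zone is one interface, i.e. a
# network-level subset of lan, which is what makes nesting apply.
#ZONE      HOST(S)            OPTIONS
lan        eth1:0.0.0.0/0
lan        eth2:0.0.0.0/0
lan        eth3:0.0.0.0/0
gst        eth1:0.0.0.0/0
wif        eth2:0.0.0.0/0
vir        eth3:0.0.0.0/0

# /etc/shorewall/policy  (assumed policies)
# CONTINUE does not generate a jump to a parent-zone chain; it only lets the
# packet fall through to the rules and policy of the enclosing zone (lan).
#SOURCE    DEST       POLICY     LOG LEVEL
gst        all        CONTINUE
wif        all        CONTINUE
vir        all        CONTINUE
lan        net        ACCEPT
lan        all        DROP       info
net        all        DROP       info
all        all        REJECT     info
```

With this layout, traffic from gst to net that matches no gst rule is evaluated against the lan rules and the lan-to-net policy, which is the fall-through behaviour CONTINUE provides.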
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
