> Done.
>

Do you have a patch or new rpm for me to test?

>> 2. Currently there is no ability to add comments in secmarks - it would
>> be nice if I could do that as is the case with the rules file (I am not
>> sure if the Shorewall adds comments automatically in secmarks as is the
>> case with the rules file - when common port numbers are used for example).
>>
>
> COMMENT is supported in the secmarks file. See
> http://www.shorewall.net/configuration_file_basics.html#COMMENT
>

That link is getting me nowhere! I presume you meant
http://www.shorewall.net/configuration_file_basics.htm#Comments
which isn't what I really meant in my previous post, but this:

COMMENT
    The rest of the line will be attached as a comment to the Netfilter rule(s) generated by the following entries. The comment will appear delimited by "/* ... */" in the output of "shorewall show <chain>". To stop the comment from being attached to further rules, simply include COMMENT on a line by itself.

In other words, COMMENT the command as is in the rules file - as pointed out in my previous post.

>> 4. CONNSECMARK - that was a true eye opener for me!!!
>>
>>
>>
> So exactly what are you pushing for?
>

Instead of manually adding "SAVE I:N", "SAVE O:N" and then "RESTORE I:ER", "RESTORE O:ER" etc. at the end of each chain (as this would be the most efficient way of dealing with SELinux contexts once they are established), it would be nice if these things were 'optimised' and added automatically by Shorewall when an appropriate option is turned on in shorewall.conf (like "AUTO_CONNSECMARK=Yes" for example) so that I do not have to put these in manually. As I already pointed out - in the vast majority of cases SAVE and RESTORE would make sense placed in the above form at the end of each chain so that they take care of preserving and restoring SELinux contexts in connections, so why not add them automatically?

>> 6. Finally, two minor bits, which I am sure will be ironed out by the
>> time the new version of Shorewall is released - it would be good to have
>> a 'sample' secmarks file in the distribution and all man-pages (except
>> shorewall-secmarks) need to reference shorewall-secmarks as is done with
>> all the other sections of the manual.
>>
>
> That's not going to happen either.
>

What isn't going to happen - a new Shorewall version?! Sample files, more like templates really (like empty rules, interfaces and many other files), are provided as part of the Shorewall distribution, so I do not see why including an empty template secmarks file in the final Shorewall distribution is proving to be such a major headache.

As for the man pages - at the end of each man page there is a reference to all other shorewall-* man pages, so I thought it would make sense to include shorewall-secmarks in that list, that's all. Don't see why this is proving to be such a problem, but guessing by your rant below you couldn't be arsed - fair enough.

> <rant> This is basically a one-man project. I get excellent help from a
> group of people that produce packages for various distributions and that
> help with support. But I produce almost all of the code and
> documentation. And writing code is about 20% of my time spent on
> Shorewall; the rest is support, writing documentation, and answering
> posts like yours.
> </rant>
>

Your point being? Soon after I started this thread I agreed to do the testing of SECMARK and CONNSECMARK - a new set of features for YOUR Shorewall Beta4 - and provide YOU with feedback. This is precisely what I have been doing for the past couple of days (and yes, you are not the only one who is "spending time on Shorewall" and "answering posts"), so if you have a problem with that (or me for that matter) just let me know and you won't need to "answer posts like mine" any more. Simple as really.

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
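As an added example (not from the thread and not Shorewall's own code), the shell script below spells out what the SAVE/RESTORE shorthand discussed above stands for at the netfilter level, and implements the check that an "AUTO_CONNSECMARK"-style option would amount to: every chain that labels NEW packets with SECMARK must also end with a CONNSECMARK save for NEW traffic and a CONNSECMARK restore for ESTABLISHED,RELATED traffic, otherwise reply packets arrive unlabelled and SELinux packet policy silently stops applying to them. It assumes the two-column "ACTION CHAIN:STATE" form used in the thread (I = INPUT, O = OUTPUT, N = NEW, ER = ESTABLISHED,RELATED); the sample file is constructed, and the printed rules are plain iptables equivalents, not Shorewall's generated output.

```shell
#!/bin/sh
# Assumed chain shorthand from the thread: only I and O are used here.
chain_name() {
  case "$1" in
    I) echo INPUT ;;
    O) echo OUTPUT ;;
    *) return 1 ;;
  esac
}

# Assumed state shorthand: N = NEW, ER = ESTABLISHED,RELATED.
state_name() {
  case "$1" in
    N)  echo NEW ;;
    ER) echo ESTABLISHED,RELATED ;;
    *)  return 1 ;;
  esac
}

# Translate one "ACTION CHAIN:STATE" entry into the iptables rule it stands for.
# SAVE/RESTORE map to the CONNSECMARK target; anything else is taken to be an
# SELinux context and maps to SECMARK --selctx.
secmark_rule() {
  action=$1
  spec=$2
  chain=$(chain_name "${spec%%:*}") || return 1
  state=$(state_name "${spec#*:}") || return 1
  case "$action" in
    SAVE)    target="CONNSECMARK --save" ;;
    RESTORE) target="CONNSECMARK --restore" ;;
    *)       target="SECMARK --selctx $action" ;;
  esac
  echo "iptables -t mangle -A $chain -m conntrack --ctstate $state -j $target"
}

# Constructed sample secmarks-style file: INPUT is complete, OUTPUT is missing
# its RESTORE entry, so replies on OUTPUT would never get their context back.
SAMPLE='system_u:object_r:httpd_packet_t:s0 I:N
SAVE I:N
RESTORE I:ER
system_u:object_r:httpd_packet_t:s0 O:N
SAVE O:N'

# For every chain that appears with a NEW-state entry, require both the
# trailing "SAVE chain:N" and "RESTORE chain:ER". Prints the missing pieces
# (empty output means the file is complete).
check_connsecmark() {
  missing=""
  for c in I O; do
    echo "$1" | grep -q "^[^ ]* $c:N\$" || continue
    echo "$1" | grep -q "^SAVE $c:N\$" || missing="$missing SAVE-$c"
    echo "$1" | grep -q "^RESTORE $c:ER\$" || missing="$missing RESTORE-$c"
  done
  echo "${missing# }"
}

# Show the rules the sample expands to, then report what is missing.
echo "$SAMPLE" | while read -r action spec; do
  secmark_rule "$action" "$spec"
done
echo "missing: $(check_connsecmark "$SAMPLE")"
```

Run on the sample, the check reports `RESTORE-O`: OUTPUT labels and saves new connections but never restores the context on established traffic, which is exactly the omission an automatic SAVE/RESTORE pair at the end of each chain would prevent.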
