On 5/8/11 5:54 PM, Mr Dash Four wrote:
>
>>> My point is that if a class is defined for a particular interface (as is
>>> "a:11" in my case for eth0) this will ever produce only one match and
>>> that is when this interface is involved, isn't that so?
>>>
>>
>> No -- it will match traffic going to 10.1.1.1 out of *any* interface. It
>> will only be useful if the traffic is going out of eth0. Attached is a
>> patch that interprets this rule:
>>
>> a:11 - 10.1.1.1 tcp 22
>>
>> as
>>
>> a:11 - eth0:10.1.1.1 tcp 22
>>
>> (assuming that eth0 == device a).
>>
> Am I likely to face similar issues with tcfilters?
>
> Same scenario:
>
> tcfilters
> ba:11 10.1.1.1 - tcp 22
> bb:21 10.1.1.1 - tcp 22
>
> (ba is the ifb0 device derived from eth0, bb is the ifb1 device derived
> from tun0). Should I assume that packets would get properly "redirected"
> to the interface that class belongs to?

In tcfilters, Shorewall uses the first column (classid) to pick the
interface to attach the filter to.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
