On 22/04/2012 18:17, Tom Eastep wrote:
>
> Sent from my iPad
>
> On Apr 22, 2012, at 10:05 AM, Ed W <[email protected]> wrote:
>
>> On 22/04/2012 17:22, Tom Eastep wrote:
>>> Reject traffic going out of an interface if it doesn't have the correct
>>> mark.
>> Seems too obvious...
>>
>> I'm just trying now. I really want to write this:
>>
>>     DROP:info any !net:eth0 - - - - - - 0x10000/0xF0000
>>
>> But I can't negate a destination, right?
> Invert the test!
>
I don't see how? Note, some connections will have no mark at all (so they route through the main table). If I literally invert the test above I will drop connections with mark 0x20000 and with mark 0 (but we want to keep these).

I am using an action with two continues and a drop, something like:

    CONTINUE:info - - - - - - - - 0x0/0xFF0000
    CONTINUE:info - - - - - - - - -
    DROP:info

I think this implements the correct behaviour (obviously setting src/dest/mark in the action call).

Am I missing something simpler?

Many thanks

Ed W

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
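To make the mark-matching argument in the thread concrete, here is an added example (not code from the thread or from the Shorewall project): a small simulator of the "value/mask" test that Shorewall's MARK column performs, which is the iptables test `(mark & mask) == value`. It compares a literal inversion of the DROP rule with the CONTINUE / CONTINUE / DROP action Ed describes. The mark value `0x10000`, the mask `0xF0000` and the sample marks are constructed assumptions for illustration; the thread itself uses two different masks (`0xF0000` and `0xFF0000`), and a single one is used here for clarity.

```python
# Added example, not part of the original mailing-list post.
# Simulates how a Shorewall MARK column test ("value/mask") evaluates and
# shows why a naive inverted DROP discards unmarked connections while the
# two-CONTINUE-then-DROP action keeps them.

WANTED_MARK = 0x10000   # constructed: the mark allowed out of this interface
MASK = 0xF0000          # constructed: mask covering the routing-mark nibble


def mark_matches(mark: int, value: int, mask: int) -> bool:
    """iptables/Shorewall mark test: true when (mark & mask) == value."""
    return (mark & mask) == value


def naive_inverted(mark: int) -> str:
    """Literal inversion of the rule: DROP unless the mark is WANTED_MARK/MASK.

    This is the behaviour Ed objects to: an unmarked packet (mark 0, routed
    through the main table) fails the test and is dropped too.
    """
    if not mark_matches(mark, WANTED_MARK, MASK):
        return "DROP"
    return "CONTINUE"   # rule did not fire; packet goes on to later rules


def continue_continue_drop(mark: int) -> str:
    """Ed's action: CONTINUE if unmarked, CONTINUE if correctly marked,
    otherwise DROP. Rules are evaluated in order; first match wins."""
    rules = [
        ("CONTINUE", 0x0, MASK),           # no mark at all: keep (main table)
        ("CONTINUE", WANTED_MARK, MASK),   # correct mark for this interface: keep
    ]
    for target, value, mask in rules:
        if mark_matches(mark, value, mask):
            return target
    return "DROP"                          # any other mark: wrong interface


def compare(marks):
    """Map each sample mark to (inverted-test verdict, action verdict)."""
    return {m: (naive_inverted(m), continue_continue_drop(m)) for m in marks}


if __name__ == "__main__":
    # Constructed sample marks: unmarked, correct, wrong, correct with low bits set.
    for mark, (naive, action) in compare([0x0, 0x10000, 0x20000, 0x10005]).items():
        print(f"mark {mark:#08x}: inverted-test={naive:8} action={action}")
```

The last sample (`0x10005`) shows that only the bits under the mask take part in the comparison, so a rule keyed on the routing nibble is unaffected by other marks the firewall may set in the low bits.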
