On 4/22/12 11:39 AM, Ed W wrote:
> On 22/04/2012 18:17, Tom Eastep wrote:
>>
>> Sent from my iPad
>>
>> On Apr 22, 2012, at 10:05 AM, Ed W <[email protected]> wrote:
>>
>>> On 22/04/2012 17:22, Tom Eastep wrote:
>>>> Reject traffic going out of an interface if it doesn't have the correct mark.
>>> Seems too obvious...
>>>
>>> I'm just trying now. I really want to write this:
>>>
>>> DROP:info any !net:eth0 - - - - - - 0x10000/0xF0000
>>>
>>> But I can't negate a destination right?
>> Invert the test!
>>
>
> I don't see how? Note, some connections will have no mark at all (so they route through the main table). If I literally invert the test above I will drop connections with mark 0x20000 and with mark 0 (but we want to keep these).
>
> I am using an action with two continues and a drop, something like:
>
> CONTINUE:info - - - - - - - - 0x0/0xFF0000
> CONTINUE:info - - - - - - - - -
> DROP:info
>
> I think this implements the correct behaviour (obviously setting src/dest/mark in the action call).
I don't see how those particular rules can work, but I agree that if you want to pass A and B on to the following rules and drop the rest, then you need to use an Action with at least two rules. The first is a CONTINUE if A. The second is a DROP if not B.

-Tom

--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
