Re: [alpine-devel] awall - forward to/from same port

From: Natanael Copa <ncopa_at_alpinelinux.org>
Date: Thu, 27 Sep 2012 10:13:14 +0200

On Wed, 26 Sep 2012 17:10:13 +0300 (EEST)
Kaarle Ritvanen <kaarle.ritvanen_at_datakunkku.fi> wrote:

> On Wed, 26 Sep 2012, Natanael Copa wrote:
>
> > On Tue, 25 Sep 2012 12:34:53 -0500
> > Jeremy Thomerson <jeremy_at_thomersonfamily.com> wrote:
> >> The problem is that awall didn't create a rule in the forward chain
> >> for -i gre1 -o gre1.
> >
> > Not that it means that awall should do the same, but in shorewall
> > you add an option called "routeback" to the interface definition.
>
> Well, we could add a similar attribute to zone definitions or just make
> awall always generate such rules. The downside of the latter option
> is that those rules are likely unnecessary in most cases, causing a
> slight penalty in performance. What do you think?

Always generate such rules? No, I'd prefer it be optional and default
off.

Re adding the feature to filter section vs zone definition, I suppose
the benefit with adding it to zone definition is that it would be
slightly easier to make scripts that port shorewall config to awall.

Would it be possible to support both? So you can do both

"zone": { "T": { "iface": "gre1", "routeback": "true" } }

or:

"zone": { "T": { "iface": "gre1", "options": [ "routeback" ] } }

and:

"filter": [
  { "in": "T", "out": "T", "action": "accept" }
]

As I understand, the latter currently doesn't work.

-nc


Received on Thu Sep 27 2012 - 10:13:14 UTC
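
The three spellings proposed in the message above, resolved to the `-i gre1 -o gre1` style forward rule the thread is about, with same-interface forwarding off unless a zone opts in. This is an added illustration, not awall code and not part of the original message; the zone names A to D, the interfaces gre2, gre3 and eth0, the function names, and the assumption that `iface`, `in` and `out` are single strings are all constructed for the example.

```python
import json
import re

# Constructed sample policy: zones A, B and C each use one of the three
# spellings proposed in the message; zone D requests nothing (default off).
SAMPLE = json.loads("""
{
  "zone": {
    "A": { "iface": "gre1", "routeback": "true" },
    "B": { "iface": "gre2", "options": [ "routeback" ] },
    "C": { "iface": "gre3" },
    "D": { "iface": "eth0" }
  },
  "filter": [
    { "in": "C", "out": "C", "action": "accept" },
    { "in": "D", "out": "A", "action": "accept" }
  ]
}
""")

IFACE_RE = re.compile(r"[A-Za-z0-9_.-]{1,15}")  # Linux interface names: max 15 chars

def routeback_zones(policy):
    """Return the zones for which same-zone forwarding was explicitly requested."""
    zones = policy.get("zone", {})
    enabled = set()
    for name, zone in zones.items():
        # The message writes the value as the string "true"; a JSON boolean also passes.
        if str(zone.get("routeback", "")).lower() == "true":
            enabled.add(name)
        if "routeback" in zone.get("options", []):
            enabled.add(name)
    for rule in policy.get("filter", []):
        src = rule.get("in")
        if src in zones and src == rule.get("out") and rule.get("action") == "accept":
            enabled.add(src)
    return enabled

def forward_rules(policy):
    """Emit one FORWARD rule per opted-in zone; nothing is emitted by default."""
    rules = []
    for name in sorted(routeback_zones(policy)):
        iface = policy["zone"][name]["iface"]
        if not IFACE_RE.fullmatch(iface):
            raise ValueError(f"refusing suspicious interface name: {iface!r}")
        rules.append(f"-A FORWARD -i {iface} -o {iface} -j ACCEPT")
    return rules

if __name__ == "__main__":
    print("\n".join(forward_rules(SAMPLE)))
```

Zone D gets no same-interface rule because nothing in the policy asks for one, and the D-to-A filter entry is ignored here because it is ordinary inter-zone forwarding.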