Date: Thu, 27 Sep 2012 10:13:14 +0200
From: Natanael Copa
To: Kaarle Ritvanen
Cc: "jeremy@thomersonfamily.com", Alpine-devel
Subject: Re: [alpine-devel] awall - forward to/from same port

On Wed, 26 Sep 2012 17:10:13 +0300 (EEST) Kaarle Ritvanen wrote:

> On Wed, 26 Sep 2012, Natanael Copa wrote:
>
> > On Tue, 25 Sep 2012 12:34:53 -0500
> > Jeremy Thomerson wrote:
> >> The problem is that awall didn't create a rule in the forward chain
> >> for -i gre1 -o gre1.
> >
> > Not that it means that awall should do the same, but in shorewall
> > you add an option called "routeback" to the interface definition.
>
> Well, we could add a similar attribute to zone definitions or just make
> awall always generate such rules. The downside of the latter option
> is that those rules are likely unnecessary in most cases, causing a
> slight penalty in performance. What do you think?

Always generate such rules? No, I'd prefer it be optional and default off.

Re adding the feature to filter section vs zone definition, I suppose
the benefit with adding it to zone definition is that it would be
slightly easier to make scripts that port shorewall config to awall.

Would it be possible to support both? So you can do both

    "zone": {
        "T": { "iface": "gre1", "routeback": "true" }
    }

or:

    "zone": {
        "T": { "iface": "gre1", "options": [ "routeback" ] }
    }

and:

    "filter": [
        { "in": "T", "out": "T", "action": "accept" }
    ]

As I understand the latter currently doesn't work.

-nc
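
The three spellings proposed in the message above, reduced to the single same-interface FORWARD rule each of them asks for. This is an added example, not awall's code and not part of the original message. The key names follow the proposal; the helper names, the string-or-list handling of "iface", and the default-off behaviour are assumptions.

```python
import json

# Constructed policy fragments in the forms proposed in the message.
# Not awall's real schema: "routeback" is only the proposed name.
FORMS = {
    "attribute": '{"zone": {"T": {"iface": "gre1", "routeback": "true"}}}',
    "options": '{"zone": {"T": {"iface": "gre1", "options": ["routeback"]}}}',
    "filter": '{"zone": {"T": {"iface": "gre1"}},'
              ' "filter": [{"in": "T", "out": "T", "action": "accept"}]}',
    "default": '{"zone": {"T": {"iface": "gre1"}}}',
}

def zone_ifaces(zone):
    """Return the zone's interfaces as a list (assumed: string or list)."""
    iface = zone.get("iface", [])
    return [iface] if isinstance(iface, str) else list(iface)

def routeback_enabled(zone):
    """True if either proposed zone-level form switches routeback on."""
    flag = zone.get("routeback", False)
    if isinstance(flag, str):          # the message writes the value as "true"
        flag = flag.lower() == "true"
    return bool(flag) or "routeback" in zone.get("options", [])

def same_iface_forward_rules(policy):
    """FORWARD rules for traffic entering and leaving on the same interface."""
    zones = policy.get("zone", {})
    allowed = {name for name, z in zones.items() if routeback_enabled(z)}
    for rule in policy.get("filter", []):
        src = rule.get("in")
        if src in zones and src == rule.get("out") \
                and rule.get("action") == "accept":
            allowed.add(src)           # explicit T -> T filter rule
    return [f"-A FORWARD -i {iface} -o {iface} -j ACCEPT"
            for name in sorted(allowed)
            for iface in zone_ifaces(zones[name])]

def rules_for(label):
    """Parse one of the constructed fragments and return its rules."""
    return same_iface_forward_rules(json.loads(FORMS[label]))

if __name__ == "__main__":
    for label in FORMS:
        print(f"{label:10} {rules_for(label)}")
```

The "default" fragment yields no rule, matching the preference stated in the message that the behaviour be optional and off unless requested.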