From: Jeremy Thomerson
Date: Wed, 26 Sep 2012 09:32:43 -0500
Subject: Re: [alpine-devel] awall - forward to/from same port
To: Kaarle Ritvanen
Cc: Natanael Copa, Alpine-devel
Reply-To: jeremy@thomersonfamily.com

On Wed, Sep 26, 2012 at 9:10 AM, Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi> wrote:

> On Wed, 26 Sep 2012, Natanael Copa wrote:
>
>> On Tue, 25 Sep 2012 12:34:53 -0500
>> Jeremy Thomerson wrote:
>>
>>> The problem is that awall didn't create a rule in the forward chain
>>> for -i gre1 -o gre1.
>>
>> Not that it means that awall should do the same, but in shorewall you
>> add an option called "routeback" to the interface definition.
>
> Well, we could add a similar attribute to zone definitions or just make
> awall always generate such rules. The downside of the latter option is that
> those rules are likely unnecessary in most cases, causing a slight penalty
> in performance. What do you think?

Perhaps we could add the attribute to the filter definition instead. i.e.:

    {
        "in": "T",
        "out": "T",
        "action": "accept",
        "routeback": "true"
    }

OR:

    {
        "in": "T",
        "out": "T",
        "action": "acceptandrouteback"
    }
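
Added example, not part of the original message and not awall code: a small Python audit that checks an `iptables-save` dump for the same-interface FORWARD rule (`-i gre1 -o gre1`) discussed in this thread. The sample ruleset, every interface name other than gre1, and the helper names `iface_matches` and `routeback_verdict` are constructed for illustration.

```python
import shlex

# Constructed sample in iptables-save format; interface names other than gre1 are made up.
SAMPLE_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o gre1 -j ACCEPT
-A FORWARD -i gre2 -o gre2 -j ACCEPT
-A FORWARD -i tun+ -o tun+ -p tcp -j ACCEPT
COMMIT
"""

def iface_matches(pattern, name):
    """iptables interface match: a trailing '+' is a prefix wildcard."""
    if pattern.endswith("+"):
        return name.startswith(pattern[:-1])
    return pattern == name

def routeback_verdict(ruleset, iface):
    """Return (target, rule) for the first filter/FORWARD rule whose -i and -o
    both match iface, or (chain policy, None) when there is none.
    Rules without both -i and -o, and negated matches, are skipped; other
    match options (-p, -m ...) are not evaluated, so read the returned rule."""
    table, policy = None, None
    for line in ruleset.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif table != "filter":
            continue
        elif line.startswith(":FORWARD "):
            policy = line.split()[1]
        elif line.startswith("-A FORWARD "):
            tok = shlex.split(line)
            opt = {}
            for i, t in enumerate(tok[:-1]):
                if t in ("-i", "-o", "-j"):
                    # A preceding "!" negates the match; record it as unusable.
                    opt[t] = None if i and tok[i - 1] == "!" else tok[i + 1]
            if opt.get("-i") and opt.get("-o") and all(
                    iface_matches(opt[k], iface) for k in ("-i", "-o")):
                return opt.get("-j"), line
    return policy, None

if __name__ == "__main__":
    for name in ("gre1", "gre2", "tun0"):
        print(name, routeback_verdict(SAMPLE_RULESET, name))
```

In the constructed ruleset gre1 falls through to the chain policy, which is the situation reported at the start of the thread; the returned rule text lets a reviewer see any extra match conditions that narrow an ACCEPT.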