Mario R. Pizzolanti
2004-Feb-11 15:27 UTC
[Shorewall-devel] Shorewall, ipp2p and ipt_CONNTRACK
Hi!

Taking into consideration the great speed with which the use of P2P filesharing systems is expanding, is there any plan of including ipp2p and ipt_CONNTRACK support into shorewall? I'm sure that many admins managing gateways would be very happy about it...

Thanx,
--
Mario R. Pizzolanti <mario@zavood.ee>
Zavood O?
On Wednesday 11 February 2004 03:23 pm, Mario R. Pizzolanti wrote:
> Hi!
> Taking into consideration the great speed with which the use of P2P
> filesharing systems is expanding, is there any plan of including ipp2p
> and ipt_CONNTRACK support into shorewall? I'm sure that many admins
> managing gateways would be very happy about it...

My policy has always been and will continue to be that Shorewall will not contain support for Netfilter features that are not part of the standard distribution from kernel.org.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
But is it possible for a user to add their own support for non-standard Netfilter features with the new action files, or are the list of supported features buried deep inside the Shorewall scripts?

I have always appreciated the simple relational DB look of the Shorewall configuration files. Would it be possible to modify Shorewall so the existing Netfilter features were described in a table with the code extracted out of the basic Shorewall script into "stored procedures". Then when someone wanted to use a non-standard module they could add an entry in the "feature" table and supply some "stored procedures/code snippets" that are invoked at appropriate times. The "stored procedures" and appropriate might need a little of the Tom E. magic to get working.

Thanks,
--
Steve Herber   herber@thing.com   work: 206-221-7262
Security Engineer, UW Medicine, IT Services   home: 425-454-2399

On Wed, 11 Feb 2004, Tom Eastep wrote:
> On Wednesday 11 February 2004 03:23 pm, Mario R. Pizzolanti wrote:
> > Hi!
> > Taking into consideration the great speed with which the use of P2P
> > filesharing systems is expanding, is there any plan of including ipp2p
> > and ipt_CONNTRACK support into shorewall? I'm sure that many admins
> > managing gateways would be very happy about it...
>
> My policy has always been and will continue to be that Shorewall will not
> contain support for Netfilter features that are not part of the standard
> distribution from kernel.org.
>
> -Tom
On Wed, 11 Feb 2004, Steve Herber wrote:
> But is it possible for a user to add their own support for non-standard
> Netfilter features with the new action files, or are the list of supported
> features buried deep inside the Shorewall scripts?
>
> I have always appreciated the simple relational DB look of the Shorewall
> configuration files. Would it be possible to modify Shorewall so the
> existing Netfilter features were described in a table with the code
> extracted out of the basic Shorewall script into "stored procedures".
> Then when someone wanted to use a non-standard module they could add
> an entry in the "feature" table and supply some "stored procedures/code
> snippets" that are invoked at appropriate times. The "stored procedures"
> and appropriate might need a little of the Tom E. magic to get working.

The new 'action' facility allows you to create chains and rules to your heart's content (assuming that you are using Shorewall 2.0):

If you want to define action "foo" with new and amazing capabilities then:

a) Create the empty file action.foo
b) Create /etc/shorewall/foo and in that file, you can do anything possible in a shell script. The script will be run using the Bourne shell "." command at the time that Shorewall actions are being processed (just before the rules file is processed) during shorewall [re]start.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Wed, 11 Feb 2004, Tom Eastep wrote:
>
> The new 'action' facility allows you to create chains and rules to your
> heart's content (assuming that you are using Shorewall 2.0):
>
> If you want to define action "foo" with new and amazing capabilities then:
>
> a) Create the empty file action.foo
> b) Create /etc/shorewall/foo and in that file, you can do anything
> possible in a shell script. The script will be run using the Bourne shell
> "." command at the time that Shorewall actions are being processed (just
> before the rules file is processed) during shorewall [re]start.

Put another way, I think that the 2.0 action facility together with the existing extension scripts can be used to extend Shorewall to handle new Netfilter capabilities without having to alter the basic Shorewall code. If any developer finds the need for a new extension script, I'll be happy to add it.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
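As an added example (not code from this thread or from Shorewall itself) of the two-step recipe Tom gives for action "foo" and the extension-script point in his follow-up: a constructed /etc/shorewall/foo that a gateway admin could use to enforce a no-P2P policy with the out-of-tree ipp2p match, guarded so a box without the match still restarts cleanly. It assumes the action's chain is named "foo", that `--ipp2p` is the extension's match-everything option, and that `iptables -m ipp2p --help` fails when the extension is absent; the function and variable names are this example's own.

```shell
#!/bin/sh
# /etc/shorewall/foo -- extension script for a hypothetical Shorewall 2.0
# action "foo" (added example, not from the thread). Shorewall sources it
# with "." while actions are processed, so it runs inside the firewall
# script's own shell: an unguarded failing command here aborts the restart.
# Assumed: the action's chain is named after the action ("foo") and the
# empty companion file action.foo already exists.

ACTION_CHAIN=foo
IPTABLES=${IPTABLES:-iptables}   # set IPTABLES="echo iptables" for a dry run

# Append one rule to the action chain. Routing every rule through this helper
# keeps the chain name in one place and lets a dry run show exactly what loads.
foo_rule() {
    $IPTABLES -A "$ACTION_CHAIN" "$@"
}

# True when the userspace extension for match $1 can be loaded. A non-standard
# match such as ipp2p may be missing on a given box; probing first lets the
# action degrade to an empty chain instead of breaking "shorewall restart".
foo_match_available() {
    $IPTABLES -m "$1" --help >/dev/null 2>&1
}

# Populate the chain: log matched traffic at a bounded rate (a busy client
# must not flood syslog), then drop it. Extra arguments are the match
# expression prepended to every rule; the prefix keeps entries greppable.
foo_load() {
    foo_rule "$@" -m limit --limit 5/min -j LOG --log-prefix "Shorewall:foo:DROP:"
    foo_rule "$@" -j DROP
}

# Only fill the chain when the match this action depends on is present.
# "--ipp2p" is assumed to be the extension's match-any-protocol option.
if foo_match_available ipp2p; then
    foo_load -m ipp2p --ipp2p
fi
```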