Shorewall users - Nov 2003 - Suggestion on Specificity of REDIRECT

Hello!

We were just wondering if it would be possible to modify Shorewall in a 
future version so that the ORIGINAL DEST field in the "rules" file
could
take zones, or better, the full grammar normally allowed in the DEST 
field when matching other types of firewall rules. The advantage is that 
it would allow aggregation of destination information in cases where we 
need to apply redirection to some interfaces or subnets but not others. 
Since zones provide an extremely convenient and powerful way to refer to 
such aggregations in ordinary rules, it seems like they would be just as 
useful with REDIRECT. Or perhaps is there some iptables/netfilter 
restriction that prevents this?

Thanks!

Tim

On Thu, 6 Nov 2003, Tim Burress wrote:
> Hello!
>
> We were just wondering if it would be possible to modify Shorewall in a
> future version so that the ORIGINAL DEST field in the "rules"
file could
> take zones, or better, the full grammar normally allowed in the DEST
> field when matching other types of firewall rules.
That''s not possible.
> The advantage is that it would allow aggregation of destination
> information in cases where we need to apply redirection to some
> interfaces or subnets but not others.  Since zones provide an extremely
> convenient and powerful way to refer to such aggregations in ordinary
> rules, it seems like they would be just as useful with REDIRECT. Or
> perhaps is there some iptables/netfilter restriction that prevents this?
>
REDIRECT and DNAT occur before the output interface is known. Since
Shorewall zones are defined in terms of both interfaces and IP addresses,
what you are asking simply can''t be done.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net