Hello,

I have my machine with ndpi support and I can create rules like:

iptables -A FORWARD -m ndpi --skype -j DROP

or

iptables -A FORWARD -m ndpi --google -j MARK --set-mark 0x01

(so I can do shaping or mark-based routing).

What would be the best way to integrate it in shorewall besides using /etc/shorewall/start[ed]? A plugin? Any examples?

Later I would like to extend the webmin shorewall module and would like to create it as modular/clean as possible.

Best regards,
Nuno Fernandes

------------------------------------------------------------------------------
Precog is a next-generation analytics platform capable of advanced analytics on semi-structured data. The platform includes APIs for building apps and a phenomenal toolset for data science. Developers can use our toolset for easy data analysis & visualization. Get a free account! http://www2.precog.com/precogplatform/slashdotnewsletter
On 04/22/2013 03:01 AM, Nuno Fernandes wrote:
> I have my machine with ndpi support and I can create rules like:
>
> iptables -A FORWARD -m ndpi --skype -j DROP
>
> or
>
> iptables -A FORWARD -m ndpi --google -j MARK --set-mark 0x01 (so I
> can do shaping or mark-based routing).
>
> What would be the best way to integrate it in shorewall besides
> using /etc/shorewall/start[ed]? A plugin? Any examples?

Currently, the only way is to use start[ed]

-Tom

--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
On Monday 22 April 2013 06:36:59 Tom Eastep wrote:
> On 04/22/2013 03:01 AM, Nuno Fernandes wrote:
> > I have my machine with ndpi support and I can create rules like:
> >
> > iptables -A FORWARD -m ndpi --skype -j DROP
> >
> > or
> >
> > iptables -A FORWARD -m ndpi --google -j MARK --set-mark 0x01 (so I
> > can do shaping or mark-based routing).
> >
> > What would be the best way to integrate it in shorewall besides
> > using /etc/shorewall/start[ed]? A plugin? Any examples?
>
> Currently, the only way is to use start[ed]
>
> -Tom

Hello again,

We can develop the support in shorewall. What would be the best way to have that? Create a patch ourselves and submit it later on?

I think that the best file to store this information is /etc/shorewall/rules. Do you think another file would be better?

Thanks,
Nuno Fernandes
On 04/22/2013 08:36 AM, Nuno Fernandes wrote:
> On Monday 22 April 2013 06:36:59 Tom Eastep wrote:
>
> We can develop the support in shorewall. What would be the best way to
> have that? Create a patch ourselves and submit it later on?
>
> I think that the best file to store this information is
> /etc/shorewall/rules. Do you think another file would be better?

I realized after I responded that you can do what you want using the current 4.5.16 Beta by using the INLINE action. Your iptables and kernel need to be able to mark packets in the filter table because INLINE is currently only available in the rules file (including actions and macros), and in the accounting file.

-Tom

--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
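The INLINE approach Tom describes, written out as an added example that is not part of the thread: two entries for /etc/shorewall/rules in which everything after the ";" is handed to iptables unchanged. The ndpi match options (--skype, --google) and the mark value 0x01 come from Nuno's iptables rules above; the zone names loc and net, and the use of the rules-file MARK column with CONTINUE for the marking case, are assumptions.

```text
#ACTION         SOURCE  DEST  PROTO  DPORT  SPORT  ORIGDEST  RATE  USER  MARK
?SECTION NEW

# Drop Skype flows forwarded from loc to net. "; -m ndpi --skype" is the
# raw iptables match passed through by INLINE.
INLINE(DROP)    loc     net   -      -      -      -         -     -     -     ; -m ndpi --skype

# Mark Google flows (0x01) for shaping or policy routing and keep evaluating
# the remaining rules. Assumed layout: CONTINUE target plus the MARK column,
# which needs the "mark in filter table" capability Tom mentions.
INLINE(CONTINUE) loc    net   -      -      -      -         -     -     0x01  ; -m ndpi --google
```

After editing, run "shorewall check" before "shorewall restart" so a match option your iptables/ndpi build does not support is reported at compile time rather than when the rules are loaded.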
On Monday 22 April 2013 08:54:43 Tom Eastep wrote:
> On 04/22/2013 08:36 AM, Nuno Fernandes wrote:
> > On Monday 22 April 2013 06:36:59 Tom Eastep wrote:
> >
> > We can develop the support in shorewall. What would be the best way to
> > have that? Create a patch ourselves and submit it later on?
> >
> > I think that the best file to store this information is
> > /etc/shorewall/rules. Do you think another file would be better?
>
> I realized after I responded that you can do what you want using the
> current 4.5.16 Beta by using the INLINE action. Your iptables and kernel
> need to be able to mark packets in the filter table because INLINE is
> currently only available in the rules file (including actions and
> macros), and in the accounting file.
>
> -Tom

Thanks.. I'll check it out.

./npf