On 1/7/19 2:04 PM, Naveen Neelakanta wrote:
> Hi Tom,
>
> iptables/netfilter allows us to match based on a device group and the
> net devices can be added or removed from a device group like below:
>
> ip link set dev eth0 group 42
> ip link set dev eth1 group 42
> ip link show group 42
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
> state UP mode DEFAULT group notrack_interfaces qlen 1000
>     link/ether 00:0c:29:a1:3f:ce brd ff:ff:ff:ff:ff:ff
> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
> state UP mode DEFAULT group notrack_interfaces qlen 1000
>     link/ether 00:0c:29:a1:3f:d8 brd ff:ff:ff:ff:ff:ff
>
> Now this can be used to match a dev group like below:
>
> iptables -t raw -I PREROUTING 1 -m devgroup --src-group 42 -j CT --notrack
> iptables -t raw -I OUTPUT 1 -m devgroup --dst-group 42 -j CT --notrack
>
> Can this be achieved using Shorewall? If possible, can you please share
> an example.
>

It cannot be accomplished in the raw table, because the 'conntrack' file
does not currently allow inline matches. In those files that do allow
inline matches, you can accomplish this by following the rule with:

        ;; -m devgroup --{src|dst}-group nn

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
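As an added illustration (not part of the thread) of the `;;` inline-match form Tom describes, here is what entries in a Shorewall `rules` file would look like. It assumes the `rules` file is one of the files that accept inline matches, that a `net` zone and `$FW` are already defined, and it uses the device group number from the question; these rules live in the filter table and do not give the raw-table NOTRACK behaviour the question asks about.

```shorewall
#ACTION   SOURCE   DEST   PROTO   DPORT
# Accept SSH from the net zone only when the packet arrived on an
# interface that belongs to device group 42 (assumed example).
ACCEPT    net      $FW    tcp     22 ;; -m devgroup --src-group 42
# Same idea on the outbound side: only when the packet leaves through
# an interface in device group 42.
ACCEPT    $FW      net    tcp     443 ;; -m devgroup --dst-group 42
```

Everything after `;;` is handed to iptables unchanged, so the match options are exactly those of the `devgroup` module shown in the question.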
