[Firehol-devs] user-defined chains

Andrew Schulman andrex at alumni.utexas.net
Thu Jul 26 11:36:29 CEST 2007


> what I did is to allow you create custom actions for whatever you like, 
> which I think is more efficient and more generic.
> For example, this is a firehol.conf:
> 
> ---
> 
> # create the custom action 'mathieu'
> action chain mathieu accept
>    # put custom iptables commands for chain 'mathieu'
>    iptables -F mathieu # empty the chain
>    iptables -A mathieu -m condition --condition mathieu_all_allow -j ACCEPT # accept via proc
>    iptables -A mathieu -m time --timestart 0700 --timestop 2100 -j ACCEPT # accept in working hours
>    iptables -A mathieu -j RETURN # do whatever other rules say
> 
> interface eth0 lan
>    client all mathieu user mathieu
> 
> interface eth1 wan
>    client all mathieu user mathieu
> 
> router internet inface eth1 outface eth0
>    client all mathieu src mathieu.pc.hostname

Costa, thanks.  Yes, I agree that this will do what I want.  It's close to
what I asked for.  My only quibble is that I don't like having all of those
iptables commands-- it takes away from the simplicity of the firehol syntax.
But the more important point is:

> What would be nice too, is to allow FireHOL directives instead of plain 
> iptables commands for controlling the results of the custom action chains.
> I'll think about it...

Right, this is a little tricky.  IOW, should "action chain mathieu" create
just one "mathieu" chain, or should it create parallel "in_mathieu" and
"out_mathieu" chains, as elsewhere in firehol?  I'm not sure, but I think
that two chains would make sense.  In my hand-built firewall, I almost
always do this-- when I have to create a separate chain, I actually make
two, one for input and one for output.

If that were the case, then e.g. "client" commands would make sense under
"action chain".  But it would require more reworking of the code, I agree.

Anyway, thanks for your help on this.
Andrew.
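The two-chain layout Andrew describes (a separate chain for input and for output), sketched as a small POSIX shell script. This is an added illustration written for this archive page, not FireHOL's own generated code and not the syntax proposed in the thread. It assumes the same rule body as the quoted firehol.conf: the `condition` match needs xtables-addons, the `time` match here uses the HH:MM form accepted by current iptables rather than the 0700 form in the quote, and `IPT` defaults to a dry run that only prints the commands so the script can be read and run safely without touching a live firewall.

```shell
#!/bin/sh
# Added example: build a user-defined chain as parallel in_/out_ chains.
# IPT defaults to a dry run that prints each command; set IPT=iptables
# (as root) to apply them on a real host.
IPT="${IPT:-echo iptables}"

# build_custom_chain NAME CONDITION
#   Creates in_NAME and out_NAME with the same body as the quoted example:
#   a /proc-controlled switch (xtables-addons 'condition' match), a
#   working-hours window, then RETURN so the caller's remaining rules decide.
build_custom_chain() {
    name="$1"
    cond="$2"
    for chain in "in_$name" "out_$name"; do
        $IPT -N "$chain"       # create the chain (already exists -> harmless error)
        $IPT -F "$chain"       # empty it so the script is idempotent
        $IPT -A "$chain" -m condition --condition "$cond" -j ACCEPT
        $IPT -A "$chain" -m time --timestart 07:00 --timestop 21:00 -j ACCEPT
        $IPT -A "$chain" -j RETURN
    done
}

# Usage (dry run by default): prints the ten iptables commands
build_custom_chain mathieu mathieu_all_allow
```

In dry-run mode the output is the exact rule set that would be loaded, which makes the generated chains easy to review or diff before applying them. The RETURN at the end of each chain is the important part: packets that match neither the /proc switch nor the time window fall back to whatever the calling chain says, so the custom chain only ever widens access during the window rather than replacing the interface's policy.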