[Firehol-devs] user-defined chains

Andrew Schulman andrex at alumni.utexas.net
Mon Jul 16 16:05:07 BST 2007


I just posted the following as a feature request at the sf.net page.

I'd like to see a new primary command 'chain', that defines a user-defined
chain and causes following rules to be appended to that chain.  For example:

interface eth0
  client any mathieu user mathieu
  client ...

chain mathieu
  client any return custom '...'
  client any reject custom '...'
  ...

The above would allow me to set up a chain of conditions that apply only to
user mathieu, so I can deny his traffic under certain conditions (e.g. when
he should be sleeping), or otherwise return to allow it to pass under the
same conditions as everyone else's.

The above example is a current requirement of mine, and when the custom
conditions are complicated enough I don't think there's any other way to
meet it except through a user-defined chain.  I have other requirements that
are most naturally met by user-defined chains, but for which there are
workarounds.

A 'chain' command would be simple, and it would add a lot of value.  It
would provide an important feature of firehol that's missing compared to
using plain iptables.

Question:  Is this a feature that's likely to be implemented in firehol
soon?  And if not, and if I develop the feature myself and post a patch
(including documentation), would it be likely to be considered for
inclusion?

Thanks,
Andrew.
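
The plain-iptables rules that a 'chain mathieu' block of the kind proposed above would expand to, written out here as an added example (this is not FireHOL code and not part of the original post). The user name, interface and sleeping hours are assumptions taken from the scenario in the message; the owner match and the time match (xt_time) are standard iptables extensions. The example generalises slightly beyond the post in that it handles a blocking window that does or does not cross midnight.

```shell
#!/bin/sh
# Added example, not FireHOL code and not from the post: the iptables
# commands a FireHOL 'chain <user>' block of the proposed kind would have
# to generate.  User, interface and hours are assumptions (adjust to taste).

# gen_rules USER IFACE START STOP   (times as HH:MM)
# Prints commands that jump USER's outgoing packets on IFACE into a
# user-defined chain named after the user, REJECT them between START and
# STOP (kernel local time), and RETURN so that outside that window the
# packets continue through the ordinary OUTPUT rules like everyone else's.
gen_rules() {
    user=${1:-mathieu}
    iface=${2:-eth0}
    start=${3:-23:00}   # bedtime (assumed)
    stop=${4:-07:00}    # wake-up (assumed)

    # xt_time ranges need timestart < timestop, so a window that crosses
    # midnight is split into two rules; compare HHMM as integers to decide.
    s=$(printf '%s' "$start" | tr -d :)
    e=$(printf '%s' "$stop" | tr -d :)
    if [ "$s" -lt "$e" ]; then
        reject_rules="iptables -A $user -m time --kerneltz --timestart $start --timestop $stop -j REJECT"
    else
        reject_rules="iptables -A $user -m time --kerneltz --timestart $start --timestop 23:59:59 -j REJECT
iptables -A $user -m time --kerneltz --timestart 00:00 --timestop $stop -j REJECT"
    fi

    cat <<EOF
iptables -N $user
# The owner match only works on locally generated packets, i.e. in the
# OUTPUT (and POSTROUTING) chains, which is what FireHOL's 'client' is.
iptables -A OUTPUT -o $iface -m owner --uid-owner $user -j $user
# xt_time compares against UTC unless --kerneltz is given.
$reject_rules
# Falling off the end of a user chain returns anyway; the explicit RETURN
# documents the 'return' rule in the proposal.
iptables -A $user -j RETURN
EOF
}

# Print the rules for the post's scenario when run directly.
gen_rules "$@"
```

Read the output to see what the proposed command saves you from writing by hand, or run it as root with `gen_rules mathieu eth0 | sh`. The per-user conditions all live in the `mathieu` chain and OUTPUT carries a single jump rule, which is exactly the shape the 'chain' command in the proposal would express.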




