[Firehol-devs] user-defined chains

Andrew Schulman andrex at alumni.utexas.net
Mon Jul 23 15:40:24 BST 2007


> Added helper 'action':
> 
> action [chain <name> <action>]
> The action helper creates an iptables chain which can be used to control the
> action of other firewall rules during runtime.
> 
> For example, you can setup the custom action ACT1, which by default is ACCEPT,
> but under certain cases it can be changed to DROP, REJECT or RETURN without
> restarting the firewall.

Costa, thanks.  I think that I can use this to do what I want, as long as
the 'action chain' command accepts optional rule parameters, e.g.

interface eth0
    action chain mathieu DENY user mathieu

Then I can set up e.g. cron jobs to add or remove RETURN rules to the
'mathieu' chains at certain times, or just do it manually when I want, as
you describe.

However what I'd also like to see is the "chain" top-level command, which
would allow me to add rules directly to that chain within firehol, e.g.

interface eth0
    action chain mathieu DENY user mathieu

chain mathieu
    client all return custom '-m condition --condition mathieu_all_allow'
    client all deny   custom '-m condition --condition mathieu_all_deny'
    client all return custom '-m time --timestart 0700 --timestop 2100'

To me this is a more natural way to solve the problem-- it's how I do it in
my hand-built firewall.  It doesn't require any cron jobs, because the
"time" match already filters on the right times.  And with the "condition"
match, I can run e.g.

echo 1 > /proc/net/nf_condition/mathieu_all_allow

which I find to be more intuitive than 'iptables -A mathieu -j RETURN'.

Another advantage of putting the rules into a user-defined chain is that I
can call the chain from more than one place.  E.g. I can limit mathieu's
traffic from an interface or through a router, with the same set of rules.
Another example is when I have a list of clients that I want to allow on an
interface and a router.  The natural (to me) way to do that is

interface eth0
    action chain common_clients
    ...

router eth1 eth0
    action chain common_clients
    ...

chain common_clients
    client ... accept
    client ... accept

Of course I can work around this by scripting to put the same rules into
both the interface and the router.  Again it's a question of which approach
is more natural.

As the developer it's your call, of course.  I find user-defined chains to
be a more natural way of addressing these problems.  But I think that both
methods can be made to work.

Thanks,
Andrew.
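As an added illustration (not part of the original message and not firehol's own code), the iptables rule set that the proposed 'chain mathieu' block above would expand to, built by a small shell function. It assumes 'user mathieu' maps to the owner match on outgoing traffic, that 'client ... custom' reduces to plain rules in the user chain, and that the condition match (xtables-addons) is available; by default it only prints the commands.

```shell
#!/bin/sh
# Added example: expand a firehol-style user-defined chain into iptables rules.
# Assumptions: 'user mathieu' -> '-m owner --uid-owner', 'client' rules are
# placed on OUTPUT only (a simplification), '-m condition' is installed.
# IPT defaults to a dry run that echoes the commands; set IPT=iptables to apply.
IPT="${IPT:-echo iptables}"

# Emit the rules for one user-defined chain.
#   $1 = chain name (also used as the prefix of the condition names)
#   $2 = local user whose traffic is sent through the chain
#   $3 = outgoing interface
build_user_chain() {
    chain="$1"; uid="$2"; iface="$3"
    $IPT -N "$chain"
    # Manual overrides, toggled with: echo 1 > /proc/net/nf_condition/<name>
    $IPT -A "$chain" -m condition --condition "${chain}_all_allow" -j RETURN
    $IPT -A "$chain" -m condition --condition "${chain}_all_deny" -j DROP
    # Allowed hours; outside them the packet falls through to the default below
    $IPT -A "$chain" -m time --timestart 0700 --timestop 2100 -j RETURN
    # Default action of the chain, i.e. the DENY in 'action chain mathieu DENY'
    $IPT -A "$chain" -j DROP
    # Hook the chain into OUTPUT for that user's traffic on the interface
    $IPT -A OUTPUT -o "$iface" -m owner --uid-owner "$uid" -j "$chain"
}

build_user_chain mathieu mathieu eth0
```

Order matters: the two condition rules sit before the time rule so that a manual allow or deny wins over the schedule, and the unconditional DROP last gives the chain its default.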
