Add some comments.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2012-06-11 11:25:19 -07:00
parent 1d0ab43fbb
commit c57f627a21

@ -301,7 +301,28 @@ our $VERSION = 'MODULEVERSION';
# Only 'referenced' chains get written to the iptables-restore input.
#
# 'loglevel', 'synparams', 'synchain', 'audit' and 'default' only apply to policy chains.
###########################################################################################################################################
#
# For each ordered pair of zones, there may exist a 'canonical rules chain' in the filter table; the name if this chain is formed by
# joining the names of the zones using the ZONE_SEPARATOR ('2' or '-'). This chain contains the rules that specifically deal with
# connections from the first zone to the second. These chains will end with the policy rules when EXPAND_POLICIES=Yes and when there is an
# explicit policy for the order pair. Otherwise, unless the applicable policy is CONTINUE, the chain will terminate with a jump to a
# wildcard policy chain (all[2-]zone, zone[2-]all, or all[2-]all).
#
#
# Except in the most trivial one-interface configurations, each zone has a "forward chain" which is branched to from the filter table
# FORWARD chain.
#
# For each network interface, there are up to 6 chains in the filter table:
#
# - Input, Output, Forward "Interface Chains"
# These are present when there is more than one zone associated with the interface. They are jumped to from the INPUT, OUTPUT and
# FORWARD chains respectively.
# - Input Option, Output Option and Forward "Interface Option Chains"
# Used when blacklisting is involved for enforcing interface options that require Netfilter rules. When these chains are not used,
# any rules that they contained are moved to the corresponding interface chains.
#
our %chain_table;
our $raw_table;
our $rawpost_table;
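Review bot: the added comment block carries two typos that should be fixed in this hunk: "the name if this chain is formed by" should read "the name of this chain is formed by", and "an explicit policy for the order pair" should read "an explicit policy for the ordered pair". Two smaller points in the same block: the sentence "Used when blacklisting is involved for enforcing interface options that require Netfilter rules" leaves it unclear whether blacklisting is itself one of the conditions that creates the option chains or a separate one, so it is worth rewording to list the conditions explicitly; and the two consecutive bare "#" lines between the canonical-rules-chain paragraph and the forward-chain paragraph can be collapsed to one to match the spacing used elsewhere in the block.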