Add explanation of maximum zone length

Signed-off-by: Tom Eastep <teastep@shorewall.net>

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9690 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2009-03-15 15:54:29 +00:00
parent 8dd7895609
commit fc3a2fc386
3 changed files with 85 additions and 2 deletions

@ -281,7 +281,8 @@ our %validlevels;
# initialize() function does globals initialization for this # initialize() function does globals initialization for this
# module and is called from an INIT block below. The function is # module and is called from an INIT block below. The function is
# also called by Shorewall::Compiler::compiler at the beginning of # also called by Shorewall::Compiler::compiler at the beginning of
# the second and subsequent calls to that function. # the second and subsequent calls to that function and when compiling
# for IPv6.
# #
sub initialize( $ ) { sub initialize( $ ) {
$family = shift; $family = shift;
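Review bot: the updated comment explains when initialize() is called but still leaves its single argument undocumented, even though `$family = shift;` directly below shows the function receives the address family being compiled for; add one line such as `# The argument is the address family being compiled for.` so the new "when compiling for IPv6" remark ties back to the parameter it depends on.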

@ -1,4 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry> <refentry>
<refmeta> <refmeta>
<refentrytitle>shorewall-zones</refentrytitle> <refentrytitle>shorewall-zones</refentrytitle>
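Review bot: the added DOCTYPE declares DocBook XML V4.4 and resolves docbookx.dtd over plain http, which is fine for validation, but check that the shorewall6-zones.xml document touched by this same commit carries the identical declaration (its hunk starts at line 46 rather than 44, so its header region is not shown here), so that both man pages validate against the same DTD and a later DTD upgrade is a single change.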
@ -44,6 +46,46 @@
default LOGFORMAT, zone names can be at most 5 characters default LOGFORMAT, zone names can be at most 5 characters
long.</para> long.</para>
<blockquote>
<para>The maximum length of an iptables log prefix is 29 bytes. As
explained in <ulink
url="shorewall.conf.html">shorewall.conf</ulink> (5), the default
LOGPREFIX formatting string is “Shorewall:%s:%s:” where the first
%s is replaced by the chain name and the second is replaced by the
disposition.</para>
<itemizedlist>
<listitem>
<para>The default formatting string has 12 fixed characters
("Shorewall" and three colons).</para>
</listitem>
<listitem>
<para>The longest of the standard dispositions are ACCEPT and
REJECT which have 6 characters each.</para>
</listitem>
<listitem>
<para>The canonical name for the chain containing the rules
for traffic going from zone 1 to zone 2 is "&lt;zone
1&gt;2&lt;zone 2&gt;".</para>
</listitem>
<listitem>
<para>So if M is the maximum zone name length, such chains can
have length 2*M + 1.</para>
<simplelist>
<member>12 + 6 + 2*M + 1 = 29 which reduces to</member>
<member>2*M = 29 - 12 - 6 = 11 or</member>
<member>M = 5</member>
</simplelist>
</listitem>
</itemizedlist>
</blockquote>
<para>The order in which Shorewall matches addresses from packets to <para>The order in which Shorewall matches addresses from packets to
zones is determined by the order of zone declarations. Where a zone zones is determined by the order of zone declarations. Where a zone
is nested in one or more other zones, you may either ensure that the is nested in one or more other zones, you may either ensure that the
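Review bot: the arithmetic in the simplelist does not follow from the equation it starts with: `12 + 6 + 2*M + 1 = 29` reduces to `2*M = 29 - 12 - 6 - 1 = 10`, not `2*M = 29 - 12 - 6 = 11`, and `M = 5` only follows once the `+ 1` for the "2" in `<zone 1>2<zone 2>` is subtracted; the relation is also an upper bound rather than an equality, so the first member should read `12 + 6 + 2*M + 1 <= 29` (or the text should say the total may not exceed 29). A smaller point: the paragraph calls the setting the "LOGPREFIX formatting string" while the unchanged line just above it ("default LOGFORMAT") and the rest of the page use LOGFORMAT; use one name so readers can find the option in shorewall.conf(5).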

@ -46,6 +46,46 @@
default LOGFORMAT, zone names can be at most 5 characters default LOGFORMAT, zone names can be at most 5 characters
long.</para> long.</para>
<blockquote>
<para>The maximum length of an iptables log prefix is 29 bytes. As
explained in <ulink
url="shorewall.conf.html">shorewall6.conf</ulink> (5), the default
LOGPREFIX formatting string is “Shorewall:%s:%s:” where the first
%s is replaced by the chain name and the second is replaced by the
disposition.</para>
<itemizedlist>
<listitem>
<para>The default formatting string has 12 fixed characters
("Shorewall" and three colons).</para>
</listitem>
<listitem>
<para>The longest of the standard dispositions are ACCEPT and
REJECT which have 6 characters each.</para>
</listitem>
<listitem>
<para>The canonical name for the chain containing the rules
for traffic going from zone 1 to zone 2 is "&lt;zone
1&gt;2&lt;zone 2&gt;".</para>
</listitem>
<listitem>
<para>So if M is the maximum zone name length, such chains can
have length 2*M + 1.</para>
<simplelist>
<member>12 + 6 + 2*M + 1 = 29 which reduces to</member>
<member>2*M = 29 - 12 - 6 = 11 or</member>
<member>M = 5</member>
</simplelist>
</listitem>
</itemizedlist>
</blockquote>
<para>The order in which Shorewall6 matches addresses from packets <para>The order in which Shorewall6 matches addresses from packets
to zones is determined by the order of zone declarations. Where a to zones is determined by the order of zone declarations. Where a
zone is nested in one or more other zones, you may either ensure zone is nested in one or more other zones, you may either ensure
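Review bot: the ulink in this hunk has url="shorewall.conf.html" while its link text reads shorewall6.conf (5); since this is the IPv6 man page, either the href should point at the shorewall6.conf page (presumably shorewall6.conf.html, which is not visible in this diff) or the text should name the page it actually links to. The derivation also carries the same slip as the shorewall-zones.xml hunk: from `12 + 6 + 2*M + 1 = 29` you get `2*M = 10`, not `29 - 12 - 6 = 11`, and the relation should be an upper bound (`<= 29`) for `M = 5` to follow. Since the block is duplicated verbatim across both man pages, fix the arithmetic and the LOGPREFIX/LOGFORMAT naming in both in the same commit so they do not drift apart.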