From: Pierre O. <drz...@dr...> - 2008-04-27 20:24:55
I've been experimenting with the new zone nesting feature, but I'm getting nowhere and I'm starting to suspect I expect more from it than it can deliver.

So my first question is if zone nesting relies on the zones being subsets of each other on a network level, i.e. host-based zones where the parent zone is a superset of the child zone. The documentation example is of this type, but it doesn't say that this is required.

I was naively hoping that the CONTINUE policy of a child zone would result in a -j to the parent zone chain(s) in iptables. But no such rules are generated, and I can't really find anything in the code that uses the parent information in a useful way.

My specific case is that I have zones gst, wif and vir, all with their own interfaces. I have a whole bunch of rules that apply to all three and I don't want to make a mess of the rules file by having multiple copies of every rule. So I dug around and found nested zones, which seemed to fit perfectly. I have:

zones:
    dmz     ipv4
    gst:dmz ipv4
    wif:dmz ipv4
    vir:dmz ipv4

interfaces:
    gst eth1
    wif eth2
    vir virt+

policy:
    gst all CONTINUE
    wif all CONTINUE
    vir all CONTINUE

rules:
    ACCEPT dmz all tcp ssh

Rgds
--
-- Pierre Ossman

Linux kernel, MMC maintainer    http://www.kernel.org
PulseAudio, core developer      http://pulseaudio.org
rdesktop, core developer        http://www.rdesktop.org
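The practical goal in the post is to write a rule once and have it apply to gst, wif and vir without hand-copying it three times. The script below is an added example, not part of the mailing-list post and not Shorewall's own code: it reads the child:parent syntax from a zones file (as shown in the post), builds a parent-to-children map, and expands any rule whose SOURCE or DEST names the parent zone into one rule per child zone. It assumes the rules-file columns ACTION SOURCE DEST PROTO DPORT and the constructed sample zones and rules embedded inline; the generated lines are meant to be reviewed and then placed in the real rules file, so the firewall itself never depends on nested-zone semantics.

```python
"""Expand rules written against a parent zone into one copy per child zone.

Added example, not from the mailing-list post or from Shorewall itself. It
assumes the zones-file syntax shown in the post (``child:parent type``) and
rules-file columns ACTION SOURCE DEST PROTO DPORT.
"""
from __future__ import annotations

from collections import defaultdict

# Constructed sample: a zones file matching the post's layout.
ZONES_FILE = """\
#ZONE   TYPE
fw      firewall
net     ipv4
dmz     ipv4
gst:dmz ipv4
wif:dmz ipv4
vir:dmz ipv4
"""

# Constructed sample: rules written once against the parent zone "dmz".
RULES_TEMPLATE = """\
#ACTION SOURCE DEST PROTO DPORT
ACCEPT  dmz    all  tcp   ssh
ACCEPT  dmz    net  tcp   http,https
DROP    dmz    fw   udp   137:139
"""


def parse_zones(text: str) -> dict[str, list[str]]:
    """Return a parent -> [children] map from child:parent zone names.

    Zones declared without a parent get an empty child list; zones that
    only appear as children get no entry, so lookups fall back to the
    zone itself when expanding.
    """
    children: dict[str, list[str]] = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        zone = line.split()[0]
        if ":" in zone:
            child, parent = zone.split(":", 1)
            children[parent].append(child)
        else:
            children.setdefault(zone, [])
    return dict(children)


def expand_rules(rules_text: str, children: dict[str, list[str]]) -> list[str]:
    """Replace a parent zone in SOURCE or DEST with one rule per child zone.

    Comments, blank lines and rules naming zones without children pass
    through unchanged; a parent in both columns yields the cross product.
    """
    out: list[str] = []
    for raw in rules_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            out.append(raw)
            continue
        cols = line.split()
        if len(cols) < 3:
            raise ValueError(f"malformed rule: {raw!r}")
        action, src, dst = cols[0], cols[1], cols[2]
        for s in children.get(src) or [src]:
            for d in children.get(dst) or [dst]:
                out.append(" ".join([action, s, d] + cols[3:]))
    return out


if __name__ == "__main__":
    print("\n".join(expand_rules(RULES_TEMPLATE, parse_zones(ZONES_FILE))))
```

Running it prints the header comment followed by nine rules (three per template line, one each for gst, wif and vir); a rule that names a zone with no children, such as net or fw, is left as it is.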