Request: Submission of Rulesets
danderson at vikus.com
Thu Aug 25 13:56:04 CEST 2005
Out of curiosity (and the lack of fully understanding your intent), how
would this DTD validate a ruleset? I imagine you'd be trying to go
beyond syntax since netfilter will tell you when you do something silly
like a --dport without a -p tcp|udp anyway. If that's so, what is your
standard for failure of a ruleset? Or success of a ruleset? I can submit
a working ruleset that isn't optimal (accepting RELATED,ESTABLISHED
connections as the last rule, for example) or that checks src/dst IPs
but not which interface...
Admittedly I don't know that much about XML and DTDs. I don't know how
powerful DTDs can be, but it seems to me like you'd need a high-level
programming language in order to test for more than syntactical
correctness. A simulation environment for Netfilter rules is something
I'd really like to see.
> -----Original Message-----
> From: netfilter-bounces at lists.netfilter.org
> [mailto:netfilter-bounces at lists.netfilter.org] On Behalf Of
> Thomas Jones
> Sent: Wednesday, August 24, 2005 6:48 PM
> To: netfilter at lists.netfilter.org
> Subject: Re: Request: Submission of Rulesets
> On Wednesday 24 August 2005 17:36, /dev/rob0 wrote:
> > If I could remember the URL I would post it.
> If you find it forward it to me. Sounds like it could be an
> interesting trick or two.
> > Ah, *that* was the piece I was missing. You are accepting the rulesets
> > submitted as valid (probably) and are simply using them to test your
> > DTD. Is that it? I thought you were compiling it from the submitted
> > rulesets, and that, I guess we agree, is not possible.
> Some of the targets and matches located in the extra
> repository have not been introduced. These will definitely
> take some work. Although progress has been made, I am sure
> that I have neglected various syntactical portions of the
> netfilter framework.
> > I still don't, but at least the gibberish issue is cleared up. :)
> Fair enough. ;)
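The poster's distinction between what a DTD can catch (syntax) and what only a higher-level check can catch (a poorly ordered or weak ruleset) is illustrated by this added example, which is not part of the thread or of any netfilter tool. It is a small Python linter over constructed iptables-save style lines that separates findings netfilter itself would reject ("syntax", such as --dport without -p tcp|udp) from ones it would load without complaint ("semantic", such as the RELATED,ESTABLISHED accept sitting after per-packet matches, or src/dst matches with no interface); the sample addresses and rules are made up for the demonstration.

```python
# Constructed sample in iptables-save syntax (not taken from the thread).
SAMPLE_RULES = [
    "-A INPUT -i lo -j ACCEPT",
    "-A INPUT -s 10.0.0.0/8 -d 192.0.2.10 -j ACCEPT",
    "-A INPUT --dport 22 -j ACCEPT",
    "-A INPUT -p tcp --dport 80 -j ACCEPT",
    "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT",
]

# Matches that inspect individual packets; a state ACCEPT placed after
# these forces every established packet through them needlessly.
PER_PACKET_FLAGS = ("-p", "-s", "-d", "--dport", "--sport")


def parse_rule(line):
    """Turn one '-A CHAIN ...' line into {'chain': str, 'opts': {flag: value}}."""
    toks = line.split()
    rule = {"chain": None, "opts": {}}
    i = 0
    while i < len(toks):
        flag = toks[i]
        has_val = i + 1 < len(toks) and not toks[i + 1].startswith("-")
        val = toks[i + 1] if has_val else True
        if flag == "-A":
            rule["chain"] = val
        else:
            rule["opts"][flag] = val
        i += 2 if has_val else 1
    return rule


def lint_ruleset(lines):
    """Return (index, kind, message) findings. 'syntax' = netfilter would
    reject the rule anyway; 'semantic' = loads fine but is weak or suboptimal."""
    findings = []
    rules = [parse_rule(l) for l in lines]
    for n, r in enumerate(rules):
        o = r["opts"]
        if ("--dport" in o or "--sport" in o) and o.get("-p") not in ("tcp", "udp"):
            findings.append((n, "syntax", "port match without -p tcp|udp"))
        if ("-s" in o or "-d" in o) and not ("-i" in o or "-o" in o):
            findings.append((n, "semantic", "address match with no interface"))
        if "ESTABLISHED" in str(o.get("--state", "")) and o.get("-j") == "ACCEPT":
            earlier = [m for m in range(n) if rules[m]["chain"] == r["chain"]
                       and any(f in rules[m]["opts"] for f in PER_PACKET_FLAGS)]
            if earlier:
                findings.append((n, "semantic", "RELATED,ESTABLISHED accept not at top of chain"))
    return findings


if __name__ == "__main__":
    for idx, kind, msg in lint_ruleset(SAMPLE_RULES):
        print(f"rule {idx}: [{kind}] {msg}")
```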