Request: Submission of Rulesets

Derick Anderson danderson at
Thu Aug 25 13:56:04 CEST 2005

Out of curiosity (and the lack of fully understanding your intent), how
would this DTD validate a ruleset? I imagine you'd be trying to go
beyond syntax since netfilter will tell you when you do something silly
like a --dport without a -p tcp|udp anyway. If that's so, what is your
standard for failure of a ruleset? Or success of a ruleset? I can submit
a working ruleset that isn't optimal (accepting RELATED,ESTABLISHED
connections as the last rule, for example) or that checks src/dst IPs
but not which interface...

Admittedly I don't know that much about XML and DTDs. I don't know how
powerful DTDs can be, but it seems to me like you'd need a high-level
programming language in order to test for more than syntactical
correctness. A simulation environment for Netfilter rules is something
I'd really like to see.

Derick Anderson
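As an added illustration of the "beyond syntax" checks the post asks about (not code from the thread, the netfilter project, or the DTD work discussed), here is a small Python linter over plain `iptables -A ...` lines. It flags the three cases named above: `--dport` without `-p tcp|udp`, rules that match src/dst addresses but no interface, and a RELATED,ESTABLISHED accept that is not the first rule in its chain. The rule syntax handled and the sample ruleset are constructed assumptions.

```python
import shlex

def parse_rule(line):
    """Map 'iptables -A INPUT -p tcp --dport 22 -j ACCEPT' to {'-A': 'INPUT', ...}."""
    toks = shlex.split(line)
    if toks and toks[0] == "iptables":
        toks = toks[1:]
    opts, i = {}, 0
    while i < len(toks):
        # every option handled here takes zero or one argument; a following token
        # that is not itself an option is taken as the argument
        if i + 1 < len(toks) and not toks[i + 1].startswith("-"):
            opts[toks[i]] = toks[i + 1]
            i += 2
        else:
            opts[toks[i]] = None
            i += 1
    return opts

def lint_ruleset(lines):
    """Return (rule_number, message) findings for the three concerns raised in the post."""
    findings, seen_in_chain = [], {}
    rules = [parse_rule(l) for l in lines if l.strip() and not l.lstrip().startswith("#")]
    for n, r in enumerate(rules, 1):
        chain = r.get("-A")
        pos = seen_in_chain.get(chain, 0)      # 0-based position of this rule in its chain
        seen_in_chain[chain] = pos + 1
        if "--dport" in r and r.get("-p") not in ("tcp", "udp"):
            findings.append((n, "--dport without -p tcp|udp (netfilter rejects this at load)"))
        if ("-s" in r or "-d" in r) and "-i" not in r and "-o" not in r:
            findings.append((n, "matches src/dst address but not an interface"))
        state = r.get("--state") or r.get("--ctstate") or ""
        if "ESTABLISHED" in state and r.get("-j") == "ACCEPT" and pos > 0:
            findings.append((n, f"RELATED,ESTABLISHED accept is rule {pos + 1} in {chain}; "
                                f"packets of existing connections are checked against the "
                                f"{pos} rule(s) above it first"))
    return findings

# Constructed sample ruleset: loads fine except rule 3, yet trips all three checks.
SAMPLE = """
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT --dport 53 -j ACCEPT
iptables -A INPUT -s 192.0.2.10 -d 192.0.2.20 -j DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -j DROP
""".strip().splitlines()

if __name__ == "__main__":
    for n, msg in lint_ruleset(SAMPLE):
        print(f"rule {n}: {msg}")
```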

> -----Original Message-----
> From: netfilter-bounces at 
> [mailto:netfilter-bounces at] On Behalf Of 
> Thomas Jones
> Sent: Wednesday, August 24, 2005 6:48 PM
> To: netfilter at
> Subject: Re: Request: Submission of Rulesets
> On Wednesday 24 August 2005 17:36, /dev/rob0 wrote:
> >
> > If I could remember the URL I would post it.
> >
> If you find it forward it to me. Sounds like it could be an 
> interesting trick or two.
> >
> > Ah, *that* was the piece I was missing. You are accepting the rulesets
> > submitted as valid (probably) and are simply using them to test your
> > DTD. Is that it? I thought you were compiling it from the submitted
> > rulesets, and that, I guess we agree, is not possible.
> >
> Some of the targets and matches located in the extra 
> repository have not been introduced. These will definitely 
> take some work. Although progress has been made, I am sure 
> that I have neglected various syntactical portions of the 
> netfilter framework.
> >
> > I still don't, but at least the gibberish issue is cleared up. :)
> Fair enough. ;)
> Cheers,
> Thomas
