Request: Submission of Rulesets

Derick Anderson danderson at vikus.com
Thu Aug 25 13:56:04 CEST 2005


 
Out of curiosity (and the lack of fully understanding your intent), how
would this DTD validate a ruleset? I imagine you'd be trying to go
beyond syntax since netfilter will tell you when you do something silly
like a --dport without a -p tcp|udp anyway. If that's so, what is your
standard for failure of a ruleset? Or success of a ruleset? I can submit
a working ruleset that isn't optimal (accepting RELATED,ESTABLISHED
connections as the last rule, for example) or that checks src/dst IPs
but not which interface...

Admittedly I don't know that much about XML and DTDs. I don't know how
powerful DTDs can be, but it seems to me like you'd need a high-level
programming language in order to test for more than syntactical
correctness. A simulation environment for Netfilter rules is something
I'd really like to see.

Derick Anderson


> -----Original Message-----
> From: netfilter-bounces at lists.netfilter.org 
> [mailto:netfilter-bounces at lists.netfilter.org] On Behalf Of 
> Thomas Jones
> Sent: Wednesday, August 24, 2005 6:48 PM
> To: netfilter at lists.netfilter.org
> Subject: Re: Request: Submission of Rulesets
> 
> On Wednesday 24 August 2005 17:36, /dev/rob0 wrote:
> >
> > If I could remember the URL I would post it.
> >
> 
> If you find it forward it to me. Sounds like it could be an 
> interesting trick or two.
> 
> >
> > Ah, *that* was the piece I was missing. You are accepting the rulesets
> > submitted as valid (probably) and are simply using them to test your
> > DTD. Is that it? I thought you were compiling it from the submitted
> > rulesets, and that, I guess we agree, is not possible.
> >
> 
> Some of the targets and matches located in the extra 
> repository have not been introduced. These will definitely 
> take some work. Although progress has been made, I am sure 
> that I have neglected various syntactical portions of the 
> netfilter framework.
> 
> >
> > I still don't, but at least the gibberish issue is cleared up. :)
> 
> Fair enough. ;)
> 
> Cheers,
> Thomas
> 
> 
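The kind of check the message argues needs a real programming language rather than a DTD, as an added Python example (not code from this thread or from the DTD project under discussion): it reads rules in iptables-save syntax from a constructed sample ruleset and flags the three problems named above (a port match without a port-bearing -p, an address match not tied to an interface, and a RELATED,ESTABLISHED accept placed after per-service rules).

```python
# Constructed sample ruleset in iptables-save syntax (not from the thread);
# lines 3, 4 and 5 each carry one of the problems the message describes.
SAMPLE_RULES = """\
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT --dport 80 -j ACCEPT
-A INPUT -s 192.0.2.0/24 -d 198.51.100.7 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
"""

PORT_PROTOCOLS = {"tcp", "udp", "udplite", "sctp", "dccp"}

def flag_value(tokens, *flags):
    """Value following the first of *flags found in tokens, else None."""
    for i, tok in enumerate(tokens[:-1]):
        if tok in flags:
            return tokens[i + 1]
    return None

def lint_ruleset(text):
    """Return [(line_no, message)] for problems a purely syntactic check misses."""
    findings, chains = [], {}
    for line_no, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split()
        if len(tokens) < 2 or tokens[0] != "-A":
            continue                      # only '-A CHAIN ...' lines are rules
        chain, rule = tokens[1], tokens[2:]
        chains.setdefault(chain, []).append((line_no, rule))
        proto = flag_value(rule, "-p", "--protocol")
        if flag_value(rule, "--dport", "--sport") and proto not in PORT_PROTOCOLS:
            findings.append((line_no, "port match without -p tcp|udp|sctp|dccp|udplite"))
        if flag_value(rule, "-s", "-d") and not flag_value(rule, "-i", "-o"):
            findings.append((line_no, "address match not tied to an interface (-i/-o)"))
    # Ordering: the RELATED,ESTABLISHED accept should precede per-service rules;
    # otherwise every packet of an existing connection is re-tested by them first.
    for rules in chains.values():
        for idx, (line_no, rule) in enumerate(rules):
            state = flag_value(rule, "--state", "--ctstate") or ""
            if "ESTABLISHED" not in state.split(",") or flag_value(rule, "-j") != "ACCEPT":
                continue
            earlier = [r for _, r in rules[:idx]
                       if flag_value(r, "-j") == "ACCEPT" and flag_value(r, "--dport", "--sport")]
            if earlier:
                findings.append((line_no, f"RELATED,ESTABLISHED accept placed after {len(earlier)} per-service accept rule(s)"))
    return findings

if __name__ == "__main__":
    for line_no, msg in lint_ruleset(SAMPLE_RULES):
        print(f"line {line_no}: {msg}")
```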


