Out of curiosity (and the lack of fully understanding your intent), how would this DTD validate a ruleset? I imagine you'd be trying to go beyond syntax since netfilter will tell you when you do something silly like a --dport without a -p tcp|udp anyway. If that's so, what is your standard for failure of a ruleset? Or success of a ruleset? I can submit a working ruleset that isn't optimal (accepting RELATED,ESTABLISHED connections as the last rule, for example) or that checks src/dst IPs but not which interface...

Admittedly I don't know that much about XML and DTDs. I don't know how powerful DTDs can be, but it seems to me like you'd need a high-level programming language in order to test for more than syntactical correctness.

A simulation environment for Netfilter rules is something I'd really like to see.

Derick Anderson

> -----Original Message-----
> From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Thomas Jones
> Sent: Wednesday, August 24, 2005 6:48 PM
> To: netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: Re: Request: Submission of Rulesets
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Wednesday 24 August 2005 17:36, /dev/rob0 wrote:
> >
> > If I could remember the URL I would post it.
> >
>
> If you find it forward it to me. Sounds like it could be an interesting trick or two.
>
> >
> > Ah, *that* was the piece I was missing. You are accepting the rulesets
> > submitted as valid (probably) and are simply using them to test your
> > DTD. Is that it? I thought you were compiling it from the submitted
> > rulesets, and that, I guess we agree, is not possible.
> >
>
> Some of the targets and matches located in the extra repository have not been introduced. These will definitely take some work. Although progress has been made, I am sure that I have neglected various syntactical portions of the netfilter framework.
>
> >
> > I still don't, but at least the gibberish issue is cleared up. :)
> >
>
> Fair enough. ;)
>
> Cheers,
> Thomas
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (GNU/Linux)
>
> iD8DBQFDDPlAoR5cE1e/kEIRAnTvAJ9MdKaDz6DME9g7XQRhK9ZfCHq8fQCcDQJq
> Y9zJBZ5HNohUBV8e0eg/D7Y=
> =h+/H
> -----END PGP SIGNATURE-----
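
An added example, not part of the thread and not code from any participant: a small Python linter for the three beyond-syntax cases the message above mentions (a port match without a protocol, an address match without an interface, and a RELATED,ESTABLISHED accept placed last in its chain). The sample ruleset, the function names and the finding messages are constructed for illustration, and the parser assumes simple `-A` lines in iptables-save style.

```python
import shlex

# Constructed sample ruleset in iptables-save style (not taken from the thread).
SAMPLE = """\
-A INPUT -s 10.0.0.0/8 -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
-A INPUT --dport 80 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
"""

# Protocols whose match extensions provide --sport/--dport.
PORT_PROTOS = {"tcp", "udp", "udplite", "sctp", "dccp"}

def parse(line):
    """Turn one '-A CHAIN ...' line into (chain, {option: value})."""
    tokens = shlex.split(line)
    opts, i = {}, 2
    while i < len(tokens):
        has_val = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
        opts[tokens[i]] = tokens[i + 1] if has_val else True
        i += 2 if has_val else 1
    return tokens[1], opts

def lint(ruleset):
    """Return (rule_number, message) findings that a syntax check would not give."""
    rules = [parse(l) for l in ruleset.splitlines() if l.startswith("-A ")]
    findings = []
    for n, (chain, o) in enumerate(rules, 1):
        proto = o.get("-p") or o.get("--protocol")
        if ("--dport" in o or "--sport" in o) and proto not in PORT_PROTOS:
            findings.append((n, "port match without a port-capable -p"))
        if ("-s" in o or "-d" in o) and not (o.keys() & {"-i", "-o"}):
            findings.append((n, "address match without interface"))
        states = set(str(o.get("--state", o.get("--ctstate", ""))).split(","))
        if {"RELATED", "ESTABLISHED"} <= states and o.get("-j") == "ACCEPT":
            # Position is judged within the rule's own chain only.
            earlier = [c for c, _ in rules[:n - 1] if c == chain]
            later = [c for c, _ in rules[n:] if c == chain]
            if earlier and not later:
                findings.append((n, "RELATED,ESTABLISHED accept is last in chain"))
    return findings

if __name__ == "__main__":
    for number, message in lint(SAMPLE):
        print(f"rule {number}: {message}")
```

Rule numbers count `-A` lines in file order, so they map back to the submitted ruleset rather than to positions within one chain.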