Hello,
Please clarify the following issues related to the rich language for me:
1. In the Rule description it is said that "If source or destination addresses are used in a rule, then the /rule family need to be provided/." Then the description for the Source says that "A source address or address range is either an IP address or a network IP address with a mask for IPv4 or IPv6. /The network family (IPv4/IPv6) will be automatically discovered)./"
It seems to me that the wordings marked in italic contradict each other. When using the source keyword, the rule family either has to be provided or it will be discovered automatically. Which one is true?
2. In the Action description the very last line says "Also an action can be limited using the limit tag." What limit tag does the statement refer to?
System info: CentOS 7, firewalld-0.3.9-7.el7.noarch
Thank you, Rufe
On 10/04/2014 01:31 AM, Rufe Glick wrote:
Hello,
Please clarify the following issues related to the rich language for me:
- In the *Rule* description it is said that "If source or destination addresses are used in a rule, then the /rule family need to be provided/." Then the description for the *Source* says that "A source address or address range is either an IP address or a network IP address with a mask for IPv4 or IPv6. /The network family (IPv4/IPv6) will be automatically discovered)./"
It seems to me that the wordings marked in italic contradict each other. When using the source keyword, the rule family either has to be provided or it will be discovered automatically. Which one is true?
When using the source keyword, the rule family has to be provided and the address family in source has to match the rule family.
Will it be better if I change /The network family (IPv4/IPv6) will be automatically discovered./ to /The address network family (IPv4/IPv6) has to match rule family./ ?
- In the *Action* description the very last line says "Also an action can be limited using the /limit tag/." What limit tag does the statement refer to?
The limit tag is described in Log.
What about this change? https://git.fedorahosted.org/cgit/firewalld.git/commit/?id=a84fd7163c329fc51...
-- Jiri
On Mon, Oct 6, 2014 at 6:58 AM, Jiri Popelka jpopelka@redhat.com wrote:
On 10/04/2014 01:31 AM, Rufe Glick wrote:
Hello,
Please clarify the following issues related to the rich language for me:
- In the *Rule* description it is said that "If source or destination addresses are used in a rule, then the /rule family need to be provided/." Then the description for the *Source* says that "A source address or address range is either an IP address or a network IP address with a mask for IPv4 or IPv6. /The network family (IPv4/IPv6) will be automatically discovered)./"
It seems to me that the wordings marked in italic contradict each other. When using the source keyword, the rule family either has to be provided or it will be discovered automatically. Which one is true?
When using the source keyword, the rule family has to be provided and the address family in source has to match the rule family.
Will it be better if I change /The network family (IPv4/IPv6) will be automatically discovered./ to /The address network family (IPv4/IPv6) has to match rule family./ ?
Yes, the wording you proposed is better.
- In the *Action* description the very last line says "Also an action can be limited using the /limit tag/." What limit tag does the statement refer to?
The limit tag is described in Log.
The thing is that the 'limit tag' term is not used in the description of the Log element. Please use the 'limit tag' term in the description of the Log element at least once. For consistency it'll also be a good idea to include that extra option in the description of the Action element, like this:
accept | reject [type="reject type"] | drop [limit value="rate/duration"]
For me this raises another question. What does it mean to limit, say, an accept action to once a day? Does it mean that only one connection attempt a day will be let through the firewall and all other attempts be dropped? Will they be dropped with a drop action? How about the reject action (if once a day) -- will the first connection attempt be rejected with an ICMP message and all other attempts be dropped? And for the drop action rate limiting will not change anything then. Please clarify.
What about this change? https://git.fedorahosted.org/cgit/firewalld.git/commit/?id=a84fd7163c329fc51...
Looks good. The remark I have is for description of subnet masks. What is called 'network mask or a plain number' in man pages are called dot-decimal (x.x.x.x) and prefix (/x) notations. Prefix notation is also called a CIDR notation, but in my opinion 'prefix notation' is more self-descriptive. Also when you say a 'network address' usage of subnet mask is assumed. Therefore I'd change the following stanzas:
A source address or address range is either an IP address or a network IP address with a mask for IPv4 or IPv6. The address network family (IPv4/IPv6) has to match rule family. For IPv4, the mask can be a network mask or a plain number. For IPv6 the mask is a plain number.
To:
An address is either a single IP address, or a network IP address. The address has to match the rule family (IPv4/IPv6). Subnet mask is expressed in either dot-decimal (x.x.x.x) or prefix (/x) notations for IPv4, and in prefix notation (/x) for IPv6 network addresses.
I see that 'network mask or a plain number' wording was probably drawn from the iptables man page description of the '-s' option, but in networking world they are called as I suggested.
-- Jiri
firewalld-users mailing list firewalld-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/firewalld-users
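As an added illustration of the two points settled in this thread (the rule family is stated explicitly and must match the source address family; IPv4 masks may be dot-decimal or prefix notation while IPv6 masks are prefix-only; an action may carry a limit value in rate/duration form), here is a small Python checker. It is example code, not part of firewalld or of this thread; the names parse_source and build_rich_rule are its own, and the s/m/h/d duration letters for the limit value are an assumption.

```python
import ipaddress
import re

# "rate/duration" as quoted in the thread, e.g. "1/m" or "1/d".
# The s/m/h/d duration letters are assumed here, not taken from the thread.
LIMIT_RE = re.compile(r"^[1-9][0-9]*/[smhd]$")


def parse_source(family, address):
    """Parse a rich-rule source address and check it against the rule family.

    Accepts a single IP or a network. For IPv4 the mask may be dot-decimal
    (x.x.x.x) or a prefix (/x); for IPv6 only a prefix (/x) is accepted,
    which is the wording the thread converges on. Returns a network object.
    """
    if family not in ("ipv4", "ipv6"):
        raise ValueError("rule family must be ipv4 or ipv6, got %r" % (family,))
    try:
        # strict=False lets host bits be set, e.g. 10.1.2.3/8 still parses.
        net = ipaddress.ip_network(address, strict=False)
    except ValueError as exc:
        raise ValueError("bad source address %r: %s" % (address, exc))
    wanted = 4 if family == "ipv4" else 6
    if net.version != wanted:
        raise ValueError("source %s is IPv%d but rule family is %s"
                         % (address, net.version, family))
    return net


def build_rich_rule(family, source, action, limit=None):
    """Build a rich rule string with the family given explicitly.

    A dot-decimal IPv4 mask is normalised to prefix notation, and a single
    host address is emitted without a mask.
    """
    if action not in ("accept", "reject", "drop"):
        raise ValueError("unsupported action %r" % (action,))
    net = parse_source(family, source)
    if net.prefixlen == net.max_prefixlen:
        src = str(net.network_address)
    else:
        src = net.with_prefixlen
    rule = 'rule family="%s" source address="%s" %s' % (family, src, action)
    if limit is not None:
        if not LIMIT_RE.match(limit):
            raise ValueError("limit must be rate/duration such as 1/m, got %r" % (limit,))
        rule += ' limit value="%s"' % limit
    return rule
```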
On 10/06/2014 04:28 PM, Rufe Glick wrote:
On Mon, Oct 6, 2014 at 6:58 AM, Jiri Popelka jpopelka@redhat.com wrote:
On 10/04/2014 01:31 AM, Rufe Glick wrote:
- In the *Action* description the very last line says "Also an action can be limited using the /limit tag/." What limit tag does the statement refer to?
The limit tag is described in Log.
The thing is that the 'limit tag' term is not used in the description of the Log element. Please use the 'limit tag' term in the description of the Log element at least once. For consistency it'll also be a good idea to include that extra option in the description of the Action element, like this:
accept | reject [type="reject type"] | drop [limit value="rate/duration"]
Check new version at https://jpopelka.fedorapeople.org/firewalld/doc/firewalld.richlanguage.html
For me this raises another question. What does it mean to limit, ...
Let's discuss this in your separate thread.
An address is either a single IP address, or a network IP address. The address has to match the rule family (IPv4/IPv6). Subnet mask is expressed in either dot-decimal (x.x.x.x) or prefix (/x) notations for IPv4, and in prefix notation (/x) for IPv6 network addresses.
Looks good, thank you.
-- Jiri