Commit 49be2996 authored by Kaarle Ritvanen

README: customizing rules

parent b8b655ec
......@@ -535,6 +535,28 @@ addresses separated by the **-** character. It is not necessary to
specify **family** for bitmaps, since the kernel supports only IPv4
## Customizing iptables Rules
In the rare event that awall's capabilities do not suffice for your
use case, it is possible to manually define match options, targets,
and additional chains. Match options can be added via the **match**
attribute in the corresponding awall rule. The iptables target with
possible options can be set via the **action** attribute. The iptables
targets are always spelled in upper case, so awall can distinguish
them from other actions.
Customized chains can be defined in the top-level dictionary named
**custom**. The key is the unique identifier of the chain, and
packets can be sent to the chain by defining the value of the
**action** attribute of an awall rule as this identifier prefixed by
**custom:**. The values of the dictionary are lists of objects. Each
object maps to a single rule in the custom iptables chain, defined
using two attributes: **match** for match options and **target** for
the target with its options. The target can also refer to another
customized chain, using the **custom:** prefix. It is also possible to
constrain each rule to IPv4 or IPv6 only by defining the **family**
attribute as **inet** or **inet6**, respectively.
## Command Line Syntax
### Translating Policy Files to Firewall Configuration Files
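Review bot: The new "Customizing iptables Rules" section (everything between "## Customizing iptables Rules" and "## Command Line Syntax") describes two distinct mechanisms (raw **match**/**action** strings on an awall rule, and the top-level **custom** chain dictionary) without a single example, and leaves two behaviours unstated that a user of an escape hatch like this needs to know: what awall does with a **match** or **action** string it cannot interpret (is it validated, or passed to iptables verbatim so that a typo only surfaces when the generated rules are loaded?), and what a rule in a **custom** chain applies to when **family** is omitted (both IPv4 and IPv6, presumably, but say so). Suggest adding a short configuration snippet showing a **custom** dictionary with one chain whose rules use the **match**/**target** pair, including the **custom:** prefix to reference another chain, and an awall rule whose **action** is "custom:" followed by that chain's identifier, plus one sentence on the family default and one on validation. Minor wording: "The iptables target with possible options" reads more clearly as "The iptables target, with any options it takes", and "It is also possible to constrain each rule" would be better as "Each rule can additionally be constrained", matching the style of the surrounding README.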