[j-nsp] Re: Re: Re: Interfaces, deactivate vs disable

[Daniel Roesen]

On Thu, Jun 09, 2005 at 04:04:02PM -0400, Phil Shafer wrote:
> Daniel Roesen writes:
> >Yep. Another annoyance. Something like "terminal-term" instead of "term
> >foo" would be nice. Or give the term name "terminal" or "last-resort" some
> >special meaning.
> 
> Are you looking for a full term or just an "otherwise"?

Uhm, what do you mean with "just an 'otherwise'"? Can you given an
example?

What I was thinking of was e.g.:

policy-options {
    policy-statement bla {
        term accept-FOO {
            ...
        }
        term accept-BAR {
            ...
        }
        term accept-BAZ {
            ...
        }
        term deny-and-log-rest {
            then {
                discward;
                log;
                count denied-rest;
            }
        }
    }
}

Now I want to add more FROB and QUX acceptance. Everytime I have to
add something I need to do the "set term ..." drill, and always
remember the final "insert term deny-and-log-rest after
$LAST_ADDED_TERM". How nice it would be to have

...
        terminal-term deny-and-log-rest {
            then {
                discard;
                log;
                count denied-rest
             }
        }
...

which would automatically get sorted as last term in the policy/filter
automatically.

I know it's possible for policies by no using "term" but just "then"
directly in the policy-statement level (which is ugly and makes readers
scratch their head), but this is not possible with firewall filters.


Best regards,
Daniel

-- 
CLUE-RIPE -- Jabber: dr at cluenet.de -- dr at IRCnet -- PGP: 0xA85C8AA0