reopen 373716
clone 373716 -1
retitle 373716 if_ shouldn't claim ip_ is a direct alternative
severity 373716 minor
tags 373716 upstream
retitle -1 ip_ needs to be run as root to work properly
quit

* Jérôme Warnier

> I can understand, I thought about this but I felt like the rules
> needed are not intrusive at all:
> iptables -A INPUT -d 192.168.0.1
> iptables -A OUTPUT -s 192.168.0.1

  So if you're DROP-ing traffic above those rules (which is very likely,
 especially in the INPUT chain), the rules won't hit, and the graph
 will be wrong.  If you've used -I INPUT 1 instead you'd shuffle around
 all other rules in the chain, which is even more undesirable.

  Also, the second the administrator reloads his ruleset the rules will
 be lost and the graphs stop working.

> Maybe the script should just verify if such accounting rules are
> present in chains INPUT and OUTPUT first. Then it could work.

  It does, but because it isn't run as root by default it doesn't work
 correctly.  I've made a new bug about this.

> Another option: base ip_ on something else than iptables (maybe /proc
> or /sys?).

  I don't think the information is available anywhere else, at least not
 where it's practical to access it.  I'll be happy to be proven wrong,
 though.

> - provide a patch for Debian not to advertise a concerning warning
> message when using if_ (because here, my bug was actually the error
> message)
> and/or:
> - talk about this issue with upstream (forward upstream).

  I agree, and I'll probably commit a fix to the upstream repository
 myself when I get around to it.  I've reopened the bug, and clarified
 what it's about.

Thanks
-- 
Tore Anderson
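As an added example (not part of this mail thread and not the munin ip_ plugin's own code), the following Python reads a constructed `iptables -nvx -L` listing and reports whether the accounting rule for an address is present and whether a catch-all DROP/REJECT earlier in the chain shadows it, which is the ordering problem the reply describes. The sample listings, the address and the function names are assumptions.

```python
# Added example (not munin's ip_ code): flag accounting rules that a catch-all
# DROP/REJECT earlier in the chain shadows, so their byte counters never move.
TERMINATING = {"DROP", "REJECT"}
PROTOS = {"all", "tcp", "udp", "icmp", "icmpv6", "esp", "ah", "sctp"}

# Constructed `iptables -nvx -L INPUT` output: the rule appended with
# `iptables -A INPUT -d 192.168.0.1` lands below a catch-all DROP.
SAMPLE_INPUT = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    5120  4096000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
     842    50520 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
       0        0            all  --  *      *       0.0.0.0/0            192.168.0.1
"""
# Constructed OUTPUT chain where the accounting rule comes first and is hit.
SAMPLE_OUTPUT = """\
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    3301   420119            all  --  *      *       192.168.0.1          0.0.0.0/0
    1200   100000 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

def parse_chain(listing):
    """Parse `iptables -nvx -L` rule lines into dicts; header lines are skipped."""
    rules = []
    for line in listing.splitlines():
        f = line.split()
        if len(f) < 8 or not f[0].isdigit():
            continue
        # An accounting rule has an empty target column, so the protocol shifts left.
        target, rest = ("", f[2:]) if f[2] in PROTOS or f[2].isdigit() else (f[2], f[3:])
        if len(rest) < 6:
            continue
        rules.append({"pkts": int(f[0]), "bytes": int(f[1]), "target": target,
                      "src": rest[4], "dst": rest[5], "extra": " ".join(rest[6:])})
    return rules

def accounting_status(listing, addr, direction):
    """'in' checks the destination column (INPUT chain), 'out' the source (OUTPUT).
    Returns 'ok', 'shadowed' (sits behind a catch-all drop) or 'missing'."""
    key = "dst" if direction == "in" else "src"
    blocked = False
    for r in parse_chain(listing):
        # Only an unconditional DROP/REJECT (any src, any dst, no extra match)
        # is treated as shadowing; narrower terminating rules are not modelled.
        if r["target"] in TERMINATING and r["src"] == r["dst"] == "0.0.0.0/0" and not r["extra"]:
            blocked = True
        if r["target"] == "" and r[key] == addr:
            return "shadowed" if blocked else "ok"
    return "missing"
```

Run against the real listing (which needs root, as the bug retitled above notes) by feeding `iptables -nvx -L INPUT` output to `accounting_status(..., "in")`.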

