Steven Jan Springl wrote:
> On Sunday 10 June 2007 19:29, Steven Jan Springl wrote:
>> On Sunday 10 June 2007 18:57, Tom Eastep wrote:
>>> Steven Jan Springl wrote:
>>>> On Sunday 10 June 2007 17:44, Tom Eastep wrote:
>>>>> Steven Jan Springl wrote:
>>>>>> On Sunday 10 June 2007 17:37, Tom Eastep wrote:
>>>>>>> How about:
>>>>>>>
>>>>>>> iptables -N foo
>>>>>>> iptables -A FORWARD -j foo
>>>>>>> iptables -A foo -p 17 -m multiport --dports 555,666 -i br0 -m physdev --physdev-in eth0 -o br0 -m physdev --physdev-out eth1 -j RETURN
>>>>>> That works. It just produces the message:
>>>>>>
>>>>>> physdev match: using --physdev-out in the OUTPUT, FORWARD and
>>>>>> POSTROUTING chains for non-bridged traffic is not supported anymore.
>>>>> Ok -- then please try r6506 on your original test case. That revision
>>>>> creates a chain called 'accountout' for OUTPUT accounting rules.
>>>>>
>>>>> -Tom
>>>> Tom
>>>>
>>>> I have just tried r6507 with the original test case. Shorewall now
>>>> starts successfully.
>>>>
>>>> The same 'accounting iptables' rule is generated. It is called from the
>>>> INPUT and FORWARD chains.
>>>> The 'accountout' is not generated.
>>> 'accountout' is only generated if there are rules with $FW in the SOURCE
>>> column.
>>>
>>> -Tom
>> Tom
>>
>> The accounting file contains:
>>
>>      DONE  -  eth0  eth1  udp  555,666
>>      DONE  -  -     eth1  udp  777,888
>>      DONE  -  eth0  br0   udp  555,666
>>      DONE  -  -     br0   udp  777,888
>>
>> and the rules contains (amongst other rules):
>>
>>      ACCEPT  fw  lan  udp  555,666,777,888
>>
>> but 'accountout' is still not generated. What am I missing?
>>
>> Steven.
> 
> Tom
> 
> I have had another look at this. I am still unable to get Shorewall to create 
> an 'accountout' chain. 
> 
> I have tried specifying $FW in the accounting file:
> 
>       DONE  -  $FW  br0  udp  777,888
> 
> but I get the message:
> 
>       ERROR: Unknown interface (fw)
> 
> I have also tried the accounting and rules files entries as per my previous 
> email.
> 
> I am obviously missing something basic here, but what?
> 
> Can you provide me with an example that works?

Your example will work with r6514. I've been using:

COUNT   -       all     all

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel