Dash Four wrote:
>
>> Patch attached.
>>   
> Wow, that was pretty quick and it works to perfection, thanks Tom.
One suggestion with regard to this: due to the nature of that nfacct 
match, would it be possible to "combine" nfacct targets in single rules? 
One example to illustrate a use-case:

Suppose I need to have 4 nfacct matches called "all_in", "all_out", 
"all_fwd" and "all". With the current structure of "accounting", I have 
to do the following:

SECTION INPUT
NFACCT(all)
NFACCT(all_in)

SECTION OUTPUT
NFACCT(all)
NFACCT(all_out)

SECTION FORWARD
NFACCT(all)
NFACCT(all_fwd)

The above will produce 6 different rules, which will be traversed one 
after the other, like so:

-A accountin -m nfacct --nfacct-name all
-A accountin -m nfacct --nfacct-name all_in
-A accountout -m nfacct --nfacct-name all
-A accountout -m nfacct --nfacct-name all_out
-A accountfwd -m nfacct --nfacct-name all
-A accountfwd -m nfacct --nfacct-name all_fwd

It would be much more efficient if I could have these combined into 3 
rules producing the same effect, like so:

-A accountin -m nfacct --nfacct-name all -m nfacct --nfacct-name all_in
-A accountout -m nfacct --nfacct-name all -m nfacct --nfacct-name all_out
-A accountfwd -m nfacct --nfacct-name all -m nfacct --nfacct-name all_fwd

That way I won't get penalised unnecessarily (for having to traverse 3 
extra rules) and my throughput will be higher. Another very good example 
of where "stacked-up" nfacct matches can be useful is with the following 
example:

Suppose I need to have 4 nfacct matches: "dmz_in", "dmz_out", "dmz_fwd" 
(for all traffic to/from/forwarded from/to my dmz subnet) and another 
match called "all" counting all traffic. In its current form, the 
"accounting" will look like this:

SECTION INPUT
NFACCT(all)
NFACCT(dmz_in) - +dmz-net

SECTION OUTPUT
NFACCT(all)
NFACCT(dmz_out) - - +dmz-net

SECTION FORWARD
NFACCT(all)
NFACCT(dmz_fwd) - +dmz-net
NFACCT(dmz_fwd) - - +dmz-net

The above will produce 7 different rules as follows:

-A accountin -m nfacct --nfacct-name all
-A accountin -m set --match-set dmz-net src -m nfacct --nfacct-name dmz_in
-A accountout -m nfacct --nfacct-name all
-A accountout -m set --match-set dmz-net dst -m nfacct --nfacct-name dmz_out
-A accountfwd -m nfacct --nfacct-name all
-A accountfwd -m set --match-set dmz-net src -m nfacct --nfacct-name dmz_fwd
-A accountfwd -m set --match-set dmz-net dst -m nfacct --nfacct-name dmz_fwd

The above can be "squeezed" into 4 rules, like so:

-A accountin -m nfacct --nfacct-name all -m set --match-set dmz-net src -m nfacct --nfacct-name dmz_in
-A accountout -m nfacct --nfacct-name all -m set --match-set dmz-net dst -m nfacct --nfacct-name dmz_out
-A accountfwd -m nfacct --nfacct-name all -m set --match-set dmz-net src -m nfacct --nfacct-name dmz_fwd
-A accountfwd -m set --match-set dmz-net dst -m nfacct --nfacct-name dmz_fwd

making it much more efficient. If you decide to do this, it won't be a 
walk in the park though, so I would suggest leaving it to the user to 
implement the order in which the matches are created.

_______________________________________________
Shorewall-devel mailing list
Shorewall-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
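The merge the mail above asks for, written out as an added, stand-alone illustration (this is not Shorewall code and not the patch under discussion). It parses the SECTION/NFACCT(...) lines from the message, folds each unrestricted NFACCT entry onto the next rule of the same chain as a leading `-m nfacct` match, renders the resulting iptables rules, and then runs a small packet simulation to confirm that the stacked rules produce the same per-counter totals as one-match-per-rule. The chain names and SECTION layout come from the mail; the parser, the rule model and the constructed traffic are assumptions of this example.

```python
"""Stacked nfacct matches: fold an unrestricted NFACCT accounting entry onto
the next rule of the same chain. Added illustration, not Shorewall code.
Chain names and SECTION layout follow the mail; the parser, data model and
packet simulation are assumptions of this example."""
from typing import Dict, List, Optional, Tuple

SECTION_CHAIN = {"INPUT": "accountin", "OUTPUT": "accountout", "FORWARD": "accountfwd"}
Match = Tuple[str, ...]          # ("set", ipset, "src"|"dst") or ("nfacct", name)
Rule = Tuple[str, List[Match]]   # (chain, matches in evaluation order)


def parse_accounting(text: str) -> List[Rule]:
    """Parse 'SECTION X' and 'NFACCT(name) CHAIN SOURCE DEST' lines into one
    rule each, restrictive -m set matches ahead of the counter so it only
    sees packets that passed them. '-' leaves a column unset; only '+ipset'
    SOURCE/DEST values are modelled."""
    rules, chain = [], None
    for raw in text.splitlines():
        f = raw.split("#", 1)[0].split()
        if not f:
            continue
        if f[0] == "SECTION":
            chain = SECTION_CHAIN[f[1]]
            continue
        if chain is None or not (f[0].startswith("NFACCT(") and f[0].endswith(")")):
            raise ValueError("unsupported line: " + raw)
        cols = (f[1:] + ["-"] * 3)[:3]                     # CHAIN SOURCE DEST
        ms: List[Match] = []
        for col, side in ((cols[1], "src"), (cols[2], "dst")):
            if col != "-":
                if not col.startswith("+"):
                    raise ValueError("only +ipset columns are modelled: " + col)
                ms.append(("set", col[1:], side))
        ms.append(("nfacct", f[0][7:-1]))
        rules.append((chain, ms))
    return rules


def merge(rules: List[Rule]) -> List[Rule]:
    """Prepend each unrestricted rule (nfacct only) to the next rule in the
    same chain. Only this direction is safe: nfacct always succeeds and bumps
    its counter when reached, so ahead of a -m set match it still counts
    every packet while the counter after the set match counts only matching
    ones. A restricted rule is never folded onto a later one, since that
    would gate the later counter behind the earlier restriction."""
    out: List[Rule] = []
    pending: List[Match] = []
    pending_chain: Optional[str] = None
    for chain, ms in rules:
        if pending and pending_chain != chain:           # chain ended: flush
            out.append((pending_chain, pending))
            pending = []
        if all(m[0] == "nfacct" for m in ms):
            pending, pending_chain = pending + ms, chain
        else:
            out.append((chain, pending + ms))
            pending = []
    if pending:
        out.append((pending_chain, pending))
    return out


def render(rules: List[Rule]) -> List[str]:
    fmt = {"set": "-m set --match-set {} {}", "nfacct": "-m nfacct --nfacct-name {}"}
    return ["-A %s %s" % (c, " ".join(fmt[m[0]].format(*m[1:]) for m in ms)) for c, ms in rules]


# A packet is (chain, ipsets holding its source, ipsets holding its destination).
Packet = Tuple[str, frozenset, frozenset]


def count(rules: List[Rule], packets: List[Packet]) -> Dict[str, int]:
    """Walk packets through their chain as iptables does: matches left to
    right, the rule abandoned at the first failing match, nfacct incremented
    whenever evaluation reaches it."""
    counters: Dict[str, int] = {}
    for chain, src_sets, dst_sets in packets:
        for rchain, ms in rules:
            if rchain != chain:
                continue
            for m in ms:
                if m[0] == "nfacct":
                    counters[m[1]] = counters.get(m[1], 0) + 1
                elif m[1] not in (src_sets if m[2] == "src" else dst_sets):
                    break
    return counters


# Constructed input: the second example from the mail.
DMZ_ACCOUNTING = """
SECTION INPUT
NFACCT(all)
NFACCT(dmz_in) - +dmz-net
SECTION OUTPUT
NFACCT(all)
NFACCT(dmz_out) - - +dmz-net
SECTION FORWARD
NFACCT(all)
NFACCT(dmz_fwd) - +dmz-net
NFACCT(dmz_fwd) - - +dmz-net
"""
# Constructed traffic: one DMZ and one non-DMZ packet per direction.
DMZ, NONE = frozenset({"dmz-net"}), frozenset()
TRAFFIC: List[Packet] = [("accountin", DMZ, NONE), ("accountin", NONE, NONE),
                         ("accountout", NONE, DMZ), ("accountout", NONE, NONE),
                         ("accountfwd", DMZ, NONE), ("accountfwd", NONE, DMZ),
                         ("accountfwd", NONE, NONE)]

if __name__ == "__main__":
    plain = parse_accounting(DMZ_ACCOUNTING)
    print("\n".join(render(merge(plain))))
    print(count(plain, TRAFFIC) == count(merge(plain), TRAFFIC))
```

The simulation is what makes the ordering caveat concrete: swapping the `-m set` match ahead of the folded `all` counter inside a merged rule makes `all` count only DMZ packets, which is why the fold is only ever done from an unrestricted entry onto a later one.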