On 04/18/2013 02:45 PM, Dash Four wrote:
>
> Dash Four wrote:
>>
>>> Patch attached.
>>>
>> Wow, that was pretty quick and it works to perfection, thanks Tom.
> One suggestion with regards to this: due to the nature of that nfacct
> match, would it be possible to "combine" nfacct targets in single rules?
> One example to illustrate a use-case:
>
> Suppose I need to have 4 nfacct matches called "all_in", "all_out",
> "all_fwd" and "all". With the current structure of "accounting", I have
> to do the following:
>
> SECTION INPUT
> NFACCT(all)
> NFACCT(all_in)
>
> SECTION OUTPUT
> NFACCT(all)
> NFACCT(all_out)
>
> SECTION FORWARD
> NFACCT(all)
> NFACCT(all_fwd)
>
> The above will produce 6 different rules, which will be traversed one
> after the other, like so:
>
> -A accountin -m nfacct --nfacct-name all
> -A accountin -m nfacct --nfacct-name all_in
> -A accountout -m nfacct --nfacct-name all
> -A accountout -m nfacct --nfacct-name all_out
> -A accountfwd -m nfacct --nfacct-name all
> -A accountfwd -m nfacct --nfacct-name all_fwd
>
> It would be much more efficient if I could have these combined into 3
> rules producing the same effect, like so:
>
> -A accountin -m nfacct --nfacct-name all -m nfacct --nfacct-name all_in
> -A accountout -m nfacct --nfacct-name all -m nfacct --nfacct-name
> all_out accountin
> -A accountfwd -m nfacct --nfacct-name all -m nfacct --nfacct-name all_fwd
>
> That way I won't get penalised unnecessarily (for having to traverse 3
> extra rules) and my throughput will be more.

Patch attached. You would specify the above as:

SECTION INPUT
NFACCT(all,all_in)

SECTION OUTPUT
NFACCT(all,all_out)

SECTION FORWARD
NFACCT(all,all_fwd)

> Another very good example of where "stacked-up" nfacct matches can be
> useful is with the following example:
>
> Suppose I need to have 4 nfacct matches: "dmz_in", "dmz_out", "dmz_fwd"
> (for all traffic to/from/forwarded from/to my dmz subnet) and another
> match called "all" counting all traffic. In its current form, the
> "accounting" will look like this:
>
> SECTION INPUT
> NFACCT(all)
> NFACCT(dmz_in) - +dmz-net
>
> SECTION OUTPUT
> NFACCT(all)
> NFACCT(dmz_out) - - +dmz-net
>
> SECTION FORWARD
> NFACCT(all)
> NFACCT(dmz_fwd) - +dmz-net
> NFACCT(dmz_fwd) - - +dmz-net
>
> The above will produce 7 different rules as follows:
>
> -A accountin -m nfacct --nfacct-name all
> -A accountin -m set --match-set dmz-net src -m nfacct --nfacct-name dmz_in
> -A accountout -m nfacct --nfacct-name all
> -A accountout -m set --match-set dmz-net dst -m nfacct --nfacct-name dmz_out
> -A accountfwd -m nfacct --nfacct-name all
> -A accountfwd -m set --match-set dmz-net src -m nfacct --nfacct-name dmz_fwd
> -A accountfwd -m set --match-set dmz-net dst -m nfacct --nfacct-name dmz_fwd
>
> The above can be "squeezed" into 4 rules, like so:
>
> -A accountin -m nfacct --nfacct-name all -m set --match-set dmz-net src
> -m nfacct --nfacct-name dmz_in
> -A accountout -m nfacct --nfacct-name all -m set --match-set dmz-net dst
> -m nfacct --nfacct-name dmz_out
> -A accountfwd -m nfacct --nfacct-name all -m set --match-set dmz-net src
> -m nfacct --nfacct-name dmz_fwd
> -A accountfwd -m set --match-set dmz-net dst -m nfacct --nfacct-name dmz_fwd
>
> making it much more efficient. If you decide to do this, it won't be a
> walk in the park though, so I would suggest to leave it to the user to
> implement the order in which the matches are created.

You can't have it both ways. You cannot have nfacct always last and
nfacct interspersed in the order specified.

-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index 50127a2..0dbd8a5 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm @@ -807,7 +807,7 @@ sub set_rule_option( $$$ ) { if ( exists $ruleref->{$option} ) { assert( defined( my $value1 = $ruleref->{$option} ) , $ruleref ); - if ( $opttype == MATCH ) { + if ( $opttype == MATCH || $opttype == LAST ) { if ( $globals{KLUDGEFREE} ) { unless ( reftype $value1 ) { unless ( reftype $value ) {
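Review bot: the widened condition `if ( $opttype == MATCH || $opttype == LAST ) {` sends a repeated LAST option through the same duplicate-handling code as a repeated MATCH option, but the hunk only shows the `if ( $globals{KLUDGEFREE} )` path; please confirm that the non-KLUDGEFREE branch, which lies outside the visible context, also accepts a second LAST option of the same name instead of tripping the `assert(...)` above it, and add a sentence to the accounting file documentation for the `NFACCT(all,all_in)` list form this change enables, since the new syntax is otherwise only described in this thread.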
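As an added illustration, not Shorewall's code and not part of the patch above: a small Python model of how iptables evaluates one rule's matches left to right and stops at the first one that fails, with a (non-quota) nfacct match always matching and incrementing its counter as a side effect. Run over constructed traffic, it shows why "nfacct always last" and "nfacct interspersed in the order specified" count different packets, which is Tom's point. The ipset contents, the packets and the tuple representation of matches are all assumptions of this example.

```python
import ipaddress

# Constructed model (not Shorewall code): a rule's matches run left to right
# and the first failing match ends evaluation; an nfacct match without quota
# flags never fails but bumps its counter every time it is reached.

SETS = {"dmz-net": ipaddress.ip_network("10.0.2.0/24")}   # assumed ipset contents


def evaluate_rule(matches, packet, counters):
    """Return True if every match accepted the packet (the rule fires)."""
    for m in matches:
        if m[0] == "set":                      # -m set --match-set NAME src|dst
            _, name, direction = m
            if ipaddress.ip_address(packet[direction]) not in SETS[name]:
                return False                   # later matches are never evaluated
        elif m[0] == "nfacct":                 # -m nfacct --nfacct-name NAME
            counters[m[1]] = counters.get(m[1], 0) + 1
        else:
            raise ValueError(f"unknown match {m!r}")
    return True


def count_chain(rules, packets):
    """Traverse an accounting chain (no rule terminates) and return the counters."""
    counters = {}
    for pkt in packets:
        for rule in rules:
            evaluate_rule(rule, pkt, counters)
    return counters


# Constructed traffic: three packets from the DMZ subnet, two from elsewhere.
PACKETS = ([{"src": "10.0.2.5", "dst": "10.0.1.1"}] * 3
           + [{"src": "192.0.2.9", "dst": "10.0.1.1"}] * 2)

# Today's two separate INPUT rules from the thread.
SEPARATE = [[("nfacct", "all")],
            [("set", "dmz-net", "src"), ("nfacct", "dmz_in")]]
# The single "squeezed" rule as proposed, with "all" ahead of the set match.
INTERSPERSED = [[("nfacct", "all"), ("set", "dmz-net", "src"), ("nfacct", "dmz_in")]]
# The same rule if nfacct matches are always emitted last.
NFACCT_LAST = [[("set", "dmz-net", "src"), ("nfacct", "all"), ("nfacct", "dmz_in")]]

if __name__ == "__main__":
    for label, chain in (("separate", SEPARATE), ("interspersed", INTERSPERSED),
                         ("nfacct last", NFACCT_LAST)):
        print(f"{label:13s} {count_chain(chain, PACKETS)}")
```

With nfacct forced last, "all" only counts packets that already passed the set match, so the combined rule no longer means what the two separate rules meant.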
_______________________________________________
Shorewall-devel mailing list
Shorewall-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-devel