Tom Eastep wrote:
> On 04/18/2013 02:45 PM, Dash Four wrote:
>   
>> Dash Four wrote:
>>     
>>>> Patch attached.
>>>>   
>>>>         
>>> Wow, that was pretty quick and it works to perfection, thanks Tom.
>>>       
>> One suggestion with regards to this: due to the nature of that nfacct 
>> match, would it be possible to "combine" nfacct targets in single rules? 
>> One example to illustrate a use-case:
>>
>> Suppose I need to have 4 nfacct matches called "all_in", "all_out", 
>> "all_fwd" and "all". With the current structure of "accounting", I have 
>> to do the following:
>>
>> SECTION INPUT
>> NFACCT(all)
>> NFACCT(all_in)
>>
>> SECTION OUTPUT
>> NFACCT(all)
>> NFACCT(all_out)
>>
>> SECTION FORWARD
>> NFACCT(all)
>> NFACCT(all_fwd)
>>
>> The above will produce 6 different rules, which will be traversed one 
>> after the other, like so:
>>
>> -A accountin -m nfacct --nfacct-name all
>> -A accountin -m nfacct --nfacct-name all_in
>> -A accountout -m nfacct --nfacct-name all
>> -A accountout -m nfacct --nfacct-name all_out
>> -A accountfwd -m nfacct --nfacct-name all
>> -A accountfwd -m nfacct --nfacct-name all_fwd
>>
>> It would be much more efficient if I could have these combined into 3 
>> rules producing the same effect, like so:
>>
>> -A accountin -m nfacct --nfacct-name all -m nfacct --nfacct-name all_in
>> -A accountout -m nfacct --nfacct-name all -m nfacct --nfacct-name all_out
>> -A accountfwd -m nfacct --nfacct-name all -m nfacct --nfacct-name all_fwd
>>
>> That way I won't get penalised unnecessarily (for having to traverse 3 
>> extra rules) and my throughput will be higher.
>>     
>
> Patch attached. You would specify the above as:
>
> SECTION INPUT
> NFACCT(all,all_in)
>
> SECTION OUTPUT
> NFACCT(all,all_out)
>
> SECTION FORWARD
> NFACCT(all,all_fwd)
>   
I presume if I include conditions (like +dmz-net in SOURCE or DEST, for 
example), I would see these preceding the nfacct match, right?

>> Another very good example of where "stacked-up" nfacct matches can be
>> useful is with the following example:
>>
>> Suppose I need to have 4 nfacct matches: "dmz_in", "dmz_out", "dmz_fwd" 
>> (for all traffic to/from/forwarded from/to my dmz subnet) and another 
>> match called "all" counting all traffic. In its current form, the 
>> "accounting" will look like this:
>>
>> SECTION INPUT
>> NFACCT(all)
>> NFACCT(dmz_in) - +dmz-net
>>
>> SECTION OUTPUT
>> NFACCT(all)
>> NFACCT(dmz_out) - - +dmz-net
>>
>> SECTION FORWARD
>> NFACCT(all)
>> NFACCT(dmz_fwd) - +dmz-net
>> NFACCT(dmz_fwd) - - +dmz-net
>>
>> The above will produce 7 different rules as follows:
>>
>> -A accountin -m nfacct --nfacct-name all
>> -A accountin -m set --match-set dmz-net src -m nfacct --nfacct-name dmz_in
>> -A accountout -m nfacct --nfacct-name all
>> -A accountout -m set --match-set dmz-net dst -m nfacct --nfacct-name dmz_out
>> -A accountfwd -m nfacct --nfacct-name all
>> -A accountfwd -m set --match-set dmz-net src -m nfacct --nfacct-name dmz_fwd
>> -A accountfwd -m set --match-set dmz-net dst -m nfacct --nfacct-name dmz_fwd
>>
>> The above can be "squeezed" into 4 rules, like so:
>>
>> -A accountin -m nfacct --nfacct-name all -m set --match-set dmz-net src -m nfacct --nfacct-name dmz_in
>> -A accountout -m nfacct --nfacct-name all -m set --match-set dmz-net dst -m nfacct --nfacct-name dmz_out
>> -A accountfwd -m nfacct --nfacct-name all -m set --match-set dmz-net src -m nfacct --nfacct-name dmz_fwd
>> -A accountfwd -m set --match-set dmz-net dst -m nfacct --nfacct-name dmz_fwd
>>
>> making it much more efficient. If you decide to do this, it won't be a 
>> walk in the park though, so I would suggest leaving it to the user to 
>> decide the order in which the matches are created.
>>     
>
> You can't have it both ways. You cannot have nfacct always last and
> nfacct interspersed in the order specified.
>   
Of course not, that wasn't my intention. I was thinking of having a way 
of "combining" these statements. If I was able to do that, then in the 
above example I could have something like:

SECTION FORWARD
NFACCT(all) \
NFACCT(dmz_fwd) - +dmz-net
NFACCT(dmz_fwd) - - +dmz-net

Note that the use of "\" (or any other "appropriate" symbol) is to 
indicate to shorewall to "combine" the rules into a single iptables 
statement. That would translate to:

-A accountfwd -m nfacct --nfacct-name all -m set --match-set dmz-net src -m nfacct --nfacct-name dmz_fwd

Even if there are conditions for the first NFACCT rule, they will 
precede these for the second, like so:

SECTION FORWARD
NFACCT(not_all) - +sub-net \
NFACCT(dmz_fwd) - +dmz-net

That would be translated to:

-A accountfwd -m set --match-set sub-net src -m nfacct --nfacct-name not_all -m set --match-set dmz-net src -m nfacct --nfacct-name dmz_fwd

As I already indicated earlier, this certainly isn't easy, but if 
implemented properly, it would be more efficient as there are fewer rules 
to traverse. With accounting that is of importance, since all packets 
normally pass through these chains.

_______________________________________________
Shorewall-devel mailing list
Shorewall-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
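Added example for the thread above; it is not part of the discussion and not Shorewall's own Perl implementation or iptables. It models the sectioned accounting lines quoted in the thread (NFACCT(name,...) with optional +ipset in SOURCE/DEST) and the way netfilter evaluates the matches of one rule: left to right, stopping at the first match that fails, with xt_nfacct always matching and bumping its counter as a side effect. That is what makes a stacked rule such as `-m nfacct --nfacct-name all -m set --match-set dmz-net src -m nfacct --nfacct-name dmz_fwd` count exactly what the separate rules count while costing one rule traversal instead of two, and it is also why the order matters: put the set match before `all` and `all` silently becomes a dmz-only counter. The ipset contents, the packets, the function names and the trailing-backslash continuation syntax (Dash Four's proposal above, not an implemented Shorewall feature) are assumptions made for this example.

```python
"""Model of Shorewall-style accounting lines and netfilter match evaluation.

Added example, not Shorewall or iptables code. The ipsets, packets and the
backslash continuation syntax (a proposal in the thread, not implemented in
Shorewall) are assumptions for illustration.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed ipset contents (assumption): set name -> list of networks.
IPSETS = {
    "dmz-net": [ip_network("192.168.10.0/24")],
    "sub-net": [ip_network("192.168.0.0/16")],
}

# Sectioned accounting chains, named as in the thread.
SECTION_CHAINS = {"INPUT": "accountin", "OUTPUT": "accountout",
                  "FORWARD": "accountfwd"}


def parse_accounting(text):
    """Parse a subset of the accounting file: SECTION lines and
    NFACCT(name[,name...]) CHAIN SOURCE DEST lines with SOURCE/DEST being
    '-' or '+ipset'. A trailing backslash (proposed syntax, assumption) folds
    the next line's matches into the same rule. Returns {chain: [rule]},
    each rule a list of matches in the order iptables would evaluate them.
    """
    chains, chain, pending = {}, None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("SECTION"):
            chain = SECTION_CHAINS[line.split()[1]]
            chains.setdefault(chain, [])
            continue
        continued = line.endswith("\\")
        action, *cols = line.rstrip("\\").split()
        _chain_col, src, dst = (cols + ["-"] * 3)[:3]
        names = action[len("NFACCT("):-1].split(",")
        rule = pending
        # Conditions precede the nfacct matches, as in the rules quoted above.
        if src.startswith("+"):
            rule.append(("set", src[1:], "src"))
        if dst.startswith("+"):
            rule.append(("set", dst[1:], "dst"))
        rule.extend(("nfacct", n) for n in names)
        if continued:
            pending = rule          # keep accumulating into this rule
        else:
            chains[chain].append(rule)
            pending = []
    return chains


def render(chain, rule):
    """Emit the iptables form of one parsed rule."""
    parts = ["-A", chain]
    for match in rule:
        if match[0] == "set":
            parts += ["-m", "set", "--match-set", match[1], match[2]]
        else:
            parts += ["-m", "nfacct", "--nfacct-name", match[1]]
    return " ".join(parts)


def in_ipset(name, addr):
    return any(ip_address(addr) in net for net in IPSETS[name])


def evaluate(rule, pkt, counters):
    """Netfilter tries a rule's matches left to right and stops at the first
    one that fails. xt_nfacct always matches and bumps its counter as a side
    effect, so counters hit before a failing match stay incremented."""
    for match in rule:
        if match[0] == "nfacct":
            counters[match[1]] += 1
        elif not in_ipset(match[1], pkt[match[2]]):
            return False
    return True


def run_chain(rules, packets):
    """Walk each packet through every rule (accounting rules carry no target,
    so the chain is always traversed to the end). Returns the nfacct counters
    and the number of rule evaluations, the cost the thread is about."""
    counters, evaluations = Counter(), 0
    for pkt in packets:
        for rule in rules:
            evaluations += 1
            evaluate(rule, pkt, counters)
    return counters, evaluations


# The FORWARD example from the thread, as separate rules and as stacked rules.
SEPARATE = """
SECTION FORWARD
NFACCT(all)
NFACCT(dmz_fwd) - +dmz-net
NFACCT(dmz_fwd) - - +dmz-net
"""
STACKED = """
SECTION FORWARD
NFACCT(all) \\
NFACCT(dmz_fwd) - +dmz-net
NFACCT(dmz_fwd) - - +dmz-net
"""

# Constructed packets: only src/dst matter to these rules.
PACKETS = [
    {"src": "192.168.10.5", "dst": "10.1.1.1"},      # from the dmz
    {"src": "10.1.1.1", "dst": "192.168.10.7"},      # to the dmz
    {"src": "10.1.1.1", "dst": "10.2.2.2"},          # neither
    {"src": "192.168.10.5", "dst": "192.168.10.9"},  # both
]


def compare(packets=PACKETS):
    """(counters, evaluations) for the separate and stacked layouts, plus the
    counters for a stacked rule whose set match was put before 'all'."""
    sep = run_chain(parse_accounting(SEPARATE)["accountfwd"], packets)
    stk = run_chain(parse_accounting(STACKED)["accountfwd"], packets)
    misordered = [[("set", "dmz-net", "src"), ("nfacct", "all"), ("nfacct", "dmz_fwd")],
                  [("set", "dmz-net", "dst"), ("nfacct", "dmz_fwd")]]
    return sep, stk, run_chain(misordered, packets)


if __name__ == "__main__":
    for chain, rules in parse_accounting(STACKED).items():
        for rule in rules:
            print(render(chain, rule))
    (c1, n1), (c2, n2), (c3, _) = compare()
    print("separate:", dict(c1), "rule evaluations:", n1)
    print("stacked: ", dict(c2), "rule evaluations:", n2)
    print("set before all:", dict(c3))
```

Running it prints the two stacked FORWARD rules exactly as written in the thread, then shows both layouts ending with all=4 and dmz_fwd=4 for the four constructed packets, with 12 rule evaluations for the separate layout against 8 for the stacked one; the misordered variant reports all=2, which is the check to make before trusting any hand-stacked accounting rule.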