On 4/18/13 4:15 PM, "Dash Four" <mr.dash.f...@googlemail.com> wrote:
> I presume if I include conditions (like +dmz-net in SOURCE or DEST for
> example), I would see these preceding the nfacct match right?

Correct. There is a fix for that feature attached.

> Of course not, that wasn't my intention. I was thinking of having a way
> of "combining" these statements. If I was able to do that, then in the
> above example I could have something like:
>
> SECTION FORWARD
> NFACCT(all) \
> NFACCT(dmz_fwd) - +dmz-net
> NFACCT(dmz_fwd) - - +dmz-net
>
> Note that the use of "\" (or any other "appropriate" symbol) is to
> indicate to shorewall to "combine" the rules into a single iptables
> statement. That would translate to:
>
> -A accountfwd -m nfacct --nfacct-name all -m set --match-set dmz-net src
> -m nfacct --nfacct-name dmz_fwd
>
> Even if there are conditions for the first NFACCT rule, they will
> precede these for the second, like so:
>
> SECTION FORWARD
> NFACCT(not_all) - +sub-net \
> NFACCT(dmz_fwd) - +dmz-net
>
> That would be translated to:
>
> -A accountfwd -m set --match-set sub-net src -m nfacct --nfacct-name
> not_all -m set --match-set dmz-net src -m nfacct --nfacct-name dmz_fwd
>
> As I already indicated earlier, this certainly isn't easy, but if
> implemented properly, it would be more efficient as there are fewer rules
> to traverse - with accounting that is of importance since all packets
> normally pass through these chains.

Let me think about it a while...

-Tom

You do not need a parachute to skydive.
You only need a parachute to skydive twice.
Attachment: NFACCT2.patch (binary data)
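The combine syntax proposed in the quoted message, as an added example that is not Shorewall's own code: a small translator from the accounting columns (ACTION CHAIN SOURCE DEST, with a trailing backslash folding the next rule into the same iptables statement) to the `-A accountfwd ...` lines the thread expects. The accountin/accountout chain names for the other sections are assumed, and only ipset (`+name`) and plain address columns are handled.

```python
import re
# Accounting chain per SECTION; FORWARD -> accountfwd is from the thread, the INPUT/OUTPUT names are assumed.
SECTION_CHAINS = {'INPUT': 'accountin', 'OUTPUT': 'accountout', 'FORWARD': 'accountfwd'}
ACTION_RE = re.compile(r'NFACCT\(([\w-]+)\)')
EXAMPLE = """SECTION FORWARD
NFACCT(all) \\
NFACCT(dmz_fwd) - +dmz-net
NFACCT(dmz_fwd) - - +dmz-net
"""  # the thread's first example, using the proposed trailing-backslash combine syntax

def parse_accounting(text):
    """Group rules as (chain, [ACTION CHAIN SOURCE DEST columns, ...]); a trailing '\\' continues a group."""
    groups, current, section_chain = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('SECTION'):
            section_chain = SECTION_CHAINS[line.split()[1]]
            continue
        cont = line.endswith('\\')
        cols = line.rstrip('\\').split()
        cols += ['-'] * (4 - len(cols))             # pad missing columns; '-' means "any"
        if not current:                              # first rule of a group names the chain
            chain = section_chain if cols[1] == '-' else cols[1]
        current.append(cols)
        if not cont:
            groups.append((chain, current))
            current = []
    if current:                                      # dangling '\' on the last line
        groups.append((chain, current))
    return groups

def rule_matches(cols):
    """Match fragments for one NFACCT rule: the SOURCE/DEST conditions precede the nfacct match."""
    m = ACTION_RE.fullmatch(cols[0])
    if not m:
        raise ValueError('unsupported action: ' + cols[0])
    parts = []
    for col, flag, direction in ((cols[2], '-s', 'src'), (cols[3], '-d', 'dst')):
        if col.startswith('+'):                      # +name is an ipset reference
            parts += ['-m', 'set', '--match-set', col[1:], direction]
        elif col != '-':                             # plain address or network
            parts += [flag, col]
    return parts + ['-m', 'nfacct', '--nfacct-name', m.group(1)]

def to_iptables(text):
    """One '-A <chain> ...' line per group, so a combined group becomes a single iptables rule."""
    return [' '.join(['-A', c] + [p for r in rules for p in rule_matches(r)]) for c, rules in parse_accounting(text)]
```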