On 04/18/2013 04:47 PM, Dash Four wrote:
>> Let me think about it a while...
>>
> No problem, take your time - I know it isn't straight-forward, but I
> think it would be worth it in the end as there is a lot to be gained,
> certainly from a performance point of view.
The attached small patch allows for incrementing an nfacct counter when
an ipset is matched.

For some time, the following has been supported:

    +"["{<set>["["<src-dst-list>"]"]}[,...]"]"

where "[" and "]" are square brackets while [ and ] are meta-symbols.

The new syntax is:

    +"["{<set>["["<src-dst-list>"]"][(<nfacct-object-list>)]}[,...]"]"

Your original rule list was:

SECTION INPUT
NFACCT(all)
NFACCT(dmz_in)     -     +dmz-net
SECTION OUTPUT
NFACCT(all)
NFACCT(dmz_out)    -     -     +dmz-net
SECTION FORWARD
NFACCT(all)
NFACCT(dmz_fwd)    -     +dmz-net
NFACCT(dmz_fwd)    -     -     +dmz-net

With this patch, you can now have:

SECTION INPUT
NFACCT(all)        -     +[dmz-net(dmz_in)]
SECTION OUTPUT
NFACCT(all)        -     -     +[dmz-net(dmz_out)]
SECTION FORWARD
NFACCT(all)        -     +[dmz-net(dmz_fwd)]
COUNT              -     -     +[dmz-net(dmz_fwd)]

This set of rules produces:

-A accountfwd -m nfacct --nfacct-name all -m set --match-set dmz-net \
   src -m nfacct --nfacct-name dmz_fwd
-A accountfwd -m set --match-set dmz-net(dmz_fwd) dst
-A accountin -m nfacct --nfacct-name all \
   -m set --match-set dmz-net src -m nfacct --nfacct-name dmz_in
-A accountout -m nfacct --nfacct-name all -m set --match-set \
   dmz-net(dmz_out) dst

One consequence of this patch is that now both 'set' and 'nfacct' go to
the end of the rule.

Another thing to note is that this feature can be used anywhere that
ipsets are allowed; it is not restricted to the accounting file.

Finally, the +[....] form must be used; +<set>...(<nfacct-object-list>)
is not supported.

-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index a8a98cb..e48551d 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm @@ -649,6 +649,7 @@ our %opttype = ( rule => CONTROL, targetopts => TARGET, nfacct => LAST, + set => LAST, ); our %aliases = ( protocol => 'p', @@ -5430,7 +5431,7 @@ sub match_source_net( $;$\$ ) { return do_mac $net; } - if ( $net =~ /^(!?)\+(6_)?[a-zA-Z][-\w]*(\[.*\])?/ ) { + if ( $net =~ /^(!?)\+(6_)?[a-zA-Z][-\w]*(\[.*\])?$/ ) { return join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, 'src' ) ); } @@ -5441,8 +5442,13 @@ sub match_source_net( $;$\$ ) { fatal_error "Multiple ipset matches require the Repeat Match capability in your kernel and iptables" unless $globals{KLUDGEFREE}; for $net ( @sets ) { - fatal_error "Expected ipset name ($net)" unless $net =~ /^(!?)(\+?)(6_)?[a-zA-Z][-\w]*(\[.*\])?/; - $result .= join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, 'src' ) ); + fatal_error "Expected ipset name ($net)" unless $net =~ /^(!?)(?:\+?)((?:6_)?[a-zA-Z][-\w]*(?:\[.*\])?)(?:\((.+)\))?$/; + $result .= join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $2, 'src' ) ); + if ( $3 ) { + require_capability 'NFACCT_MATCH', "An nfacct object list ($3)", 's'; + my @objects = split_list $3, 'nfacct'; + $result .= "-m nfacct --nfacct-name $_ ", $nfobjects{$_} = 1 for @objects; + } } return $result; @@ -5503,7 +5509,7 @@ sub imatch_source_net( $;$\$ ) { return do_imac $net; } - if ( $net =~ /^(!?)\+(6_)?[a-zA-Z][-\w]*(\[.*\])?/ ) { + if ( $net =~ /^(!?)\+(6_)?[a-zA-Z][-\w]*(\[.*\])?$/ ) { return ( set => join( '', $1 ? '! ' : '', get_set_flags( $net, 'src' ) ) ); } 
@@ -5514,8 +5520,13 @@ sub imatch_source_net( $;$\$ ) { fatal_error "Multiple ipset matches requires the Repeat Match capability in your kernel and iptables" unless $globals{KLUDGEFREE}; for $net ( @sets ) { - fatal_error "Expected ipset name ($net)" unless $net =~ /^(!?)(\+?)(6_)?[a-zA-Z][-\w]*(\[.*\])?/; - push @result , ( set => join( '', $1 ? '! ' : '', get_set_flags( $net, 'src' ) ) ); + fatal_error "Expected ipset name ($net)" unless $net =~ /^(!?)(?:\+?)((?:6_)?[a-zA-Z][-\w]*(?:\[.*\])?)(?:\((.+)\))?$/; + push @result , ( set => join( '', $1 ? '! ' : '', get_set_flags( $2, 'src' ) ) ); + if ( $3 ) { + require_capability 'NFACCT_MATCH', "An nfacct object list ($3)", 's'; + my @objects = split_list $3, 'nfacct'; + push( @result, ( nfacct => "--nfacct-name $_" ) ), $nfobjects{$_} = 1 for @objects; + } } return \@result;
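Review bot: marking `set => LAST` in %opttype (first hunk, Chains.pm) reorders the generated rule for every ipset match in a configuration, not only for rules that use the new `(<nfacct-object-list>)` suffix, and the patch carries no documentation or changelog change for either the reordering or the new syntax; the ordering consequence is stated in the mail but should also land in the release notes and in the ipset section of the documentation, together with the rule that the object list is only accepted in the `+[...]` form.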
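Review bot: the `$` anchor added to the single-set regex in match_source_net (and identically in imatch_source_net) is what keeps `+dmz-net(dmz_fwd)` out of the single-set fast path, but nothing in that hunk rejects the unbracketed form; whether the user gets a clear fatal_error or the value falls through to the host/network parsing below depends on code outside the diff. Adding an explicit `fatal_error "An nfacct object list requires the +[...] form ($net)" if $net =~ /\(/;` right after the anchored test would enforce the restriction the mail states with a message that names it.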
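Review bot: only the SOURCE-side functions learn the `(...)` suffix in this hunk; match_dest_net is untouched, and the sample output in the mail shows the consequence: `-m set --match-set dmz-net(dmz_fwd) dst` and `--match-set dmz-net(dmz_out) dst` carry the object list through as part of the set name, so the DEST rules neither match the intended set nor feed a counter. The dest functions need the same treatment (or a fatal_error on `(`), ideally by moving the regex and the nfacct loop into one helper shared by all four functions. Two smaller points in the same loop: `$result .= "-m nfacct --nfacct-name $_ ", $nfobjects{$_} = 1 for @objects;` relies on the comma operator to do two unrelated things in one statement and reads more clearly as a `for` block; and the names returned by split_list go straight into `--nfacct-name` without any check on characters or length, so a typo is only reported by iptables-restore at run time. Note also that the `! ` from `$1` applies to the set match only, so `!+[set(obj)]` counts the packets that are not in the set; that deserves a sentence in the documentation.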
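Review bot: this imatch_source_net hunk duplicates the regex and the nfacct handling of match_source_net line for line (only `push @result` differs from the string concatenation), so any later fix, for example validating the object names, has to be made twice; a small helper returning (negation, set spec, object list) that both functions call would keep them in step. The unchanged context also reads "Multiple ipset matches requires" here while match_source_net says "require"; pick one while touching these lines.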
signature.asc
Description: OpenPGP digital signature
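As an added illustration (this is not Shorewall code and not part of Tom's patch), the column syntax described above rendered in Python: the bracketed form `[!]+[<set>[<src-dst-list>](<nfacct-object-list>)[,...]]` is split into entries, each entry is matched with the same regex the patch uses, and one `-m set` followed by one `-m nfacct` per object is emitted, with the set and nfacct fragments placed at the end of the rule. It goes beyond the patch in two ways that are assumptions of this example: the DEST column is handled exactly like SOURCE (the posted patch only changes the source-side functions), and nfacct object names are validated before being emitted. Two further assumptions: a leading `!` on the bracketed form negates every entry, and a set without a `[src,dst]` list defaults to the column's direction, which is Shorewall's normal ipset behaviour.

```python
"""Added example, not Shorewall code: Python rendering of the
[!]+[<set>[<flags>](<nfacct-objects>)[,...]] column syntax from the mail.
Assumptions (ours, not the patch's): DEST is handled like SOURCE, a leading
'!' negates every bracketed entry, missing [flags] default to the column
direction, and nfacct object names are validated before use."""
import re

# The patch's entry regex in Python syntax: optional '!', optional '+', set
# name with optional [flags], optional (object list), anchored at the end.
ENTRY_RE = re.compile(
    r'^(!?)\+?((?:6_)?[a-zA-Z][-\w]*(?:\[.*\])?)(?:\((.+)\))?$')
# Our own check on object names; the patch emits them unvalidated.
NFACCT_NAME_RE = re.compile(r'^[a-zA-Z][-\w]*$')


def split_top_level(body):
    """Split 'a[src,dst](x,y),b' on commas outside [] and ()."""
    parts, cur, depth = [], [], 0
    for ch in body:
        if ch in '[(':
            depth += 1
        elif ch in '])':
            depth -= 1
            if depth < 0:
                raise ValueError(f"unbalanced bracket in {body!r}")
        if ch == ',' and depth == 0:
            parts.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
    if depth:
        raise ValueError(f"unbalanced bracket in {body!r}")
    parts.append(''.join(cur))
    return parts


def set_flags(setspec, direction):
    """'s' -> ('s', direction); 's[src,dst]' -> ('s', 'src,dst')."""
    m = re.match(r'^([^\[]+)\[(.*)\]$', setspec)
    if not m:
        return setspec, direction
    if not m.group(2):
        raise ValueError(f"empty flag list in {setspec!r}")
    return m.group(1), m.group(2)


def render_ipset(column, direction, nfobjects=None):
    """One SOURCE ('src') or DEST ('dst') column value -> list of iptables
    match fragments.  Referenced nfacct object names are collected in
    nfobjects (the patch's %nfobjects) so they can be created up front."""
    if direction not in ('src', 'dst'):
        raise ValueError(f"direction must be src or dst, got {direction!r}")
    if nfobjects is None:
        nfobjects = set()
    m = re.match(r'^(!?)\+\[(.+)\]$', column)
    if m:
        outer_neg, entries = m.group(1), split_top_level(m.group(2))
    elif re.match(r'^!?\+', column):
        if '(' in column:   # the mail: object lists need the +[...] form
            raise ValueError(f"{column!r}: object list requires +[...]")
        outer_neg, entries = '', [column]
    else:
        raise ValueError(f"expected ipset (+name) in {column!r}")
    matches = []
    for entry in entries:
        em = ENTRY_RE.match(entry)
        if not em:
            raise ValueError(f"expected ipset name ({entry})")
        neg, setspec, objlist = em.groups()
        name, flags = set_flags(setspec, direction)
        # '!' negates the set match only: with !+[s(c)] counter c sees
        # the packets that are NOT in s.
        bang = '! ' if (neg or outer_neg) else ''
        matches.append(f'-m set {bang}--match-set {name} {flags}')
        for obj in (objlist.split(',') if objlist else []):
            obj = obj.strip()
            if not NFACCT_NAME_RE.match(obj):
                raise ValueError(f"bad nfacct object name {obj!r}")
            matches.append(f'-m nfacct --nfacct-name {obj}')
            nfobjects.add(obj)
    return matches


def is_valid_column(column, direction):
    """True if render_ipset accepts the column value."""
    try:
        render_ipset(column, direction)
        return True
    except ValueError:
        return False


def append_rule(chain, leading, source='-', dest='-', nfobjects=None):
    """Build '-A <chain> ...': ordinary matches first, then the set/nfacct
    fragments, which the patch marks LAST so they sort to the end."""
    parts = [f'-A {chain}', *leading]
    if source != '-':
        parts += render_ipset(source, 'src', nfobjects)
    if dest != '-':
        parts += render_ipset(dest, 'dst', nfobjects)
    return ' '.join(parts)


if __name__ == '__main__':
    objs = set()   # the FORWARD section from the mail, DEST included
    print(append_rule('accountfwd', ['-m nfacct --nfacct-name all'],
                      source='+[dmz-net(dmz_fwd)]', nfobjects=objs))
    print(append_rule('accountfwd', [], dest='+[dmz-net(dmz_fwd)]',
                      nfobjects=objs))
    print('nfacct objects to create:', sorted(objs))
```

Running it prints the two accountfwd rules with the set match and `--nfacct-name dmz_fwd` at the end of each, and the collected object name that has to exist before iptables-restore runs. The `split_top_level` step is what keeps `a[src,dst](x,y),b` from being cut at the commas inside the flag and object lists.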
_______________________________________________
Shorewall-devel mailing list
Shorewall-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-devel