Tom Eastep wrote:

> 2) It is now possible to specify multiple nfacct objects in an NFACCT
> accounting rule. Where previously, the following rules were given:
>
> SECTION INPUT
> NFACCT(all)
> NFACCT(all_in)
>
> SECTION OUTPUT
> NFACCT(all)
> NFACCT(all_out)
>
> SECTION FORWARD
> NFACCT(all)
> NFACCT(all_fwd)
>
> It is now possible to do the same thing as follows:
>
> SECTION INPUT
> NFACCT(all,all_in)
>
> SECTION OUTPUT
> NFACCT(all,all_out)
>
> SECTION FORWARD
> NFACCT(all,all_fwd)
>
> 6) It is now possible to increment an nfacct counter when a packet
> matches an ipset. To do that, simply include the counter object's
> name in parentheses after the ipset specification.
>
> Examples:
>
> a) Increment the mysetcounter nfacct object when a packet's source
> matches myset.
>
> +myset[src](mysetcounter)
>
> b) Increment the mysetcounter1 and mysetcounter2 nfacct objects
> when a packet's source matches myset.
>
> +myset[src](mysetcounter1,mysetcounter2)

I am not sure about the implementation of the last two items above. The example I gave yesterday using ipsets was just that - an example (to illustrate my point). I could have used/added anything else, like:
SECTION INPUT
NFACCT(all) \
NFACCT(marked) - - - - - 12 \
NFACCT(admin) - - - - - - root \
NFACCT(web) - +web[src,src]

The above, if properly "combined" (and, of course, assuming that the "\" symbol activates it), could all be implemented with a single rule:

-A accountin -m nfacct --nfacct-name all \
-m mark --mark 0xc -m nfacct --nfacct-name marked \
-m owner --uid-owner 0 -m nfacct --nfacct-name admin \
-m set --match-set web src,src -m nfacct --nfacct-name web

If implementing this isn't possible or is very difficult to do (at least for now), I have another possible alternative - implement INLINE in "accounting". That way, I could design the rules myself the way I want them. This, though, may require a bit more than the INLINE implemented in rules/blrules.

What shorewall currently does when it encounters "NFACCT" in "accounting" is that, in addition to producing the nfacct match, it also adds a bunch of statements to create the nfacct object itself using the nfacct executable. To facilitate INLINE in "accounting" (if you are inclined to go that route), you can define a specific keyword (say "NFACCT(obj_name)"), which, if encountered after the ";" symbol, adds the appropriate nfacct match ("-m nfacct --nfacct-name obj_name") at the specified position, as well as adding the appropriate statement for creating the accounting object itself ("nfacct add obj_name", for example).

So, using the above example, if you decide to go the INLINE route, in order to produce the same iptables rule as above, all that's needed is this:

SECTION INPUT
INLINE ; NFACCT(all) -m mark --mark 0xc NFACCT(marked) -m owner --uid-owner 0 NFACCT(admin) -m set --match-set web src,src NFACCT(web)
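As an added illustration (not part of the message above, and not Shorewall's own code), the following hypothetical Python expander shows how the proposed INLINE keyword could be turned into the single iptables rule and the "nfacct add" setup statements the message describes; the chain name "accountin", the function name expand_inline and the sample line are assumptions for the example.

```python
import re
import shlex

# Constructed sample: the text after ";" on the proposed INLINE line.
# Plain NFACCT(name[,name...]) tokens mark where each nfacct match goes;
# everything else is passed through as raw iptables match fragments.
SAMPLE_INLINE = ("NFACCT(all) -m mark --mark 0xc NFACCT(marked) "
                 "-m owner --uid-owner 0 NFACCT(admin) "
                 "-m set --match-set web src,src NFACCT(web)")

# nfacct object names are restricted to a safe character set so that a
# token can never smuggle extra arguments into the generated commands.
NFACCT_TOKEN = re.compile(r"^NFACCT\(([A-Za-z0-9_]+(?:,[A-Za-z0-9_]+)*)\)$")


def expand_inline(chain, inline):
    """Return (iptables_rule, nfacct_setup_commands) for one INLINE line.

    Each NFACCT(a,b) token becomes one "-m nfacct --nfacct-name" match per
    object, kept at its position among the surrounding match fragments,
    and each distinct object gets one "nfacct add" statement."""
    rule = ["-A", chain]
    objects = []
    for tok in shlex.split(inline):
        m = NFACCT_TOKEN.match(tok)
        if m:
            for name in m.group(1).split(","):
                rule += ["-m", "nfacct", "--nfacct-name", name]
                if name not in objects:
                    objects.append(name)
        elif tok.startswith("NFACCT"):
            # Reject NFACCT() / odd names instead of emitting a broken rule.
            raise ValueError(f"malformed nfacct token: {tok}")
        else:
            rule.append(tok)
    setup = [f"nfacct add {name}" for name in objects]
    return " ".join(rule), setup


if __name__ == "__main__":
    iptables_rule, setup_cmds = expand_inline("accountin", SAMPLE_INLINE)
    for cmd in setup_cmds:
        print(cmd)
    print(iptables_rule)
```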