On 4/19/13 2:57 PM, "Dash Four" <mr.dash.f...@googlemail.com> wrote:
>Tom Eastep wrote:
>> 2) It is now possible to specify multiple nfacct objects in an NFACCT
>> accounting rule. Where previously, the following rules were given:
>>
>> SECTION INPUT
>> NFACCT(all)
>> NFACCT(all_in)
>>
>> SECTION OUTPUT
>> NFACCT(all)
>> NFACCT(all_out)
>>
>> SECTION FORWARD
>> NFACCT(all)
>> NFACCT(all_fwd)
>>
>> It is now possible to do the same thing as follows:
>>
>> SECTION INPUT
>> NFACCT(all,all_in)
>>
>> SECTION OUTPUT
>> NFACCT(all,all_out)
>>
>> SECTION FORWARD
>> NFACCT(all,all_fwd)
>>
>> 6) It is now possible to increment an nfacct counter when a packet
>> matches an ipset. To do that, simply include the counter object's
>> name in parentheses after the ipset specification.
>>
>> Examples:
>>
>> a) Increment the mysetcounter nfacct object when a packet's source
>> matches myset.
>>
>> +myset[src](mysetcounter)
>>
>> b) Increment the mysetcounter1 and mysetcounter2 nfacct objects
>> when a packet's source matches myset.
>>
>> +myset[src](mysetcounter1,mysetcounter2)
>>
>I am not sure about the implementation of last two items above. The
>example I gave yesterday with using ipsets was just that - an example
>(to illustrate my point). I could have used/added anything else, like:
>
>SECTION INPUT
>NFACCT(all) \
>NFACCT(marked) - - - - - 12 \
>NFACCT(admin) - - - - - - root \
>NFACCT(web) - +web[src,src]
>
>The above, if properly "combined" (and, of course, assuming that the "\"
>symbol activates it) could all be implemented with a single rule:
>
>-A accountin -m nfacct --nfacct-name all \
> -m mark --mark 0xc -m nfacct --nfacct-name marked \
> -m owner --uid-owner 0 -m nfacct --nfacct-name admin \
> -m set --match-set web src,src -m nfacct --nfacct-name web

I'll never implement that.

>
>If implementing this isn't possible or very difficult to do (at least
>for now), I have another possible alternative - implement INLINE in
>"accounting".

That I can do.

-Tom
You do not need a parachute to skydive.
You only need a parachute to skydive twice.
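
Added example, not part of the original message and not Shorewall's own code: a small Python parser for the `+set[flags](counter,...)` form quoted in item 6, emitting the chained `-m set` / `-m nfacct` matches in the style of the single rule quoted above. The grammar, the name pattern, the duplicate check and the function name `ipset_counter_matches` are assumptions inferred from the two examples in the message.

```python
import re

# Assumed grammar, inferred from the message's examples:
#   +<setname>[<flag>{,<flag>}]  optionally followed by  (<counter>{,<counter>})
SPEC = re.compile(r"^\+(?P<set>[A-Za-z][\w-]*)"
                  r"\[(?P<flags>[^\]]+)\]"
                  r"(?:\((?P<counters>[^)]*)\))?$")
NAME = re.compile(r"^[A-Za-z][\w-]*$")   # conservative object-name pattern (assumption)
FLAGS = {"src", "dst"}


def ipset_counter_matches(spec):
    """Return the iptables match arguments for one ipset-with-counters spec."""
    m = SPEC.match(spec)
    if not m:
        raise ValueError(f"not an ipset specification: {spec!r}")
    flags = m.group("flags").split(",")
    bad = [f for f in flags if f not in FLAGS]
    if bad:
        raise ValueError(f"unknown ipset flag(s): {bad}")
    args = ["-m", "set", "--match-set", m.group("set"), ",".join(flags)]
    counters = m.group("counters")
    if counters is not None:
        names = [c.strip() for c in counters.split(",")]
        for name in names:
            if not NAME.match(name):   # also rejects the empty "()" list
                raise ValueError(f"bad nfacct object name: {name!r}")
        # Check added by this example: a counter named twice would be
        # incremented twice for the same packet.
        if len(set(names)) != len(names):
            raise ValueError(f"duplicate nfacct object in {spec!r}")
        for name in names:
            # Each nfacct match only runs if every match before it succeeded,
            # so the counters see exactly the packets that matched the set.
            args += ["-m", "nfacct", "--nfacct-name", name]
    return args


if __name__ == "__main__":
    # Specs taken from the message; the output is this example's rendering.
    for s in ("+myset[src](mysetcounter)",
              "+myset[src](mysetcounter1,mysetcounter2)",
              "+web[src,src]"):
        print(s, "->", " ".join(ipset_counter_matches(s)))
```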