On 4/19/13 3:47 PM, "Dash Four" <mr.dash.f...@googlemail.com> wrote:
>
>>> SECTION INPUT
>>> NFACCT(all) \
>>> NFACCT(marked) - - - - - 12 \
>>> NFACCT(admin) - - - - - - root \
>>> NFACCT(web) - +web[src,src]
>>>
>>> The above, if properly "combined" (and, of course, assuming that the "\"
>>> symbol activates it) could all be implemented with a single rule:
>>>
>>> -A accountin -m nfacct --nfacct-name all \
>>> -m mark --mark 0xc -m nfacct --nfacct-name marked \
>>> -m owner --uid-owner 0 -m nfacct --nfacct-name admin \
>>> -m set --match-set web src,src -m nfacct --nfacct-name web
>>>
>>
>> I'll never implement that.
>>
>It isn't easy, I know.
>
>>> If implementing this isn't possible or very difficult to do (at least
>>> for now), I have another possible alternative - implement INLINE in
>>> "accounting".
>>>
>>
>> That I can do.
>>
>I thought it might be a bit easier than the "\" symbol proposition. It
>will give me more freedom too.
>
>One additional question regarding chains: The man page says that
>regardless of whether I use SECTION or not, I can always create a custom
>chain. So, in order to create a "custom" sub-chain in the INPUT main
>chain, is the following the correct set of statements to use:
>
>SECTION INPUT
>eth0_in - eth0
>NFACCT(eth0_in) eth0_in
>
>The aim is to produce the following set of rules:
>
>:eth0_in
>-A INPUT -i eth0 -j eth0_in
>-A eth0_in -m nfacct --nfacct-name eth0_in
>
>Have I got this right (the end result shown in the iptables rules above
>is what I am after)?

Yes. But the actual set of rules will be:

-A INPUT -j accountin
-A accounting -I eth0 -j eth0_in
-A eth0_in -m nfacct --nfacct-name eth0_in

-Tom
You do not need a parachute to skydive. You only need a parachute to
skydive twice.