> Why does it have to be a separate set of chains? If you are using
> nfacct, why not just bump the accounting objects in the rules chains?

Because of the connection state.
Most (if not all) of the rules present in "rules" depend on or are executed only when a certain connection state matches. So if I just include the nfacct object as part of the original rules (in "rules") as you suggest, then I am only going to count packets in the state in which that particular SECTION operates, which is, obviously, not what counts (pun intended). Even if I use SECTION ALL rules, then I have to duplicate (and maintain) stuff there as well.

_______________________________________________
Shorewall-devel mailing list
Shorewall-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-devel