On 17/05/2011 00:23, Tom Eastep wrote:
> 
> On May 16, 2011, at 10:51 AM, Ed W wrote:
> 
>> Anyone?
>>
>> To rephrase the question - I need to maintain a separate iptables rule
>> which has to match (and nf_log) ALL traffic. How to best maintain such
>> an additional iptables line to exist past restarts, etc? (probably
>> externally, but how?)
> 
> No single rule can do what you want because there is no single chain through 
> which all traffic flows so you need more than one. But you can add them in 
> the 'start' extension script.

Thanks Tom

Looking at the accounting man pages, it seems like the "feature" would
be to allow DONE:NFLOG and COUNT:NFLOG in the accounting rules? I
haven't yet pulled out of the code to understand how tricky this is, but
I accept your reply that it's not straightforward for now!

The only thing I haven't considered properly is whether I have all the
info at this chain to decide how the packet will be routed (which
interface), but I *think* I do since the current design should use
firewall marks to choose routing options...

I guess logging a bonded VPN over some advanced split routing with
probabilistic routing isn't going to be correctly logged this way...

Any other tips for best location (chains) to place these logging rules?
To recap, we have several internet connections which have variable cost
and we will use NFLOG to examine every packet to read its mark and bill
the sender appropriately.

Cheers

Ed W
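
As an added illustration of the approach Tom suggests (not code from this thread or from the Shorewall project), the script below generates the NFLOG rules a 'start' extension script could run. Because no single chain sees every packet, it covers the filter-table INPUT, OUTPUT and FORWARD chains, and each insert is guarded by an `iptables -C` check so re-running the script after a restart does not stack duplicate rules. The NFLOG group number (5), the prefix naming scheme and the choice of chains are assumptions for the example, not anything this list thread specifies; the collector reading that group (for instance ulogd) is assumed to exist separately.

```shell
#!/bin/sh
# Added example, not Ed W's or Shorewall's own code: emit (or apply) the
# iptables rules that NFLOG every packet so a userspace collector can read
# the fwmark and account traffic per sender.
# Assumptions (hypothetical): NFLOG group 5 is free and a collector listens
# on it; iptables is the netfilter front end on the host.

NFLOG_GROUP="${NFLOG_GROUP:-5}"
IPTABLES="${IPTABLES:-iptables}"

# No single chain sees all traffic, so three filter-table chains are used:
# INPUT (to this host), OUTPUT (from this host), FORWARD (routed through).
# By the time a packet reaches filter, any mark set in mangle is present.
NFLOG_CHAINS="INPUT OUTPUT FORWARD"

# Match/target part of the rule for one chain. A per-chain prefix lets the
# collector tell the three directions apart in its output.
nflog_rule_spec() {
    chain="$1"
    printf '%s' "-j NFLOG --nflog-group $NFLOG_GROUP --nflog-prefix nflog-$chain"
}

# Idempotent commands: -C exits non-zero when the rule is absent, and only
# then is it inserted at position 1, so repeated runs add nothing twice.
nflog_rule_commands() {
    for c in $NFLOG_CHAINS; do
        spec=$(nflog_rule_spec "$c")
        printf '%s -C %s %s 2>/dev/null || %s -I %s 1 %s\n' \
            "$IPTABLES" "$c" "$spec" "$IPTABLES" "$c" "$spec"
    done
}

# Number of chains covered, used as a sanity check.
nflog_chain_count() {
    set -- $NFLOG_CHAINS
    echo "$#"
}

# Apply the rules; only meaningful as root on a host with iptables.
apply_nflog_rules() {
    nflog_rule_commands | while IFS= read -r cmd; do
        eval "$cmd"
    done
}

# "apply" installs the rules; anything else just prints the commands.
case "${1:-show}" in
    apply) apply_nflog_rules ;;
    *)     nflog_rule_commands ;;
esac
```

Inserting at position 1 means packets are logged before any later chain drops them, so a billing collector that must not charge for rejected traffic would need to place the rule after the policy chains instead, or filter on the collector side.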

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
