On 05/17/2011 02:27 AM, Ed W wrote:
> On 17/05/2011 00:23, Tom Eastep wrote:
>>
>> On May 16, 2011, at 10:51 AM, Ed W wrote:
>>
>>> Anyone?
>>>
>>> To rephrase the question - I need to maintain a separate iptables rule
>>> which has to match (and nf_log) ALL traffic. How to best maintain such
>>> an additional iptables line to exist past restarts, etc? (probably
>>> externally, but how?)
>>
>> No single rule can do what you want because there is no single chain through
>> which all traffic flows so you need more than one. But you can add them in
>> the 'start' extension script.
>
> Thanks Tom
>
> Looking at the accounting man pages, it seems like the "feature" would
> be to allow DONE:NFLOG and COUNT:NFLOG in the accounting rules? I
> haven't yet pulled out of the code to understand how tricky this is, but
> I accept your reply that it's not straightforward for now!
The problem is that all of Shorewall's logging infrastructure assumes that you want to pass each log message through the rate-limiting restrictions imposed by LOGBURST and LOGLIMIT. That clearly doesn't work when you are trying to use the log messages for accounting purposes.

> The only thing I haven't considered properly is whether I have all the
> info at this chain to decide how the packet will be routed (which
> interface), but I *think* I do since the current design should use
> firewall marks to choose routing options...
>
> I guess logging a bonded VPN over some advanced split routing with
> probabilistic routing isn't going to be correctly logged this way...

The difficulty of correct VPN accounting depends on the VPN technology you are using.

> Any other tips for best location (chains) to place these logging rules?
> To recap we have several internet connections which have variable cost
> and we will use NFLOG to examine every packet to read its mark and bill
> the sender appropriately.

If you only want to log messages leaving the firewall (download traffic would be accounted as it leaves the local firewall interfaces), then you could do it in the POSTROUTING mangle chain.

-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
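The approach Tom describes, an unrated NFLOG accounting rule in the mangle POSTROUTING chain maintained from the 'start' extension script, written out as an added example. This is not code from the thread or from Shorewall itself; the nflog group (5), the log prefix ("acct:"), the comment tag, the variable names and the /etc/shorewall/start path are all assumptions made for the example. It insists on idempotence because 'start' runs on every restart, so a plain `-A` would accumulate duplicate rules and double-count every packet.

```shell
#!/bin/sh
# Added example, not Shorewall's own code: an accounting NFLOG rule for the
# mangle POSTROUTING chain, meant to be called from a Shorewall 'start'
# extension script. Because 'start' runs on every start/restart, the rule
# survives restarts; because it is inserted with plain iptables rather than a
# Shorewall LOG action, LOGLIMIT/LOGBURST never apply and every outbound
# packet produces exactly one NFLOG record.
# Assumptions (constructed, not from the thread): nflog group 5, prefix
# "acct:", comment tag "shorewall-acct", iptables reachable as $ACCT_IPTABLES.

ACCT_IPTABLES="${ACCT_IPTABLES:-iptables}"
NFLOG_GROUP="${NFLOG_GROUP:-5}"
NFLOG_PREFIX="${NFLOG_PREFIX:-acct:}"

# The rule specification (everything after the chain name). Keeping it in one
# place guarantees that the -C (check) and -I (insert) calls describe the
# same rule, which is what makes ensure_acct_rule idempotent across restarts.
acct_rule_spec() {
    printf '%s' "-m comment --comment shorewall-acct -j NFLOG --nflog-group $NFLOG_GROUP --nflog-prefix $NFLOG_PREFIX"
}

# Insert the rule at position 1 of mangle POSTROUTING unless it is already
# there. NFLOG is a non-terminating target: the packet keeps traversing the
# chain, and the userspace listener on the group gets a copy together with
# the packet's fwmark, which is the value the accounting daemon bills on.
# By POSTROUTING the routing decision (and therefore the mark) is final.
ensure_acct_rule() {
    # shellcheck disable=SC2046  # splitting the spec into arguments is intended
    if "$ACCT_IPTABLES" -t mangle -C POSTROUTING $(acct_rule_spec) 2>/dev/null; then
        return 0
    fi
    "$ACCT_IPTABLES" -t mangle -I POSTROUTING 1 $(acct_rule_spec)
}

# Counterpart for a 'stop' extension script, so a stopped firewall does not
# keep feeding the accounting listener. Absence of the rule is not an error.
remove_acct_rule() {
    # shellcheck disable=SC2046
    "$ACCT_IPTABLES" -t mangle -D POSTROUTING $(acct_rule_spec) 2>/dev/null || true
}

# Usage from /etc/shorewall/start (path assumed): source this file, then call
#   ensure_acct_rule
```

Using `-C` before `-I` is what keeps the rule count stable over repeated `shorewall restart` runs; a listener on nflog group 5 (for example ulogd or a small libnetfilter_log program) then sees one record per outbound packet, mark included, with no kernel-side rate limiting in the path.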
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
