Shorewall 4.4.17 Beta 3 is now ready for testing. I apologize for the rapid-fire betas but I'm eager to release this functionality.
Problems Corrected:
1) If the SOURCE column in /etc/shorewall6/rules contained an IPv6
address enclosed in [...], a spurious error was generated:
ERROR: Invalid VLSM (0]) : /etc/shorewall6/rules (line 20)
The error did not occur if <...> was used to enclose the IPv6
address.
2) Two compiler defects in module loading have been corrected:
a) Previously, the kernel/net/ipv6/netfilter/ directory was not
searched.
b) A Perl diagnostic was issued when running on a monolithic kernel
when the modutils package was installed.
New Features:
1) The treatment of run-time address variables when an optional
interface is unavailable has changed. Originally, the nil IP
address was substituted (0.0.0.0 for IPv4 and :: for IPv6). Now,
the generated rules that would contain the address are omitted from
the ruleset.
2) This release adds support for per-IP accounting using the ACCOUNT
target. That target is only available when xtables-addons is
installed. This support has been successfully tested with
xtables-addons 1.32 on:
- Fedora 14
- Debian Squeeze
Versions of xtables-addons supporting the ACCOUNT target do not
install successfully on Debian Lenny.
Information about xtables-addons installation may be found at
http://www.shorewall.net/Dynamic.html#xtables-addons
This feature required addition of the "ACCOUNT Target" capability
so if you use a capabilities file, you will want to refresh it
after installing this release.
Per-IP accounting is configured in /etc/shorewall/accounting (it is
not currently supported in IPv6). In the ACTION column, enter:
ACCOUNT(<table>,<network>)
where:
<table> is the name of an accounting table (you choose the
name). Rules specifying the same table will have their
per-IP counters accumulated in that table.
<network> is an IPv4 network in CIDR format; it may be as large as a /8.
Example: Suppose your WAN interface is eth0 and your LAN interface
is eth1 with network 172.20.1.0/24. To account for all
traffic between the WAN and LAN interfaces (one rule per direction):
#ACTION                          CHAIN  SOURCE  DEST ...
ACCOUNT(net-loc,172.20.1.0/24)   -      eth0    eth1
ACCOUNT(net-loc,172.20.1.0/24)   -      eth1    eth0
This will create a net-loc table for counting packets and
bytes for traffic between the two interfaces. The table is dumped
using the iptaccount utility:
iptaccount [-f] -l net-loc
For each local IP address with non-zero counters, the packet and
byte count for both incoming traffic (IP is DST) and outgoing
traffic (IP is SRC) are listed. The -f option causes the table to
be flushed (reset all counters to zero).
One nice feature of per-IP accounting is that the counters survive
'shorewall restart'. This has a downside, however: if you change
the <network> associated with an accounting table, 'shorewall restart'
will not succeed; you must instead "shorewall stop; shorewall start"
(which clears the counters).
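The constraints above (IPv4 only, nothing larger than a /8, one <network> per table, and a full stop/start when a table's network changes) are easy to get wrong by hand. The following is an added example, not Shorewall's own code, of a small offline checker for ACCOUNT(...) entries in an accounting file. The sample file contents are constructed for the example, and the handling of a host address inside the CIDR (normalising 172.20.1.5/24 to 172.20.1.0/24) is an assumption of this checker, not documented Shorewall behaviour.

```python
"""Offline checker for ACCOUNT(<table>,<network>) entries in an
/etc/shorewall/accounting file, applying the limits stated in the
release notes: IPv4 only, no larger than a /8, one <network> per table.
Added example, not Shorewall's own code."""
import ipaddress
import re

# ACTION column form used by the release notes: ACCOUNT(<table>,<network>)
ACCOUNT_RE = re.compile(r"^ACCOUNT\(([^,]+),([^)]+)\)$")

# Constructed sample accounting file (not taken from a real system).
SAMPLE_ACCOUNTING = """\
#ACTION                          CHAIN  SOURCE  DEST
ACCOUNT(net-loc,172.20.1.0/24)   -      eth0    eth1
ACCOUNT(net-loc,172.20.1.0/24)   -      eth1    eth0
COUNT                            -      eth0    eth1    tcp   22
ACCOUNT(net-loc,172.20.2.0/24)   -      eth0    eth2
ACCOUNT(dmz,2001:db8::/32)       -      eth0    eth3
ACCOUNT(big,10.0.0.0/7)          -      eth0    eth1
"""


def parse_account_action(action):
    """Return (table, IPv4Network) for an ACCOUNT(...) action.

    Returns None for any other ACTION (COUNT, DONE, a chain name, ...).
    Raises ValueError when the <network> violates the documented limits.
    """
    m = ACCOUNT_RE.match(action)
    if not m:
        return None
    table, net = (s.strip() for s in m.groups())
    # strict=False accepts a host address such as 172.20.1.5/24 and
    # normalises it to the network; whether Shorewall does the same is
    # an assumption of this checker.
    network = ipaddress.ip_network(net, strict=False)
    if network.version != 4:
        raise ValueError(f"{action}: per-IP accounting is IPv4 only")
    if network.prefixlen < 8:
        raise ValueError(f"{action}: network larger than a /8")
    return table, network


def check_accounting(text):
    """Parse accounting-file text.

    Returns (tables, problems): tables maps each accounting table name to
    its IPv4Network; problems lists findings with line numbers.
    """
    tables = {}
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        action = line.split()[0]
        try:
            parsed = parse_account_action(action)
        except ValueError as exc:
            problems.append(f"line {lineno}: {exc}")
            continue
        if parsed is None:
            continue
        table, network = parsed
        # Rules naming the same table accumulate into one set of per-IP
        # counters, so they must agree on the network.
        previous = tables.setdefault(table, network)
        if previous != network:
            problems.append(
                f"line {lineno}: table {table} uses {network} "
                f"but was defined with {previous}"
            )
    return tables, problems


def needs_full_restart(deployed, proposed):
    """Tables whose <network> differs from the one currently loaded.

    For these, 'shorewall restart' is not sufficient; use
    'shorewall stop; shorewall start' (their counters are cleared).
    """
    return sorted(
        table for table, network in proposed.items()
        if table in deployed and deployed[table] != network
    )


if __name__ == "__main__":
    tables, problems = check_accounting(SAMPLE_ACCOUNTING)
    for table, network in sorted(tables.items()):
        print(f"table {table}: {network}")
    for problem in problems:
        print("PROBLEM", problem)
    # Pretend the running ruleset was built with a different net-loc network.
    loaded = {"net-loc": ipaddress.ip_network("172.20.0.0/16")}
    print("needs stop/start:", needs_full_restart(loaded, tables))
```

Run against the constructed sample, the checker accepts the two net-loc rules, flags the third net-loc rule for using a different network, rejects the IPv6 entry and the /7, and reports that net-loc needs a stop/start if the loaded ruleset used 172.20.0.0/16 for that table.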
Thank you for testing,
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
Shorewall-devel mailing list: https://lists.sourceforge.net/lists/listinfo/shorewall-devel
