On 2/2/11 2:44 PM, Steven Jan Springl wrote:
> Tom
> 
> If OPTIMIZE_ACCOUNTING=Yes and there is just one rule in the accounting file 
> eg:
> 
> ACCOUNTING(net2lan,192.168.0.0/24)  -  eth0  eth1
> 
> The following error messages are produced from a shorewall debug start ...
> 
> iptables v1.4.10: Can't use -o with INPUT
> 
> ERROR: Command "/usr/local/sbin/iptables -A INPUT -i eth0 -o eth1 -j 
> ACCOUNT --addr 192.168.0.0/24 --tname net2lan" Failed
> 
> If the rule is changed to:
> 
> ACCOUNTING(net2lan,192.168.0.0/24)  -  eth0  -
> 
> then the following messages are produced:
> 
> iptables v1.4.10: Can't use -i with OUTPUT
> 
> ERROR: Command "/usr/local/sbin/iptables -A OUTPUT -i eth0 -j ACCOUNT --addr 
> 192.168.0.0/24 --tname net2lan" Failed
> 
> If OPTIMIZE_ACCOUNTING=No or there is more than one rule in the accounting 
> file eg duplicate the rule, then the error does not occur.

Patch attached.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
diff --git a/Shorewall/Perl/Shorewall/Chains.pm 
b/Shorewall/Perl/Shorewall/Chains.pm
index cffb24b..d224130 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -1267,7 +1267,7 @@ sub ensure_accounting_chain( $$ )
        $chainref->{accounting} = 1;
        $chainref->{referenced} = 1;
        $chainref->{ipsec}      = $ipsec;
-       $chainref->{dont_optimize} = 1 unless $config{OPTIMIZE_ACCOUNTING};
+       $chainref->{dont_optimize} = 1 unless $config{OPTIMIZE_ACCOUNTING} && 
$chain ne 'accounting';
 
        if ( $chain ne 'accounting' ) {
            my $file = find_file $chain;
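
Review bot: The new condition on the `dont_optimize` line combines a trailing `unless` with `&&` and a negated string comparison, which is easy to misread, and it carries no comment saying why the top-level `accounting` chain is exempt from optimization. Consider writing it in the positive form, `$chainref->{dont_optimize} = 1 if ! $config{OPTIMIZE_ACCOUNTING} || $chain eq 'accounting';`. A one-line comment would also help, noting that per the report in this thread a single-rule accounting file with OPTIMIZE_ACCOUNTING=Yes produced `-A INPUT ... -o` and `-A OUTPUT -i ...` commands that iptables rejects. The very next statement already tests `$chain ne 'accounting'`, so the flag could alternatively be set in an explicit branch next to that test to keep the special case in one place.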
