On 2/2/11 3:05 PM, Steven Jan Springl wrote:

> If the accounting file contains two ACCOUNT rules that specify the same
> table name but different networks, e.g.
> 
> ACCOUNT(net2lan,192.168.0.0/24)  -  eth0  eth1
> ACCOUNT(net2lan,10.1.0.0/16)  -  eth0  eth1
> 
> then a shorewall debug start produces the following error messages:
> 
> iptables: Invalid argument. Run `dmesg' for more information.
> 
> ERROR: Command "/usr/local/sbin/iptables -A accounting -i eth0 -o eth1 -j
> ACCOUNT --addr 10.1.0.0/16 --tname net2lan" Failed
> 
> The output from dmesg is:
> 
> [18807.006707] ACCOUNT: Table net2lan found, but IP/netmask mismatch.
> IP/netmask found: 192.168.0.0/255.255.255.0
> 
> [18807.006714] ACCOUNT: Table insert problem. Aborting

Patch attached.

Thanks again, Steven

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
diff --git a/Shorewall/Perl/Shorewall/Accounting.pm 
b/Shorewall/Perl/Shorewall/Accounting.pm
index 718a091..87462c9 100644
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -38,11 +38,17 @@ our @EXPORT_OK = qw( );
 our $VERSION = '4.4.17';
 
 #
+# Per-IP accounting tables. Each entry contains the associated network.
+#
+our %tables;
+
+#
 # Called by the compiler to [re-]initialize this module's state
 #
 sub initialize() {
     our $jumpchainref;
     $jumpchainref = undef;
+    %tables       = ();
 }
 
 #
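Review bot: the comment above `our %tables;` ("Per-IP accounting tables. Each entry contains the associated network.") does not say what the hash is keyed on; since process_accounting_rule looks it up as `$tables{$table}`, state that the key is the ACCOUNT table name and the value is the network string the table was first created with. Declaring it with `our` makes it a package variable (the module already does the same for $jumpchainref, so this is consistent), but a name as generic as %tables in package scope is easy to collide with; `%account_tables` would be clearer. The reset `%tables = ();` in initialize() is the right place, so a recompile starts with no stale bindings.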
@@ -113,6 +119,14 @@ sub process_accounting_rule( ) {
                fatal_error "Invalid Network Address ($net)" unless defined 
$net   && $net =~ '/(\d+)$';
                fatal_error "Netmask ($1) out of range"      unless $1 >= 8;
                validate_net $net, 0;
+
+               my $prevnet = $tables{$table};
+               if ( $prevnet ) {
+                   fatal_error "Previous net associated with $table ($prevnet) 
does not match this one ($net)" unless $net eq $prevnet;
+               } else {
+                   $tables{$table} = $net;
+               }
+
                $target = "ACCOUNT --addr $net --tname $table";
            } else {
                fatal_error "Invalid ACCOUNT Action";
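Review bot: the conflict check `unless $net eq $prevnet` is a textual comparison, whereas the kernel message quoted in the report ("IP/netmask found: 192.168.0.0/255.255.255.0") shows the target comparing an address/netmask pair; two rules that spell the same network differently (for example one with host bits set) would be rejected here as a mismatch even though the kernel would accept them. If validate_net returns a canonical form, compare and store that rather than the raw $net. Two smaller points: `if ( $prevnet )` tests truthiness where `defined $prevnet` says what is meant, and the fatal_error would be more actionable if it also named the rule that first bound $table, which can be recorded at `$tables{$table} = $net;` alongside the net.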

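The same invariant the patch enforces, as a stand-alone checker (added example in Python; it is not Shorewall code and is not part of the patch). It reads accounting rules in the layout used in the report (ACTION in the first whitespace-separated column, `ACCOUNT(table,net)` as the action), keeps the patch's netmask floor of /8, and compares normalised networks rather than raw strings. The sample rules are constructed for the example; the clearing of host bits before comparison is an assumption about how the kernel target's IP/netmask comparison behaves, based on the dmesg line in the report.

```python
"""Stand-alone consistency checker for ACCOUNT(table,net) accounting rules.

Added example, not Shorewall code.  It enforces the rule the ipt_ACCOUNT
kernel target enforces (one network per table name) before iptables is
invoked, and it compares normalised networks rather than raw strings.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# ACTION column of the form ACCOUNT(table,net); assumption: table names
# contain no commas or parentheses.
_ACCOUNT_RE = re.compile(r'^ACCOUNT\(([^,()]+),([^()]+)\)$')

# table name -> (network, line number of the rule that first bound the table)
TableMap = Dict[str, Tuple[ipaddress.IPv4Network, int]]


def parse_account_action(action: str) -> Optional[Tuple[str, ipaddress.IPv4Network]]:
    """Return (table, network) for an ACCOUNT(...) action, None for any other
    action, and raise ValueError for a malformed or out-of-range network."""
    m = _ACCOUNT_RE.match(action.strip())
    if m is None:
        return None
    table, net = m.group(1).strip(), m.group(2).strip()
    try:
        # strict=False clears host bits (10.1.0.1/16 -> 10.1.0.0/16); assumption:
        # the kernel compares the masked address, as the dmesg line suggests.
        network = ipaddress.ip_network(net, strict=False)
    except ValueError as exc:
        raise ValueError(f"Invalid Network Address ({net})") from exc
    if network.version != 4:
        raise ValueError(f"Invalid Network Address ({net})")
    if network.prefixlen < 8:  # same floor as the patch's "Netmask out of range"
        raise ValueError(f"Netmask ({network.prefixlen}) out of range")
    return table, network


def check_accounting(lines: List[str]) -> Tuple[TableMap, List[str]]:
    """Walk accounting-file lines; return the table map and a list of errors."""
    tables: TableMap = {}
    errors: List[str] = []
    for lineno, raw in enumerate(lines, 1):
        line = raw.split('#', 1)[0].strip()    # drop comments and blank lines
        if not line:
            continue
        action = line.split()[0]               # ACTION is the first column
        try:
            parsed = parse_account_action(action)
        except ValueError as exc:
            errors.append(f"line {lineno}: {exc}")
            continue
        if parsed is None:
            continue                           # COUNT, DONE, chain names, ...
        table, network = parsed
        prev = tables.get(table)
        if prev is None:
            tables[table] = (network, lineno)
        elif prev[0] != network:
            errors.append(
                f"line {lineno}: previous net associated with {table} "
                f"({prev[0]}, line {prev[1]}) does not match this one ({network})"
            )
    return tables, errors


# Constructed sample: lines 2-3 reproduce the conflict from the report,
# lines 4-5 are the same network spelled two ways, line 7 is a too-wide mask.
SAMPLE_ACCOUNTING = """\
#ACTION                          CHAIN  SOURCE  DEST
ACCOUNT(net2lan,192.168.0.0/24)  -      eth0    eth1
ACCOUNT(net2lan,10.1.0.0/16)     -      eth0    eth1
ACCOUNT(dmz,172.16.5.0/24)       -      eth0    eth2
ACCOUNT(dmz,172.16.5.7/24)       -      eth2    eth0
COUNT                            -      eth0    eth1
ACCOUNT(wide,10.0.0.0/4)         -      eth0    eth1
""".splitlines()


if __name__ == "__main__":
    found, problems = check_accounting(SAMPLE_ACCOUNTING)
    for problem in problems:
        print("ERROR:", problem)
    for name, (network, lineno) in found.items():
        print(f"table {name}: {network} (first bound on line {lineno})")
```

Run against the sample, the checker reports the net2lan conflict on line 3 and the out-of-range mask on line 7, and accepts the two spellings of the dmz network on lines 4 and 5 because it compares the masked network rather than the text of the rule.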

_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
