>>> Please post the action.IELOG file so I don't have to guess what it does.

I described the function of that action in my post, but missed the most important part (which was ultimately the cause of this problem): The action takes 3 parameters: new (custom) disposition, new (custom) chain and NFLOG class. It creates one LOG and one NFLOG target statements. The action is not inline, though its "counterpart" - IELOG - is.

>> Never mind -- I've been able to reproduce this; it is a consequence of
>> setting @chain. Now to understand why....
>
> Here's a patch.

Yep, that does the trick. However, I have found another issue:

rules
~~~~~
SECTION ESTABLISHED
IELOG(-,fw2NeT,2) $FW net
ACCEPT $FW net udp
ACCEPT $FW net tcp

produces this:

-A fw2net -m conntrack --ctstate ESTABLISHED -j LOG --log-tcp-options --log-ip-options --log-macdecode --log-tcp-sequence --log-uid --log-level 6 --log-prefix "Shorewall:fw2NeT::"
-A fw2net -m conntrack --ctstate ESTABLISHED -j NFLOG --nflog-group 2 --nflog-range 0 --nflog-threshold 1 --nflog-prefix "Shorewall:fw2NeT::"
-A fw2net -p 17 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A fw2net -p 6 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A fw2net -m conntrack --ctstate ESTABLISHED -j ACCEPT

As evident, again, there is no optimisation on the "--ctstate" at all. All the ESTABLISHED states should have been optimised away in a separate chain with a single --ctstate match.
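The rewrite requested in the message above, as an added example that is not part of the original post and is not Shorewall's optimiser code: it hoists a `--ctstate` match shared by consecutive rules of one chain into a single jump. The function name and the `fw2net_ct0` sub-chain name are hypothetical; the input rules are the ones quoted in the message.

```python
import re

# Rules copied from the output quoted in the message above.
RULES = [
    '-A fw2net -m conntrack --ctstate ESTABLISHED -j LOG --log-tcp-options --log-ip-options --log-macdecode --log-tcp-sequence --log-uid --log-level 6 --log-prefix "Shorewall:fw2NeT::"',
    '-A fw2net -m conntrack --ctstate ESTABLISHED -j NFLOG --nflog-group 2 --nflog-range 0 --nflog-threshold 1 --nflog-prefix "Shorewall:fw2NeT::"',
    '-A fw2net -p 17 -m conntrack --ctstate ESTABLISHED -j ACCEPT',
    '-A fw2net -p 6 -m conntrack --ctstate ESTABLISHED -j ACCEPT',
    '-A fw2net -m conntrack --ctstate ESTABLISHED -j ACCEPT',
]

# Plain (non-negated) conntrack state match, wherever it sits in the rule.
CT = re.compile(r"-m conntrack --ctstate (\S+) ")

def factor_ctstate(rules, chain):
    """Replace each run of >=2 consecutive rules in `chain` that share one
    --ctstate value with a single matching jump to a new sub-chain."""
    head = f"-A {chain} "
    out, subchains, run, state = [], [], [], None

    def flush():
        if len(run) < 2:                        # one rule gains nothing from a jump
            out.extend(run)
        else:
            sub = f"{chain}_ct{len(subchains)}"  # hypothetical naming scheme
            subchains.append(sub)
            out.append(f"{head}-m conntrack --ctstate {state} -j {sub}")
            for r in run:                       # same rule, state match removed
                out.append(f"-A {sub} " + CT.sub("", r[len(head):], count=1))
        run.clear()

    for rule in rules:
        m = CT.search(rule) if rule.startswith(head) else None
        s = m.group(1) if m else None
        if s != state:                          # state changed: close the current run
            flush()
            state = s
        if s is None:
            out.append(rule)                    # other chain or no state match: keep as-is
        else:
            run.append(rule)
    flush()
    # iptables-restore style chain declarations first, then the rules.
    return [f":{s} - [0:0]" for s in subchains] + out

if __name__ == "__main__":
    print("\n".join(factor_ctstate(RULES, "fw2net")))
```

The rewrite preserves behaviour only when no rule in the run uses `-j RETURN` or `-g`, since those targets act differently from inside a sub-chain.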
