On 02/02/2013 05:58 PM, Mr Dash Four wrote:
>
>>>> Please post the action.IELOG file so I don't have to guess what it does.
> I described the function of that action in my post, but missed the most
> important part (which was ultimately the cause of this problem): The action
> takes 3 parameters: new (custom) disposition, new (custom) chain and NFLOG
> class. It creates one LOG and one NFLOG target statements. The action is not
> inline, though its "counterpart" - IELOG - is.
>
>>> Never mind -- I've been able to reproduce this; it is a consequence of
>>> setting @chain. Now to understand why....
>>
>> Here's a patch.
> Yep, that does the trick. However, I have found another issue:
>
> rules
> ~~~~~
> SECTION ESTABLISHED
> IELOG(-,fw2NeT,2) $FW net
> ACCEPT $FW net udp
> ACCEPT $FW net tcp
>
> produces this:
>
> -A fw2net -m conntrack --ctstate ESTABLISHED -j LOG --log-tcp-options
> --log-ip-options --log-macdecode --log-tcp-sequence --log-uid --log-level 6
> --log-prefix "Shorewall:fw2NeT::"
> -A fw2net -m conntrack --ctstate ESTABLISHED -j NFLOG --nflog-group 2
> --nflog-range 0 --nflog-threshold 1 --nflog-prefix "Shorewall:fw2NeT::"
> -A fw2net -p 17 -m conntrack --ctstate ESTABLISHED -j ACCEPT
> -A fw2net -p 6 -m conntrack --ctstate ESTABLISHED -j ACCEPT
> -A fw2net -m conntrack --ctstate ESTABLISHED -j ACCEPT
>
> As evident, again, there is no optimisation on the "--cstate" at all. All the
> ESTABLISHED states should have been optimised away in a separate chain with a
> single --cstate match.

I haven't placed ESTABLISHED in its own chain, primarily because I haven't
found a use case for ESTABLISHED rules at all.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
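
The optimisation asked for in the quoted message, sketched as an added example that is not Shorewall's code and not part of either post: a contiguous run of rules in one chain that all carry the same `--ctstate` match is moved into a sub-chain reached through a single matching jump. The function name and the `_estN` sub-chain naming are hypothetical, and the sketch assumes the conntrack match carries no other options.

```python
import re

# The match repeated on every rule generated from SECTION ESTABLISHED.
STATE_MATCH = "-m conntrack --ctstate ESTABLISHED"

# Rules from the quoted message, with the mail client's line wrapping undone.
RULES = [
    '-A fw2net -m conntrack --ctstate ESTABLISHED -j LOG --log-tcp-options --log-ip-options --log-macdecode --log-tcp-sequence --log-uid --log-level 6 --log-prefix "Shorewall:fw2NeT::"',
    '-A fw2net -m conntrack --ctstate ESTABLISHED -j NFLOG --nflog-group 2 --nflog-range 0 --nflog-threshold 1 --nflog-prefix "Shorewall:fw2NeT::"',
    "-A fw2net -p 17 -m conntrack --ctstate ESTABLISHED -j ACCEPT",
    "-A fw2net -p 6 -m conntrack --ctstate ESTABLISHED -j ACCEPT",
    "-A fw2net -m conntrack --ctstate ESTABLISHED -j ACCEPT",
]


def factor_state_match(rules, match=STATE_MATCH, min_run=2):
    """Return (chain declarations, rewritten rules) in iptables-restore syntax."""
    chains, out, i = [], [], 0
    while i < len(rules):
        head = re.match(r"-A (\S+) ", rules[i])
        chain = head.group(1) if head else None
        j = i
        # Extend the run only while rules stay in the same chain and carry the
        # exact match; "ESTABLISHED,RELATED" is a different match and ends it.
        while (chain and j < len(rules)
               and rules[j].startswith(f"-A {chain} ")
               and f" {match} " in rules[j] + " "):
            j += 1
        if j - i < min_run:          # nothing worth factoring at this position
            out.append(rules[i])
            i += 1
            continue
        # One sub-chain per run: merging separate runs would reorder them
        # relative to the parent-chain rules that sit between them.
        sub = f"{chain}_est{len(chains) + 1}"
        chains.append(f":{sub} - [0:0]")
        out.append(f"-A {chain} {match} -j {sub}")
        for rule in rules[i:j]:
            body = rule.replace(f" {match}", "", 1)
            out.append(body.replace(f"-A {chain} ", f"-A {sub} ", 1))
        i = j
    return chains, out


if __name__ == "__main__":
    decls, rewritten = factor_state_match(RULES)
    print("\n".join(decls + rewritten))
```

Because LOG and NFLOG are non-terminating, a packet that reaches the end of the sub-chain returns to `fw2net` after the jump, so the rule order seen by the packet is unchanged.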
