On 04/19/2013 09:51 AM, Tom Eastep wrote:
> On 04/18/2013 04:47 PM, Dash Four wrote:
>
>>> Let me think about it a while...
>>>
>> No problem, take your time - I know it isn't straight-forward, but I
>> think it would be worth it in the end as there is a lot to be gained,
>> certainly from a performance point of view.
>
> The attached small patch allows for incrementing an nfacct counter when
> an IPSET is match.
>
> For some time, the following has been supported:
>
> +"["{<set>["["<src-dst-list>"]"]}[,...]"]"
>
> where "[" and "]" are square brackets while [ and ] are meta-symbols.
>
> The new syntax is:
>
> +"["{<set>["["<src-dst-list>"]"][(<nfacct-object-list>)]}[,...]"]"
>
>
> Your original rule list was:
>
> SECTION INPUT
> NFACCT(all)
> NFACCT(dmz_in) - +dmz-net
>
> SECTION OUTPUT
> NFACCT(all)
> NFACCT(dmz_out) - - +dmz-net
>
> SECTION FORWARD
> NFACCT(all)
> NFACCT(dmz_fwd) - +dmz-net
> NFACCT(dmz_fwd) - - +dmz-net
>
> With this patch, you can now have:
>
> SECTION INPUT
> NFACCT(all) - +[dmz-net(dmz_in)]
>
> SECTION OUTPUT
> NFACCT(all) - - +[dmz-net(dmz_out)]
>
> SECTION FORWARD
> NFACCT(all) - +[dmz-net(dmz_fwd)]
> COUNT - - +[dmz-net(dmz_fwd)]
>
> This set of rules produces:
>
> -A accountfwd -m nfacct --nfacct-name all -m set --match-set dmz-net \
> src -m nfacct --nfacct-name dmz_fwd
> -A accountfwd -m set --match-set dmz-net(dmz_fwd) dst
> -A accountin -m nfacct --nfacct-name all \
> -m set --match-set dmz-net src -m nfacct --nfacct-name dmz_in
> -A accountout -m nfacct --nfacct-name all -m set --match-set \
> dmz-net(dmz_out) dst
>
> One consequence of this patch is that now both 'set' and 'nfacct' go to
> the end of the rule.
>
> Another thing to note is that this feature can be used anywhere that
> ipsets are allowed; it is not restricted to the accounting file.
>
> Finally, the +[....] form must be used;
> +<set>...(<nfacct-object-list>) is not supported.

Please hold off on this for a while -- I just realized that it is
incomplete.

-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
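The expansion described in Tom's message, as an added example (not Shorewall's own Perl compiler): it models accounting-file entries of the form ACTION CHAIN SOURCE DEST, expands the `+[<set>[<src-dst-list>](<nfacct-object-list>),...]` column into `-m set` / `-m nfacct` fragments, and places them at the end of the rule. It assumes the parenthesised nfacct list is stripped from the set name for the dst case exactly as for the src case; the posted dst output still carries it, which is presumably part of what Tom means by "incomplete".

```python
import re

# Added example, not Shorewall's own code: models the accounting-file entries
# from the post (ACTION CHAIN SOURCE DEST), where SOURCE/DEST may use the new
# "+[<set>[<src-dst-list>](<nfacct-object-list>),...]" form.
ENTRY_RE = re.compile(r"^([\w.:-]+)(?:\[([^\]]*)\])?(?:\(([^)]*)\))?$")
ACTION_RE = re.compile(r"^NFACCT\((\w+)\)$")

def split_top_level(text):
    """Split on commas that are not nested inside [...] or (...)."""
    parts, cur, depth = [], [], 0
    for ch in text:
        if ch in "[(":
            depth += 1
        elif ch in "])":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return parts

def ipset_matches(column, default_flag):
    """Expand one +[...] column into '-m set' / '-m nfacct' fragments.
    Assumption: the nfacct list is stripped from the set name for src and
    dst alike. '-' means "any" and yields no match at all."""
    if column == "-":
        return []
    if not (column.startswith("+[") and column.endswith("]")):
        raise ValueError(f"only the +[...] form is supported: {column!r}")
    frags = []
    for entry in split_top_level(column[2:-1]):
        m = ENTRY_RE.match(entry)
        if not m:
            raise ValueError(f"bad ipset entry: {entry!r}")
        name, flags, objs = m.groups()
        frags.append(f"-m set --match-set {name} {flags or default_flag}")
        frags += [f"-m nfacct --nfacct-name {o}" for o in (objs or "").split(",") if o]
    return frags

def build_rule(chain, action, source, dest):
    """Render one entry as an iptables rule: the action's own nfacct match
    first, then the set and per-set nfacct matches at the end of the rule."""
    frags = []
    m = ACTION_RE.match(action)
    if m:
        frags.append(f"-m nfacct --nfacct-name {m.group(1)}")
    frags += ipset_matches(source, "src") + ipset_matches(dest, "dst")
    return f"-A {chain} " + " ".join(frags)
```

`build_rule("accountfwd", "NFACCT(all)", "+[dmz-net(dmz_fwd)]", "-")` reproduces the first FORWARD rule from the post; the unsupported `+<set>(...)` form is rejected with a ValueError.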
_______________________________________________ Shorewall-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-devel
