>> SECTION INPUT
>> NFACCT(all) \
>> NFACCT(marked) - - - - - 12 \
>> NFACCT(admin) - - - - - - root \
>> NFACCT(web) - +web[src,src]
>>
>> The above, if properly "combined" (and, of course, assuming that the "\"
>> symbol activates it) could all be implemented with a single rule:
>>
>> -A accountin -m nfacct --nfacct-name all \
>> -m mark --mark 0xc -m nfacct --nfacct-name marked \
>> -m owner --uid-owner 0 -m nfacct --nfacct-name admin \
>> -m set --match-set web src,src -m nfacct --nfacct-name web
>>
>
> I'll never implement that.
>
It isn't easy, I know.
>> If implementing this isn't possible or very difficult to do (at least
>> for now), I have another possible alternative - implement INLINE in
>> "accounting".
>>
>
> That I can do.
>
I thought it might be a bit easier than the "\" symbol proposition. It will give me more freedom too.

One additional question regarding chains:

The man page says that regardless of whether I use SECTION or not, I can always create a custom chain. So, in order to create a "custom" sub-chain in the INPUT main chain, is the following the correct set of statements to use:

SECTION INPUT
eth0_in - eth0
NFACCT(eth0_in) eth0_in

The aim is to produce the following set of rules:

:eth0_in
-A INPUT -i eth0 -j eth0_in
-A eth0_in -m nfacct --nfacct-name eth0_in

Have I got this right (the end result shown in the iptables rules above is what I am after)?

_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
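Added example, not part of the thread and not Shorewall's code: a small Python check of the rule set the question hopes Shorewall will generate for the custom eth0_in sub-chain. Whether Shorewall really emits exactly those three lines is left open above, so the rule list below is a constructed input that assumes the poster's expectation. The check walks the rules in file order, the way iptables-restore does, and reports any chain that is appended to or jumped to before its ":chain" declaration, plus any nfacct object name that would exceed the kernel's NFACCT_NAME_MAX (32 bytes including the terminating NUL, per nfnetlink_acct.h). A second helper wraps the list in iptables-restore framing, normalising a bare ":eth0_in" to the ":eth0_in - [0:0]" form that iptables-save writes for user-defined chains.

```python
import re

# Constructed input (from the question): the rule set the poster expects
# Shorewall to generate for the accounting-file entries.  The thread does
# not confirm this is what Shorewall emits, so it is an assumption here.
EXPECTED_RULES = [
    ":eth0_in",
    "-A INPUT -i eth0 -j eth0_in",
    "-A eth0_in -m nfacct --nfacct-name eth0_in",
]

BUILTIN_CHAINS = {"INPUT", "OUTPUT", "FORWARD"}        # filter-table built-ins
BUILTIN_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG", "NFLOG"}
NFACCT_NAME_MAX = 32   # NFACCT_NAME_MAX in nfnetlink_acct.h, NUL included


def check_rules(rules):
    """Walk the rules in order, as iptables-restore would, and return a list
    of problems.  An empty list means every chain is declared before any
    rule appends to it or jumps to it, and every nfacct name fits."""
    problems = []
    declared = set(BUILTIN_CHAINS)
    for n, line in enumerate(rules, 1):
        if line.startswith(":"):                    # chain declaration
            declared.add(line[1:].split()[0])
            continue
        m = re.match(r"-A\s+(\S+)(.*)$", line)
        if not m:
            problems.append(f"line {n}: not a chain declaration or -A rule: {line!r}")
            continue
        chain, rest = m.groups()
        if chain not in declared:
            problems.append(f"line {n}: appends to chain {chain!r} before it is declared")
        jump = re.search(r"-j\s+(\S+)", rest)
        if jump and jump.group(1) not in declared | BUILTIN_TARGETS:
            problems.append(f"line {n}: jumps to {jump.group(1)!r} before it is declared")
        acct = re.search(r"--nfacct-name\s+(\S+)", rest)
        if acct and len(acct.group(1)) >= NFACCT_NAME_MAX:
            problems.append(f"line {n}: nfacct name {acct.group(1)!r} is too long")
    return problems


def to_restore_format(rules, table="filter"):
    """Render the rule list as one iptables-restore table block.  A bare
    ':name' declaration becomes ':name - [0:0]', the form iptables-save
    uses for user-defined chains (policy '-', zero counters)."""
    out = [f"*{table}"]
    for line in rules:
        if line.startswith(":") and len(line.split()) == 1:
            line = f"{line} - [0:0]"
        out.append(line)
    out.append("COMMIT")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(to_restore_format(EXPECTED_RULES))
    print("problems:", check_rules(EXPECTED_RULES))
    # Same rules with the declaration moved last: iptables-restore would
    # reject the jump because eth0_in does not exist yet at that point.
    print("problems:", check_rules(EXPECTED_RULES[1:] + EXPECTED_RULES[:1]))
```

The order-sensitivity is the point worth keeping in mind when reading generated rule files: the ":eth0_in" line has to precede both the "-j eth0_in" jump in INPUT and the "-A eth0_in" accounting rule, which is exactly the order the question shows.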
