On 04/20/2013 11:57 AM, Dash Four wrote:
> 
>> Why does it have to be a separate set of chains? If you are using
>> nfacct, why not just bump the accounting objects in the rules chains?
>>   
> Because of the connection state.
> 
> Most (if not all) of the rules present in "rules" depend on or are 
> executed only when a certain connection state matches. So if I just 
> include the nfacct object as part of the original rules (in "rules") as 
> you suggest, then I am only going to count packets in the state in which 
> that particular SECTION operates, which is, obviously, not what counts 
> (pun intended). Even if I use SECTION ALL rules, then I have to 
> duplicate (and maintain) stuff there as well.

What if we simply add a new NFACCT column to the POLICY file to name the
counter you want to use for traffic between the specified pair of zones?
The compiler could then insert an nfacct match rule as the first entry
in the corresponding rules chain.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Attachment: signature.asc
Description: OpenPGP digital signature
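To make the proposal concrete: the sketch below is an added illustration, not Shorewall code and not anything Tom or Dash Four posted. It mocks up what a compiler would emit if the POLICY file carried a trailing NFACCT column: declare each counter once with `nfacct add`, then insert a target-less `-m nfacct` match at position 1 of the zone-pair chain, ahead of every state-dependent rule, so every packet traversing that chain bumps the counter regardless of conntrack state. The POLICY content, the `fw`/`net`/`loc` zone list, and the `all` expansion (skipping same-zone pairs) are constructed assumptions; the `zone12zone2` chain naming follows Shorewall's default ZONE2ZONE separator.

```python
"""Mock of the proposed NFACCT column: turn POLICY entries into nfacct/iptables commands.

Illustration only; this is not Shorewall's compiler and the NFACCT column
does not exist in real Shorewall POLICY files.
"""
from typing import Dict, List, Tuple

# Constructed sample POLICY file with a hypothetical trailing NFACCT column.
SAMPLE_POLICY = """\
#SOURCE  DEST  POLICY  LOG   BURST  CONNLIMIT  NFACCT
loc      net   ACCEPT  -     -      -          loc-to-net
net      all   DROP    info  -      -          inbound-dropped
all      all   REJECT  info
"""

ZONES = ["fw", "net", "loc"]   # assumed zone list for expanding "all"
SEP = "2"                      # Shorewall's default ZONE2ZONE separator: loc2net
NFACCT_NAME_MAX = 32           # assumed limit, from NFACCT_NAME_MAX in the kernel uapi header

COLUMNS = ["source", "dest", "policy", "log", "burst", "connlimit", "nfacct"]


def parse_policy(text: str) -> List[Dict[str, str]]:
    """Parse whitespace-separated POLICY lines; missing trailing columns become '-'."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and the header line
        if not line:
            continue
        entry = dict(zip(COLUMNS, line.split()))
        for col in COLUMNS:
            entry.setdefault(col, "-")
        entries.append(entry)
    return entries


def expand_pair(src: str, dst: str, zones: List[str]) -> List[Tuple[str, str]]:
    """Expand 'all' in either column over the zone list, skipping same-zone pairs."""
    srcs = zones if src == "all" else [src]
    dsts = zones if dst == "all" else [dst]
    return [(s, d) for s in srcs for d in dsts if s != d]


def generate_nfacct_rules(text: str, zones: List[str] = ZONES, sep: str = SEP) -> List[str]:
    """Emit 'nfacct add' for each named counter and an accounting match at the
    head of each zone-pair chain. As in Shorewall, the first POLICY entry that
    covers a zone pair claims that pair; later entries do not touch it."""
    cmds: List[str] = []
    declared = set()   # counters already created
    claimed = set()    # zone-pair chains already assigned a policy
    for entry in parse_policy(text):
        name = entry["nfacct"]
        for s, d in expand_pair(entry["source"], entry["dest"], zones):
            chain = f"{s}{sep}{d}"
            if chain in claimed:
                continue
            claimed.add(chain)
            if name == "-":
                continue            # policy without accounting
            if len(name) > NFACCT_NAME_MAX:
                raise ValueError(f"nfacct name too long: {name!r}")
            if name not in declared:
                declared.add(name)
                cmds.append(f"nfacct add {name}")
            # Position 1 and no -j target: every packet entering the chain is
            # counted, in any conntrack state, then continues to the real rules.
            cmds.append(f"iptables -I {chain} 1 -m nfacct --nfacct-name {name}")
    return cmds


if __name__ == "__main__":
    for cmd in generate_nfacct_rules(SAMPLE_POLICY):
        print(cmd)
```

Reading the counters afterwards is just `nfacct list`, or `nfacct get loc-to-net`. Because the match is inserted at position 1, one counter object per zone pair covers every state the rules in that chain later branch on, which is the duplication the quoted reply wanted to avoid.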

_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel