Tom Eastep wrote:
> On 04/20/2013 12:10 PM, Tom Eastep wrote:
>
>> What if we simply add a new NFACCT column to the POLICY file to name the
>> counter you want to use for traffic between the specified pair of zones?
>> The compiler could then insert an nfacct match rule as the first entry
>> in the corresponding rules chain.
>>
>
> I guess that you want finer-grained accounting than that?
>

I am not sure I understand you, Tom.
The idea is very simple, although I admit the implementation of it might be a bit challenging: when I have a bunch of "important" rules in "rules", which I need counted towards traffic, I'd like to simply add an nfacct object name, using the same set of rules specified in a particular "rules" statement to count packets/bytes, but with 2 very important exceptions:

1. The state of that accounting rule must be ignored (so that I always count packets/bytes, regardless of what state that connection is in, although using the same constraints - understand matches - I used to construct the original "rules" rule); and

2. That accounting rule needs to satisfy the same chain conditions for which the original "rules" rule was specified.

I'll use the example I gave earlier to better illustrate my point:

rules
~~~~~
SECTION NEW
#ACTION   SOURCE   DEST             [... other columns ...]   NFACCT [...]
ACCEPT    net      $FW:+web-ports   [... other columns ...]   web

The above will produce an iptables rule which will only be executed when the state of the connection is NEW. In other words, the above statement will be translated by shorewall to:

-A net2fw -m set --match-set web-ports dst

What I'd also like to have (which is indicated by the word "web" present in the NFACCT column above) is to have the "same" rule applied in order to count bytes/packets for the "web" nfacct object. In other words, by including "web" in the NFACCT column, to ask shorewall to produce the following rule:

-A net2fw -m set --match-set web-ports src -m nfacct --nfacct-name web

The above statement *must* use the same chain structure I used in "rules": INPUT -> net2fw (with the possible exception that the chain could be INPUT -> accountin -> net2fw if that is more desirable) so that "net2fw" is traversed only when the "net" zone interface is hit - exactly the same as in "net2fw" in rules.
That way, by only specifying the accounting object name in the "new" NFACCT column as part of my "rules", I'll save myself the horror of having to "clone" (and further maintain) about 80% of my accounting rules, which would be of great benefit, obviously.

_______________________________________________
Shorewall-devel mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
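A small prototype of the column-driven translation proposed in this thread, added here as an illustration; it is not Shorewall's compiler and not code from the thread. It assumes a simplified six-column rules layout (ACTION SOURCE DEST PROTO DPORT NFACCT, "-" for unused columns), models SECTION NEW as a conntrack state match, keeps the ACCEPT rule's "dst" ipset direction for the counting rule, and emits the non-terminating nfacct rule before the terminating target so that it sees every packet the chain is asked about.

```python
"""Prototype of the NFACCT-column idea: one 'rules' line yields the stateful
ACCEPT rule plus a stateless nfacct counting rule in the same zone chain.
Assumed column layout (constructed for this example, not Shorewall's):
ACTION SOURCE DEST PROTO DPORT NFACCT"""
from __future__ import annotations

COLUMNS = ("action", "source", "dest", "proto", "dport", "nfacct")


def zone_name(token: str) -> str:
    """'$FW' is the firewall zone, which appears as 'fw' in chain names."""
    return "fw" if token == "$FW" else token


def parse_endpoint(token: str, direction: str) -> tuple[str, list[str]]:
    """Split 'zone:+setname' into the zone and an ipset match on that side."""
    zone, _, qualifier = token.partition(":")
    matches: list[str] = []
    if qualifier.startswith("+"):
        matches += ["-m", "set", "--match-set", qualifier[1:], direction]
    return zone_name(zone), matches


def compile_rule(line: str, section: str = "NEW") -> list[str]:
    """Return the iptables rule(s) for one rules-file line."""
    fields = dict(zip(COLUMNS, line.split()))
    src_zone, src_match = parse_endpoint(fields["source"], "src")
    dst_zone, dst_match = parse_endpoint(fields["dest"], "dst")
    chain = f"{src_zone}2{dst_zone}"          # e.g. net2fw
    common = src_match + dst_match            # matches shared by both rules
    if fields.get("proto", "-") != "-":
        common += ["-p", fields["proto"]]
    if fields.get("dport", "-") != "-":
        common += ["--dport", fields["dport"]]
    rules: list[str] = []
    # Accounting rule: same chain and matches, no state match. It goes first
    # because the ACCEPT/DROP target ends traversal of the chain.
    if fields.get("nfacct", "-") != "-":
        counter = ["-m", "nfacct", "--nfacct-name", fields["nfacct"]]
        rules.append(" ".join(["-A", chain] + common + counter))
    state = [] if section == "ALL" else ["-m", "conntrack", "--ctstate", section]
    rules.append(" ".join(["-A", chain] + common + state + ["-j", fields["action"]]))
    return rules


if __name__ == "__main__":
    for r in compile_rule("ACCEPT net $FW:+web-ports - - web"):
        print(r)
```

The nfacct object itself (here "web") still has to exist before the rule is loaded, so a real compiler would also emit the corresponding nfacct object creation.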
