Tom Eastep wrote:
> I've uploaded Beta 6 for testing.
>
> Problem Corrected update:
>
> 1) Previously, NFACCT accounting rules generated iptables rules with
> the matches in the incorrect order. That caused the counters to be
> incremented before all of the matches had been checked. Now, the
> counter in an NFACCT rule is incremented only if all of the other
> matches have been successful.
>
> To allow a nfobject to be incremented unconditionally, you may
> follow the closing parenthesis with '!' (e.g., NFACCT(all)!). When
> '!' is omitted, the object is incremented only if all of the rule's
> matches succeed.
>
> "!" is useful in the following rule:
>
> NFACCT(all) - +fooset[src] +barset[dst](foobar)
>
> In this rule, the 'all' nfacct counter is incremented
> unconditionally while the foobar counter is only incremented if
> the packet SOURCE address is in fooset and the DEST address is in
> barset.
>
There is no "!" after NFACCT(all).

> New Features:
>
> 1) The INLINE action is also supported in the accounting file. INLINE
> is treated the same as COUNT with the exception that the freeform
> iptables input following the ';' is appended to any matches
> generated by the column contents. In the accounting file, INLINE
> does not accept a parameter.
>
Is there an "automatic" addition of nfacct objects implemented in INLINE
("nfacct add <obj>")? For example:

    INLINE ; -m nfacct --nfacct-name test

With the above, do I have to manually add "test" or is there some magic
shorewall could do to automate that?

> This change will cause the order of matches in iptables rules to be
> different from that in previous releases. Please report any
> differences that you find that are not simple match reorderings.
>
I'll have more time to test this, if not later on, then tomorrow.
_______________________________________________
Shorewall-devel mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
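
Added example, not part of the original message and not Shorewall or netfilter code: a small Python model of the match-ordering problem described in the announcement, where an nfacct match counts a packet as soon as it is evaluated, so its position relative to the other matches decides what gets counted. The addresses, packets, the `acct` object name and the match order used for the `all`/`foobar` rule are assumptions made for illustration.

```python
# Toy model only: not Shorewall or netfilter code. Set names come from the
# message; addresses, packets and the 'acct' object name are constructed.
import ipaddress

def in_set(field, cidr):
    """Model of an ipset match: a pure test with no side effect."""
    net = ipaddress.ip_network(cidr)
    return lambda pkt, counters: ipaddress.ip_address(pkt[field]) in net

def nfacct(name):
    """Model of '-m nfacct --nfacct-name NAME': always matches, and counts
    the packet as a side effect of being evaluated at all."""
    def match(pkt, counters):
        counters[name] = counters.get(name, 0) + 1
        return True
    return match

def run_rule(matches, packets):
    """Evaluate matches left to right per packet, stopping at the first miss."""
    counters = {}
    for pkt in packets:
        all(m(pkt, counters) for m in matches)  # all() short-circuits
    return counters

FOOSET = in_set("src", "10.0.0.0/24")    # stands in for +fooset[src]
BARSET = in_set("dst", "192.0.2.0/24")   # stands in for +barset[dst]

PACKETS = [  # constructed sample traffic
    {"src": "10.0.0.5",   "dst": "192.0.2.10"},    # in both sets
    {"src": "10.0.0.6",   "dst": "198.51.100.1"},  # source only
    {"src": "172.16.0.1", "dst": "192.0.2.10"},    # destination only
    {"src": "172.16.0.2", "dst": "198.51.100.2"},  # neither
]

def demo():
    return {
        # Pre-fix ordering: nfacct match ahead of the set matches.
        "nfacct_first": run_rule([nfacct("acct"), FOOSET, BARSET], PACKETS),
        # Corrected ordering: nfacct match evaluated last.
        "nfacct_last": run_rule([FOOSET, BARSET, nfacct("acct")], PACKETS),
        # Assumed ordering for NFACCT(all)! with +barset[dst](foobar).
        "all_and_foobar": run_rule(
            [nfacct("all"), FOOSET, BARSET, nfacct("foobar")], PACKETS),
    }

if __name__ == "__main__":
    for label, counters in demo().items():
        print(label, counters)
```

With the nfacct match first, all four sample packets are counted even though only one satisfies both set matches; with it last, only that one packet is counted.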