Tom Eastep wrote:
> I've uploaded Beta 6 for testing.
>
> Problem Corrected update:
>
> 1) Previously, NFACCT accounting rules generated iptables rules with
>    the matches in the incorrect order. That caused the counters to be
>    incremented before all of the matches had been checked. Now, the
>    counter in an NFACCT rule is incremented only if all of the other
>    matches have been successful.
>
>    To allow an nfobject to be incremented unconditionally, you may
>    follow the closing parenthesis with '!' (e.g., NFACCT(all)!). When
>    '!' is omitted, the object is incremented only if all of the rule's
>    matches succeed.
>
>    "!" is useful in the following rule:
>
>    NFACCT(all) - +fooset[src] +barset[dst](foobar)
>
>    In this rule, the 'all' nfacct counter is incremented
>    unconditionally while the foobar counter is only incremented if
>    the packet SOURCE address is in fooset and the DEST address is in
>    barset.

This looks pretty good - with and without "!"...
> New Features:
>
> 1) The INLINE action is also supported in the accounting file. INLINE
>    is treated the same as COUNT with the exception that the freeform
>    iptables input following the ';' is appended to any matches
>    generated by the column contents. In the accounting file, INLINE
>    does not accept a parameter.

... and so does this, though I'll give it a more thorough look tomorrow night.

> This change will cause the order of matches in iptables rules to be
> different from in previous releases. Please report any
> differences that you find that are not simple match reorderings.

OK, the main thing I've found so far is that shorewall does not touch the order of statements after ";" this time (compared to "rules"), so if I specify "INLINE ; -m nfacct --nfacct-name test -p 6 -m set --match-set test src --dport 1234" that passes as-is (that, obviously, won't pass iptables, but I am pleased that the order is preserved in whatever I throw after ";").

_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
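The ordering problem the thread is about comes down to how iptables evaluates a rule: matches run left to right, the first failing match ends the rule, and the nfacct match always succeeds and bumps its object the moment it is reached. A counter placed at the head of the rule is therefore incremented for every packet that reaches the chain, not only for packets the rest of the rule selects. The following Python is an added example, not Shorewall or iptables code: it models those semantics over the match fragments from the thread and shows how the pre-Beta-6 order, the Beta 6 order, the NFACCT(all)!/foobar combination, and the INLINE fragment (which keeps the counter first, as typed) each behave. The ipset names fooset, barset and test, their contents, and all packets are constructed for the example.

```python
"""Model of iptables match evaluation with xt_nfacct counters.

Added example, not Shorewall or iptables code. It assumes the usual
iptables semantics: a rule's matches are evaluated in the order given,
evaluation stops at the first failing match, and the nfacct match always
succeeds and increments its object when it is reached. The ipset names
and contents and all packet addresses below are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    dport: int


# Constructed ipsets standing in for the sets named in the thread.
IPSETS = {
    "fooset": {"10.0.0.5", "10.0.0.6"},
    "barset": {"192.0.2.10"},
    "test": {"10.0.0.5"},
}

# A match sees the packet and the nfacct counter table; nfacct is the
# only match with a side effect.
Match = Callable[[Packet, Dict[str, int]], bool]


def m_proto(n: int) -> Match:
    return lambda p, _c: p.proto == n


def m_set(name: str, flag: str) -> Match:
    return lambda p, _c: (p.src if flag == "src" else p.dst) in IPSETS[name]


def m_dport(n: int) -> Match:
    return lambda p, _c: p.dport == n


def m_nfacct(name: str) -> Match:
    def f(p: Packet, counters: Dict[str, int]) -> bool:
        counters[name] = counters.get(name, 0) + 1  # counted when reached
        return True                                  # never fails
    return f


def parse_matches(text: str) -> List[Match]:
    """Turn an iptables match fragment into matches, preserving order.
    Only the options used in the thread are understood."""
    toks = text.split()
    out: List[Match] = []
    i = 0
    while i < len(toks):
        if toks[i:i + 3] == ["-m", "nfacct", "--nfacct-name"]:
            out.append(m_nfacct(toks[i + 3])); i += 4
        elif toks[i:i + 3] == ["-m", "set", "--match-set"]:
            out.append(m_set(toks[i + 3], toks[i + 4])); i += 5
        elif toks[i] == "-p":
            proto = toks[i + 1]
            out.append(m_proto(int(proto) if proto.isdigit()
                               else {"tcp": 6, "udp": 17}[proto])); i += 2
        elif toks[i] == "--dport":
            out.append(m_dport(int(toks[i + 1]))); i += 2
        else:
            raise ValueError(f"unsupported token {toks[i]!r}")
    return out


def run(rule: List[Match], packets: List[Packet]) -> Dict[str, int]:
    """Evaluate one rule over packets; return the nfacct counters."""
    counters: Dict[str, int] = {}
    for pkt in packets:
        for m in rule:
            if not m(pkt, counters):
                break  # first failing match ends the rule for this packet
    return counters


# Constructed traffic: two packets fully inside fooset/barset, one with
# only the source in fooset, one with only the destination in barset.
PACKETS = [
    Packet(6, "10.0.0.5", "192.0.2.10", 1234),
    Packet(6, "10.0.0.6", "192.0.2.10", 1234),
    Packet(6, "10.0.0.5", "198.51.100.1", 1234),
    Packet(17, "172.16.0.1", "192.0.2.10", 53),
]

# Counter ahead of the other matches (the pre-Beta-6 order).
OLD_ORDER = ("-m nfacct --nfacct-name foobar "
             "-m set --match-set fooset src -m set --match-set barset dst")
# Counter after the other matches (the Beta 6 order).
NEW_ORDER = ("-m set --match-set fooset src -m set --match-set barset dst "
             "-m nfacct --nfacct-name foobar")
# 'all' unconditional at the head, 'foobar' conditional at the tail.
BOTH = ("-m nfacct --nfacct-name all "
        "-m set --match-set fooset src -m set --match-set barset dst "
        "-m nfacct --nfacct-name foobar")
# The reply's INLINE fragment, verbatim; its order is kept as typed.
INLINE = "-m nfacct --nfacct-name test -p 6 -m set --match-set test src --dport 1234"

if __name__ == "__main__":
    for label, text in [("old", OLD_ORDER), ("new", NEW_ORDER),
                        ("both", BOTH), ("inline", INLINE)]:
        print(label, run(parse_matches(text), PACKETS))
```

With the counter first, foobar is incremented for all four constructed packets; with it last, only for the two that are in both sets, which is the Beta 6 behaviour Tom describes. The INLINE fragment from the reply also counts every packet, because the nfacct match is the first thing after the ';' and nothing is reordered around it.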
