Dash Four wrote:
> The idea is very simple, although I admit the implementation of it
> might be a bit challenging: when I have a bunch of "important" rules
> in "rules", which I need counted towards traffic, I'd like to simply
> add an nfacct object name, using the same set of rules specified in a
> particular "rules" statement to count packets/bytes, but with 2 very
> important exceptions:
>
> 1. The state of that accounting rule must be ignored (so that I always
> count packets/bytes, regardless of what state that connection is,
> although using the same constraints - understand matches - I used to
> construct the original "rules" rule); and
> 2. That accounting rule needs to satisfy the same chain conditions for
> which the original "rules" rule was specified.

That's not as easy as I thought it would be - the rules in "rules" describe one part of the connection, as the opposite part is usually accepted as the cstate is ESTABLISHED. What that means in practice is, if the above is to be implemented, then it has to apply to both sides of the connection, reversing the matches, and I think that is a bridge too far - I don't know how it could be done!
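To make concrete what "reversing the matches" for the reply direction would involve, here is an added example (not code from the thread or from Shorewall) that mirrors one rule's matches and emits stateless iptables/nfacct counting rules for both zone chains. It assumes Shorewall's <src>2<dst> chain naming (net2fw, fw2net) and plain iptables syntax; the Rule fields and function names are the example's own.

```python
# Added illustration, not Shorewall's code; assumes Shorewall's <src>2<dst>
# zone-chain naming (net2fw, fw2net) and plain iptables + nfacct syntax.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    """A rule reduced to the matches that have a well-defined mirror image."""
    src_zone: str
    dst_zone: str
    proto: Optional[str] = None
    dport: Optional[str] = None
    sport: Optional[str] = None
    src: Optional[str] = None  # source address/network
    dst: Optional[str] = None  # destination address/network

    def chain(self) -> str:
        return f"{self.src_zone}2{self.dst_zone}"

    def mirrored(self) -> "Rule":
        # Reply direction: swap zones, addresses and ports; protocol stays.
        return Rule(self.dst_zone, self.src_zone, self.proto,
                    dport=self.sport, sport=self.dport,
                    src=self.dst, dst=self.src)


def match_args(r: Rule) -> List[str]:
    """iptables match arguments; a port match without -p is rejected here
    because iptables would reject it too."""
    if (r.dport or r.sport) and not r.proto:
        raise ValueError("port match without protocol")
    args: List[str] = []
    for flag, value in (("-s", r.src), ("-d", r.dst), ("-p", r.proto),
                        ("--dport", r.dport), ("--sport", r.sport)):
        if value:
            args += [flag, value]
    return args


def accounting_rules(r: Rule, nfacct: str) -> List[str]:
    """Stateless counting rules for both sides of the connection, each in
    its own zone chain, feeding one nfacct object (no --ctstate match)."""
    cmds = [f"nfacct add {nfacct}"]
    for d in (r, r.mirrored()):
        cmds.append(" ".join(["iptables", "-I", d.chain(), *match_args(d),
                              "-m", "nfacct", "--nfacct-name", nfacct]))
    return cmds


if __name__ == "__main__":
    # Constructed sample: the rule "ACCEPT net $FW tcp 80", counted as "web".
    print("\n".join(accounting_rules(Rule("net", "fw", "tcp", "80"), "web")))
```

Matches with no clean mirror image (interface matches, --syn, TCP flag tests) are deliberately left out of Rule, which is part of why the general case is hard.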
_______________________________________________
Shorewall-devel mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
