On 4/21/13 7:18 PM, "Dash Four" <[email protected]> wrote:

> Dash Four wrote:
> > The idea is very simple, although I admit the implementation of it
> > might be a bit challenging: when I have a bunch of "important" rules
> > in "rules", which I need counted towards traffic, I'd like to simply
> > add an nfacct object name, using the same set of rules specified in a
> > particular "rules" statement to count packets/bytes, but with 2 very
> > important exceptions:
> >
> > 1. The state of that accounting rule must be ignored (so that I always
> > count packets/bytes, regardless of what state that connection is in,
> > although using the same constraints - understand matches - I used to
> > construct the original "rules" rule); and
> > 2. That accounting rule needs to satisfy the same chain conditions for
> > which the original "rules" rule was specified.
>
> That's not as easy as I thought it would be - the rules in "rules"
> describe one part of the connection, as the opposite part is usually
> accepted as the cstate is ESTABLISHED. What that means in practice is,
> if the above is to be implemented, then it has to apply to both sides of
> the connection, reversing the matches, and I think that is a bridge too
> far - I don't know how it could be done!

Yep -- I had already realized that. I'm not sure that I could ever get
that right...

-Tom

You do not need a parachute to skydive.
You only need a parachute to skydive twice.

_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
