On Jun 1, 2013, at 12:45 PM, Tom Eastep <[email protected]> wrote:
>> > > The rules generated by SFLOG are: > > NF-(A)-> filter:SFLOG:1 -A SFLOG -m condition > --condition SFLOG_log_test_related -j ACCEPT > NF-(A)-> filter:SFLOG:2 -A SFLOG -j ACCEPT > > Given that the chain ends in an unconditional '-J ACCEPT', the preceding rule > is optimized away since the packet will be ACCEPTed regardless of whether the > condition matches. Further optimization compiles the -m set match with -j > ACCEPT and the SFLOG rule is deleted. The attached patch prevents this type of optimization of rules containing an nfacct match. -Tom Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________
OPTNFACCT.patch
Description: Binary data
------------------------------------------------------------------------------ Get 100% visibility into Java/.NET code with AppDynamics Lite It's a free troubleshooting tool designed for production Get down to code-level detail for bottlenecks, with <2% overhead. Download for free and get started troubleshooting in minutes. http://p.sf.net/sfu/appdyn_d2d_ap2
_______________________________________________ Shorewall-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-devel
