Tom Eastep wrote:
> On Jun 1, 2013, at 12:45 PM, Tom Eastep <[email protected]> wrote:
>
>> The rules generated by SFLOG are:
>>
>> NF-(A)-> filter:SFLOG:1 -A SFLOG -m condition
>> --condition SFLOG_log_test_related -j ACCEPT
>> NF-(A)-> filter:SFLOG:2 -A SFLOG -j ACCEPT
>>
>> Given that the chain ends in an unconditional '-J ACCEPT', the preceding
>> rule is optimized away since the packet will be ACCEPTed regardless of
>> whether the condition matches. Further optimization compiles the -m set
>> match with -j ACCEPT and the SFLOG rule is deleted.
>>
>
> The attached patch prevents this type of optimization of rules containing an
> nfacct match.

I've just reverted to the previous release as the "shorewall experience" of this one is not even beta quality for me - truly appalling.
_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
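A simplified model of the optimization discussed in this thread, as an added example (not Shorewall's code and not the attached patch): trailing rules whose target equals the chain's final unconditional jump are dropped, unless they carry a match with side effects such as nfacct. The function names, the `ACCT` chain and the nfacct object name `web` are constructed for illustration; the `SFLOG` rules are the ones quoted above.

```python
import shlex

# Matches that change state when evaluated, even if the verdict is unchanged.
# nfacct (per-object packet/byte counters) is the one named in the thread.
SIDE_EFFECT_MATCHES = {"nfacct"}

def parse_rule(rule):
    """Return (match module names, jump target) for an iptables-style rule."""
    tokens = shlex.split(rule)
    matches = [tokens[i + 1] for i, t in enumerate(tokens[:-1]) if t == "-m"]
    target = next((tokens[i + 1] for i, t in enumerate(tokens[:-1]) if t == "-j"), None)
    return matches, target

def optimize_chain(chain, rules, preserve_side_effects=True):
    """Drop trailing rules made redundant by a final unconditional jump."""
    if not rules:
        return []
    last = shlex.split(rules[-1])
    if len(last) != 4 or last[:3] != ["-A", chain, "-j"]:
        return list(rules)          # chain does not end unconditionally
    final_target = last[3]
    keep_until = len(rules) - 1     # index of the final rule
    while keep_until > 0:
        matches, target = parse_rule(rules[keep_until - 1])
        if target != final_target:
            break                   # different verdict: order matters from here up
        if preserve_side_effects and SIDE_EFFECT_MATCHES & set(matches):
            break                   # the counter must still see the packet
        keep_until -= 1
    return list(rules[:keep_until]) + [rules[-1]]

# Rules quoted in the thread.
SFLOG_RULES = [
    "-A SFLOG -m condition --condition SFLOG_log_test_related -j ACCEPT",
    "-A SFLOG -j ACCEPT",
]
# Constructed chain with an accounting rule.
ACCT_RULES = [
    "-A ACCT -p tcp --dport 22 -j ACCEPT",
    "-A ACCT -m nfacct --nfacct-name web -j ACCEPT",
    "-A ACCT -j ACCEPT",
]

if __name__ == "__main__":
    print(optimize_chain("SFLOG", SFLOG_RULES))
    print(optimize_chain("ACCT", ACCT_RULES, preserve_side_effects=False))
    print(optimize_chain("ACCT", ACCT_RULES))
```

With the guard enabled, the rule above the nfacct rule is kept as well: dropping it would send its packets on to the counter and change what gets accounted.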
