On Jun 1, 2013, at 3:36 PM, Dash Four <[email protected]> wrote:
> > Tom Eastep wrote: >> On Jun 1, 2013, at 12:45 PM, Tom Eastep <[email protected]> wrote: >> >> >>> The rules generated by SFLOG are: >>> >>> NF-(A)-> filter:SFLOG:1 -A SFLOG -m condition >>> --condition SFLOG_log_test_related -j ACCEPT >>> NF-(A)-> filter:SFLOG:2 -A SFLOG -j ACCEPT >>> >>> Given that the chain ends in an unconditional '-J ACCEPT', the preceding >>> rule is optimized away since the packet will be ACCEPTed regardless of >>> whether the condition matches. Further optimization compiles the -m set >>> match with -j ACCEPT and the SFLOG rule is deleted. >>> >> >> The attached patch prevents this type of optimization of rules containing an >> nfacct match. >> > I've just reverted to the previous release as the "shorewall experience" > of this one is not even beta quality for me - truly appalling. Certainly your choice, but with the exception of the spurious warning messages, you have reported nothing that was introduced in this release that I plan on changing. The behavior I describe above, for example, is present in several prior releases. -Tom Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________ ------------------------------------------------------------------------------ Get 100% visibility into Java/.NET code with AppDynamics Lite It's a free troubleshooting tool designed for production Get down to code-level detail for bottlenecks, with <2% overhead. Download for free and get started troubleshooting in minutes. http://p.sf.net/sfu/appdyn_d2d_ap2 _______________________________________________ Shorewall-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-devel
