Are ipsets implemented in "accounting"? According to the man page that isn''t the case. If so, would it be possible for this to be added? Also, currently only interface-based accounting is possible. Was there any reason for doing this instead of using zones as is the case everywhere else? Is it possible for zones to be introduced in "accounting"? One last query regarding this: provided I use ACCOUNTING_TABLE=mangle, the way I understand it I could use either PREROUTING, INPUT, OUTPUT, FORWARD and POSTROUTING sections (with no chain specified) or no sections and the chain specified as one of accountin, accountout, accountfwd, accountpre and accountpost, but I cannot mix-and-match (in other words, use accountpost chain in PREROUTING section) is that correct? ------------------------------------------------------------------------------ Everyone hates slow websites. So do we. Make your web apps faster with AppDynamics Download AppDynamics Lite for free today: http://p.sf.net/sfu/appdyn_d2d_jan
On 02/02/2013 05:59 PM, Mr Dash Four wrote:> Are ipsets implemented in "accounting"? According to the man page > that isn''t the case. If so, would it be possible for this to be > added?ipsets are already supported.> > Also, currently only interface-based accounting is possible. Was > there any reason for doing this instead of using zones as is the case > everywhere else?Zones are security-oriented objects. So for uses which don''t deal with traffic authorization, zones aren''t supported. Plus the cost of adding zone support to one of the files is high. Is it possible for zones to be introduced in "accounting"? Possible, but I really don''t want to do it.> > One last query regarding this: provided I use > ACCOUNTING_TABLE=mangle, the way I understand it I could use either > PREROUTING, INPUT, OUTPUT, FORWARD and POSTROUTING sections (with no > chain specified) or no sections and the chain specified as one of > accountin, accountout, accountfwd, accountpre and accountpost, but I > cannot mix-and-match (in other words, use accountpost chain in > PREROUTING section) is that correct?No. When the file is sectioned, the default chain (when ''-'' appears in the CHAIN column) are accountin, accountout, ....; but you can still specify them explicitly if you choose. I don''t recommend an un-sectioned accounting file. -Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________ ------------------------------------------------------------------------------ Everyone hates slow websites. So do we. Make your web apps faster with AppDynamics Download AppDynamics Lite for free today: http://p.sf.net/sfu/appdyn_d2d_jan
> Is it possible for zones to be introduced in "accounting"? > > Possible, but I really don''t want to do it. >Fair enough. I am planning a major overhaul of my accounting (which has been in place - more or less untouched - since 4.3) and will use zones (which often include more than one interface), but I guess if I employ nfacct and use the same target for all interfaces from a particular zone the end result will be the same, so no biggie.> No. When the file is sectioned, the default chain (when ''-'' appears in > the CHAIN column) are accountin, accountout, ....; but you can still > specify them explicitly if you choose. > > I don''t recommend an un-sectioned accounting file. >Got it, thanks! Out of interest - why did you introduce sections when one could use different chains in a particular section, which defeats the purpose of using sections a bit? ------------------------------------------------------------------------------ Everyone hates slow websites. So do we. Make your web apps faster with AppDynamics Download AppDynamics Lite for free today: http://p.sf.net/sfu/appdyn_d2d_jan