Hey all,

This should be a quick answer to a quick question: Mostly out of
curiosity, I want to add an accounting rule to count all packets that
get Dropped by my Shorewall configuration. Unfortunately, the obvious

COUNT Drop

rule added to the accounting file doesn't work: I get the following error:

iptables: Chain already exists
ERROR: Command "/sbin/iptables -N Drop" Failed

It seems that by adding that accounting rule, Shorewall is now trying to
create the Drop chain? Why isn't it just adding the necessary accounting
rules to the Drop chain, as it already exists by default? What am I
doing wrong here?

Thanks,
Travis
--
"The reader is entertained by the journey of another, but the writer is
the changer of worlds." - D'ni Proverb
0100111001000101010100100100010000100001

------------------------------------------------------------------------------
This SF.net email is sponsored by: SourcForge Community
SourceForge wants to tell your story.
http://p.sf.net/sfu/sf-spreadtheword
Travis Veazey wrote:
> Hey all,
>
> This should be a quick answer to a quick question: Mostly out of
> curiosity, I want to add an accounting rule to count all packets that
> get Dropped by my Shorewall configuration. Unfortunately, the obvious
>
> COUNT Drop
>
> rule added to the accounting file doesn't work: I get the following error:
>
> iptables: Chain already exists
> ERROR: Command "/sbin/iptables -N Drop" Failed
>
> It seems that by adding that accounting rule, Shorewall is now trying to
> create the Drop chain? Why isn't it just adding the necessary accounting
> rules to the Drop chain, as it already exists by default? What am I
> doing wrong here?

The Shorewall accounting file does not provide a way to add rules to
arbitrary chains. And, as you've discovered, Shorewall-shell (or
possibly an ancient version of Shorewall) isn't particularly friendly
about reminding you of the fact.

If you want to add a dummy counting rule to the front of the Drop chain,
add this to your /etc/shorewall/start file:

run_iptables -I Drop
Shorewall Guy wrote:
>
> The Shorewall accounting file does not provide a way to add rules to
> arbitrary chains. And, as you've discovered, Shorewall-shell (or
> possibly an ancient version of Shorewall) isn't particularly friendly
> about reminding you of the fact.
>
> If you want to add a dummy counting rule to the front of the Drop chain,
> add this to your /etc/shorewall/start file:
>
> run_iptables -I Drop

In Shorewall-perl 4.2.6, we will support a COUNT action. This action may
be used in action bodies, macro bodies and in the rules file. COUNT
creates a rule with no target so it simply counts the packets that match
the rule.

Note that placing a no-target rule at the front of the Drop chain will
only count packets dropped *by DROP policies*; packets dropped by DROP
rules will not be counted. Nevertheless, it seemed like what you were
trying to count was generally useful enough that I've added COUNT rules
to the top of both action.Drop and action.Reject. These rules will be
simply ignored by the Shorewall-shell compiler.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
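Putting the suggestion in this thread to use, as an added example that is not part of the thread or of Shorewall itself: the one-line /etc/shorewall/start entry, plus a small POSIX shell helper (my own, not a Shorewall tool) that reads the no-target rule's packet counter back out of an iptables listing. The sample listing is constructed, and the helper assumes the counting rule is the first rule in the chain, which is what `run_iptables -I Drop` (insert at position 1) gives you.

```shell
#!/bin/sh
# Added example, not from the thread: count packets reaching the Drop
# chain with a no-target rule, then read that counter back.
#
# The line to put in /etc/shorewall/start, exactly as suggested above:
#   run_iptables -I Drop
# A rule with no target matches every packet and does nothing but count.
# As Tom notes, at the front of the Drop chain this only sees packets
# that reach the chain, i.e. those dropped by DROP policies; packets
# dropped by explicit DROP rules elsewhere never enter this chain.

# Print the packet counter of the first rule of a chain, reading the
# output of `iptables -vnx -L <chain>` on stdin. -x prints exact
# counters (no K/M suffixes), so the value is safe to compare numerically.
first_rule_packets() {
    # Line 1 is the "Chain ..." header, line 2 the column headers; the
    # first non-empty line after that is rule 1 and field 1 is pkts.
    awk 'NR > 2 && NF { print $1; exit }'
}

# Live use on the firewall host (not run here):
#   iptables -vnx -L Drop | first_rule_packets

# Constructed sample listing of the Drop chain after the insert; rule 1
# has an empty target column because it is the counting rule.
SAMPLE_DROP_LISTING='Chain Drop (2 references)
    pkts      bytes target     prot opt in     out     source               destination
    4711   311246            all  --  *      *       0.0.0.0/0            0.0.0.0/0
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:113
'

# Wrapper over the constructed sample so the helper can be exercised
# without a firewall present.
count_dropped_by_policy() {
    printf '%s' "$SAMPLE_DROP_LISTING" | first_rule_packets
}
```

Run the same pipeline periodically (or diff two readings) to turn the counter into a rate; the counter resets whenever Shorewall is restarted, since the chains are rebuilt.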