Accounting issue (was: Re: [Shorewall-users] More about Accounting)

Tom Eastep teastep at
Mon Aug 11 18:09:32 PDT 2003

On Mon, 2003-08-11 at 09:45, kb wrote:
> [ Sorry for cross-posting. This should be on the dev list, but I am not
> subscribed to that list -- but curious about comments. ;) ]
> First of all: Thanks again to Tom for this great new feature and his
> help debugging. :-)
> While playing around a little bit with this new feature I encountered a
> minor issue:
> DONE            # does not work
> DONE - - - - -  # works
> (In fact, the newline followed directly after the last char of the rule,
> no unnecessary whitespace added.)
> According to the docs, trailing 'any's can be omitted. [1]  This works
> at least for the last 3 of them, as I tested. Omitting all 5 optional
> values results in shorewall starting without(!) any error, not notifying
> about the created chain -- and indeed the chain does not exist.

In my test, I get this:

Deleting user chains...
Setting up Accounting...
   Warning: Invalid Accounting rule DONE
Restoring dynamic rules...

I try to give warnings in the accounting code rather than errors since
omissions in the accounting rules don't represent potential security

I suppose that the simplest thing to do is just allow the degenerate
rules "DONE" and "COUNT".
>  karsten
> [1]  This is not mentioned in the docs, but the examples are omitting
> them if not needed.

Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \
Washington USA  \ teastep at
