Accounting issue (was: Re: [Shorewall-users] More about Accounting)

Tom Eastep teastep at shorewall.net
Mon Aug 11 18:09:32 PDT 2003


On Mon, 2003-08-11 at 09:45, kb wrote:
> [ Sorry for cross-posting. This should be on the dev list, but I am not
> subscribed to that list -- but curious about comments. ;) ]
> 
> 
> 
> First of all: Thanks again to Tom for this great new feature and his
> help debugging. :-)
> 
> 
> While playing around a little bit with this new feature I encountered a
> minor issue:
> 
> DONE            # does not work
> DONE - - - - -  # works
> 
> (In fact, the newline followed directly after the last char of the rule,
> no unnecessary whitespace added.)
> 
> According to the docs, trailing 'any's can be omitted. [1]  This works
> at least for the last 3 of them, as I tested. Omitting all 5 optional
> values results in shorewall starting without(!) any error, not notifying
> about the created chain -- and indeed the chain does not exist.

In my test, I get this:

Deleting user chains...
Setting up Accounting...
   Warning: Invalid Accounting rule DONE
Restoring dynamic rules...

I try to give warnings in the accounting code rather than errors since
omissions in the accounting rules don't represent potential security
holes.

I suppose that the simplest thing to do is just allow the degenerate
rules "DONE" and "COUNT".
> 
>  karsten
> 
> 
> [1]  This is not mentioned in the docs, but the examples are omitting
> them if not needed.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net


