From: kb <kb...@bl...> - 2003-08-11 17:49:06
> > According to the docs, trailing 'any's can be omitted. [1] This works
> > at least for the last 3 of them, as I tested. Omitting all 5 optional
> > values results in shorewall starting without(!) any error, not notifying
> > about the created chain -- and indeed the chain does not exist.
>
> In my test, I get this:
>
> Deleting user chains...
> Setting up Accounting...
> Warning: Invalid Accounting rule DONE
> Restoring dynamic rules...
Strange, here is my output:

Deleting user chains...
Setting up Accounting...
Creating Interface Chains...

# shorewall show accounting
Shorewall-1.4.6-20030809 Chain accounting at monkey - Mon Aug 11 19:40:09 CEST 2003
Counters reset Mon Aug 11 19:38:39 CEST 2003
iptables: Table does not exist (do you need to insmod?)

Again and for completeness the versions:
Shorewall version is the latest snapshot 1.4.6-20030809, 'firewall'
script is 1.294 from CVS, 'accounting' file is 1.2 from CVS.
And the accounting file *is* in Unix format and has a famous last
line... ;)

The rule "DONE -" works as expected.

> I try to give warnings in the accounting code rather than errors since
> omissions in the accounting rules don't represent potential security
> holes.
Sure, understand that. Apart from not seeing any warning here...

> I suppose that the simplest thing to do is just allow the degenerate
> rules "DONE" and "COUNT".
Yep, quick-n-dirty. What about "rulename:DONE"? It shows the same issue
as the default chain.

karsten
--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
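The normalisation this thread is circling around, as an added example that is not Shorewall's own code: a POSIX sh function that pads omitted trailing columns of an accounting rule with "-" and accepts the degenerate "DONE", "COUNT" and "chain:DONE" forms instead of dropping them silently, plus a small checker that walks a whole file and warns on every line it cannot parse. The seven-column order (ACTION CHAIN SOURCE DEST PROTO DEST PORT SOURCE PORT), the set of accepted ACTION forms and the function names are my assumptions about the 1.4 accounting file, not something the thread states; the sample file at the bottom is constructed.

```shell
#!/bin/sh
# Added example, not Shorewall code. Assumed column order of the 1.4
# accounting file: ACTION CHAIN SOURCE DEST PROTO DEST_PORT SOURCE_PORT.
# Usage: normalize_accounting_rule 'DONE'   -> "DONE - - - - - -"
normalize_accounting_rule() {
    # Strip a trailing comment, then split the remainder into columns.
    # set -f keeps a literal "*" in a column from being glob-expanded.
    line=$(printf '%s\n' "$1" | sed 's/#.*$//')
    set -f
    set -- $line
    set +f

    [ $# -eq 0 ] && return 1          # blank or comment-only line: skip
    [ $# -gt 7 ] && return 2          # more columns than the file defines

    # Accepted ACTION forms (assumed): COUNT, DONE, chain:COUNT, chain:DONE,
    # or a bare chain name used as a jump target.
    case "$1" in
        COUNT|DONE|*:COUNT|*:DONE) ;;
        [A-Za-z_]*) ;;
        *) return 3 ;;
    esac

    # Pad the omitted trailing columns with "-" so that a one-word rule such
    # as "DONE" reaches the rule builder in the same shape as "DONE - - - - - -".
    while [ $# -lt 7 ]; do
        set -- "$@" -
    done
    printf '%s %s %s %s %s %s %s\n' "$@"
}

# Walk an accounting file on stdin: print each normalised rule, warn on
# stderr about lines that are neither blank nor parseable, and return the
# number of such lines (so a caller can see that something was dropped).
check_accounting_file() {
    n=0
    invalid=0
    while IFS= read -r raw || [ -n "$raw" ]; do
        n=$((n + 1))
        rule=$(normalize_accounting_rule "$raw") && rc=0 || rc=$?
        case $rc in
            0) printf 'line %d: %s\n' "$n" "$rule" ;;
            1) ;;                                   # blank or comment
            *) invalid=$((invalid + 1))
               printf 'line %d: WARNING: invalid accounting rule: %s\n' \
                   "$n" "$raw" >&2 ;;
        esac
    done
    return $invalid
}

# Constructed sample file covering the cases discussed in the thread.
printf 'DONE\nDONE -\nrulename:DONE\nCOUNT - eth0 0.0.0.0/0 tcp 80\n# comment\n!bogus\n' \
    | check_accounting_file
```

A rule that reaches the rule builder with all seven columns present cannot hit the "missing field" path, and the non-zero return from check_accounting_file is what the thread is missing: a dropped rule that leaves no trace.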