On Thursday 15 June 2006 at 15:11 +0200, Tore Anderson wrote:
[..]
> * Jérôme Warnier
>
> > I can understand, I thought about this but I felt like the rules
> > needed are not intrusive at all:
> > iptables -A INPUT -d 192.168.0.1
> > iptables -A OUTPUT -s 192.168.0.1
>
> So if you're DROP-ing traffic above those rules (which is very likely,
> especially in the INPUT chain), the rules won't hit, and the graph
> will be wrong. If you've used -I INPUT 1 instead you'd shuffle around
> all other rules in the chain, which is even more undesirable.
>
> Also, the second the administrator reloads his ruleset the rules will
> be lost and the graphs stop working.
>
> > Maybe the script should just verify if such accounting rules are
> > present in chains INPUT and OUTPUT first. Then it could work.
>
> It does, but because it isn't run as root by default it doesn't work
> correctly. I've made a new bug about this.
>
> > Another option: base ip_ on something else than iptables (maybe /proc
> > or /sys?).
>
> I don't think the information is available anywhere else, at least not
> where it's practical to access it. I'll be happy to be proven wrong,
> though.
>
> > - provide a patch for Debian not to advertise a concerning warning
> > message when using if_ (because here, my bug was actually the error
> > message)
> > and/or:
> > - talk about this issue with upstream (forward upstream).
>
> I agree, and I'll probably commit a fix to the upstream repository
> myself when I get around to it. I've reopened the bug, and clarified
> what it's about.

Many thanks, it was a pleasure to bug you about this ;-)

> Thanks

-- 
Jérôme Warnier <[EMAIL PROTECTED]>
BeezNest
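
The check discussed in the thread (is the accounting rule present, and can packets still reach it?) can be sketched as below. This is an added example, not code from the thread or from the munin plugin. It assumes the ruleset is available as text in `iptables -S` format; the function names and the sample ruleset are hypothetical, and any earlier ACCEPT/DROP/REJECT rule is flagged conservatively without testing whether it would match the accounted traffic.

```python
import shlex

TERMINATING = {"ACCEPT", "DROP", "REJECT"}

# Constructed sample ruleset in `iptables -S` format (not from the thread).
SAMPLE = """\
-P INPUT DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
-A INPUT -d 192.168.0.1/32
-A OUTPUT -s 192.168.0.1/32
"""

def parse_rules(text, chain):
    """Return the appended (-A) rules of `chain`, in order, as token lists."""
    rules = []
    for line in text.splitlines():
        tok = shlex.split(line)
        if len(tok) >= 2 and tok[0] == "-A" and tok[1] == chain:
            rules.append(tok[2:])
    return rules

def option(tokens, flag):
    """Value following `flag` in a rule, or None if the flag is absent."""
    if flag in tokens:
        i = tokens.index(flag)
        if i + 1 < len(tokens):
            return tokens[i + 1]
    return None

def check_accounting(text, chain, flag, ip):
    """Look for a target-less accounting rule `flag ip` in `chain`.

    flag is '-d' for INPUT and '-s' for OUTPUT. Returns (status, blockers):
    'missing', 'ok', or 'shadowed' when terminating rules sit above the
    accounting rule and can keep packets from ever reaching its counter.
    """
    blockers = []
    for tokens in parse_rules(text, chain):
        target = option(tokens, "-j")
        addr = option(tokens, flag)
        if target is None and len(tokens) == 2 and addr in (ip, ip + "/32"):
            return ("shadowed" if blockers else "ok", blockers)
        if target in TERMINATING:
            blockers.append(" ".join(tokens))
    return ("missing", [])

if __name__ == "__main__":
    print(check_accounting(SAMPLE, "INPUT", "-d", "192.168.0.1"))
    print(check_accounting(SAMPLE, "OUTPUT", "-s", "192.168.0.1"))
```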