* xt_ACCOUNT define many network by table
@ 2011-01-27 16:55 E2IA
  2011-01-27 18:43 ` Bob Miller
  0 siblings, 1 reply; 7+ messages in thread
From: E2IA @ 2011-01-27 16:55 UTC (permalink / raw)
  To: netfilter

Hi,
I'm using xt_ACCOUNT for accounting on my Linux box.
I have two networks, 192.168.2.0/24 and 172.16.2.0/24, and I want to
account these 2 networks via table http.
So I've made these two rules:
rule 1: iptables -t mangle -A POSTROUTING -m mark --mark 123 -j ACCOUNT --addr 192.168.2.0/24 --tname http
rule 2: iptables -t mangle -A POSTROUTING -m mark --mark 123 -j ACCOUNT --addr 172.16.2.0/24 --tname http

But when I enter rule 2 I get this error message:
[282339.158532] ACCOUNT: Table http found, but IP/netmask mismatch.
IP/netmask found: 192.168.2.0/255.255.255.0
[282339.158670] ACCOUNT: Table insert problem. Aborting

I'm wondering, and I'd like to know, if there is a means to define a table
for 2 different networks.
regards.


* Re: xt_ACCOUNT define many network by table
  2011-01-27 16:55 xt_ACCOUNT define many network by table E2IA
@ 2011-01-27 18:43 ` Bob Miller
  2011-01-27 22:13   ` E2IA
  0 siblings, 1 reply; 7+ messages in thread
From: Bob Miller @ 2011-01-27 18:43 UTC (permalink / raw)
  To: E2IA; +Cc: netfilter

On Thu, 2011-01-27 at 16:55 +0000, E2IA wrote:
> Hi,
> all I'm using xt_ACCOUNT for accounting on my linux box.
> I have two network 192.168.2.0/24 and 172.16.2.0/24. and i want to
> account these 2 network via table http.
> So i've made these two rules :
> rule 1:  iptables  -t mangle   -A  POSTROUTING   -m mark --mark  123
> -j ACCOUNT --addr  192.168.2.0/24  --tname http
> rule 2:  iptables  -t mangle   -A  POSTROUTING   -m mark --mark  123
> -j ACCOUNT --addr  172.16.2.0/24    --tname http
> 
> but when I enter the rule2 i got this error message :
> [282339.158532] ACCOUNT: Table http found, but IP/netmask mismatch.
> IP/netmask found: 192.168.2.0/255.255.255.0
> [282339.158670] ACCOUNT: Table insert problem. Aborting
> 
> I'm wondering and I'd like to know if there is mean to define a table
> for 2 deferent network.
> regards.
> --

And for the whole list:
My experimentation suggests that you would need two different tables for
two different --addr subnets.  However, I think you could use something
like this:

iptables -t mangle -A POSTROUTING -s 192.168.2.0/24 -m mark --mark 123 -j ACCOUNT --addr 128.0.0.0/8 --tname http
iptables -t mangle -A POSTROUTING -d 192.168.2.0/24 -m mark --mark 123 -j ACCOUNT --addr 128.0.0.0/8 --tname http
iptables -t mangle -A POSTROUTING -s 172.16.2.0/24 -m mark --mark 123 -j ACCOUNT --addr 128.0.0.0/8 --tname http
iptables -t mangle -A POSTROUTING -d 172.16.2.0/24 -m mark --mark 123 -j ACCOUNT --addr 128.0.0.0/8 --tname http

That is pure speculation based on a very loose understanding of ACCOUNT,
here is hoping it works...


Bob Miller
334-7117/660-5315
http://computerisms.ca
bob@computerisms.ca
Network, Internet, Server,
and Open Source Solutions



* Re: xt_ACCOUNT define many network by table
  2011-01-27 18:43 ` Bob Miller
@ 2011-01-27 22:13   ` E2IA
  2011-01-27 22:23     ` Jan Engelhardt
  0 siblings, 1 reply; 7+ messages in thread
From: E2IA @ 2011-01-27 22:13 UTC (permalink / raw)
  To: Bob Miller, netfilter

Thanks very much, but it doesn't work because 128.0.0.0/8 doesn't
pass through my box.
Is there a subnet which could match any IP address that passes through my box?
regards.

2011/1/27 Bob Miller <bob@computerisms.ca>:
> On Thu, 2011-01-27 at 16:55 +0000, E2IA wrote:
>> Hi,
>> all I'm using xt_ACCOUNT for accounting on my linux box.
>> I have two network 192.168.2.0/24 and 172.16.2.0/24. and i want to
>> account these 2 network via table http.
>> So i've made these two rules :
>> rule 1:  iptables  -t mangle   -A  POSTROUTING   -m mark --mark  123
>> -j ACCOUNT --addr  192.168.2.0/24  --tname http
>> rule 2:  iptables  -t mangle   -A  POSTROUTING   -m mark --mark  123
>> -j ACCOUNT --addr  172.16.2.0/24    --tname http
>>
>> but when I enter the rule2 i got this error message :
>> [282339.158532] ACCOUNT: Table http found, but IP/netmask mismatch.
>> IP/netmask found: 192.168.2.0/255.255.255.0
>> [282339.158670] ACCOUNT: Table insert problem. Aborting
>>
>> I'm wondering and I'd like to know if there is mean to define a table
>> for 2 deferent network.
>> regards.
>> --
>
> And for the whole list:
> My experimentation suggests that you would need two different tables for
> two different --addr subnets.  However, I think you could use something
> like this:
>
> iptables  -t mangle   -A  POSTROUTING -s 192.168.2.0/24 -m mark --mark
> 123 -j ACCOUNT --addr  128.0.0.0/8  --tname http
> iptables  -t mangle   -A  POSTROUTING -d 192.168.2.0/24 -m mark --mark
> 123 -j ACCOUNT --addr  128.0.0.0/8  --tname http
> iptables -t mangle -A  POSTROUTING -s 172.16.2.0/24  -m mark --mark  123
> -j ACCOUNT --addr  128.0.0.0/8   --tname http
> iptables -t mangle -A  POSTROUTING -d 172.16.2.0/24  -m mark --mark  123
> -j ACCOUNT --addr  128.0.0.0/8   --tname http
>
> That is pure speculation based on a very loose understanding of ACCOUNT,
> here is hoping it works...
>
>
> Bob Miller
> 334-7117/660-5315
> http://computerisms.ca
> bob@computerisms.ca
> Network, Internet, Server,
> and Open Source Solutions
>
>


* Re: xt_ACCOUNT define many network by table
  2011-01-27 22:13   ` E2IA
@ 2011-01-27 22:23     ` Jan Engelhardt
  2011-01-27 22:24       ` Jan Engelhardt
  0 siblings, 1 reply; 7+ messages in thread
From: Jan Engelhardt @ 2011-01-27 22:23 UTC (permalink / raw)
  To: E2IA; +Cc: Bob Miller, netfilter

On Thursday 2011-01-27 23:13, E2IA wrote:

>Thank very much but it doesn't work because the 128.0.0.0/8 doesn't
>pass through my box.

Networks don't pass. Packets do. And from the looks of it, of course 
you _will_ get packets from 128.0.0.0/8.

Simply because 192.168.2.0/24 and 172.16.2.0/24 are included in
128.0.0.0/8.

>>> rule 1:  iptables  -t mangle   -A  POSTROUTING   -m mark --mark  123
>>> -j ACCOUNT --addr  192.168.2.0/24  --tname http
>>> rule 2:  iptables  -t mangle   -A  POSTROUTING   -m mark --mark  123
>>> -j ACCOUNT --addr  172.16.2.0/24    --tname http


* Re: xt_ACCOUNT define many network by table
  2011-01-27 22:23     ` Jan Engelhardt
@ 2011-01-27 22:24       ` Jan Engelhardt
  2011-01-27 23:32         ` E2IA
  2011-01-28  3:38         ` Bob Miller
  0 siblings, 2 replies; 7+ messages in thread
From: Jan Engelhardt @ 2011-01-27 22:24 UTC (permalink / raw)
  To: E2IA; +Cc: Bob Miller, netfilter

On Thursday 2011-01-27 23:23, Jan Engelhardt wrote:

>On Thursday 2011-01-27 23:13, E2IA wrote:
>
>>Thank very much but it doesn't work because the 128.0.0.0/8 doesn't
>>pass through my box.
>
>Networks don't pass. Packets do. And from the looks of it, of course 
>you _will_ get packets from 128.0.0.0/8.
>
>Simply because 192.168.2.0/24 and 172.16.2.0/24 is included in 
>128.0.0.0/8.


Er, not for 128.0.0.0/8.  That should have been 128.0.0.0/1.


>>>> rule 1:  iptables  -t mangle   -A  POSTROUTING   -m mark --mark  123
>>>> -j ACCOUNT --addr  192.168.2.0/24  --tname http
>>>> rule 2:  iptables  -t mangle   -A  POSTROUTING   -m mark --mark  123
>>>> -j ACCOUNT --addr  172.16.2.0/24    --tname http
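As an added illustration (not code from the thread or from xt_ACCOUNT), the following Python checks which candidate --addr network actually contains both subnets, computes the smallest prefix that does, and models the one-network-per-table check behind the kernel's "IP/netmask mismatch" message. The AccountTables class is an assumed, simplified stand-in for the module's behaviour, not its source.

```python
import ipaddress

# Constructed from the two networks discussed in the thread.
SUBNETS = [ipaddress.ip_network("192.168.2.0/24"),
           ipaddress.ip_network("172.16.2.0/24")]


def covers_all(supernet, subnets=SUBNETS):
    """True if every accounted subnet lies inside the candidate --addr network."""
    net = ipaddress.ip_network(supernet)
    return all(s.subnet_of(net) for s in subnets)


def smallest_common_supernet(subnets=SUBNETS):
    """Widen the first subnet one prefix bit at a time until it contains all of them."""
    net = subnets[0]
    while not all(s.subnet_of(net) for s in subnets):
        net = net.supernet()
    return net


class AccountTables:
    """Simplified stand-in (an assumption, not the xt_ACCOUNT source) for the
    one-network-per-table check that produces the kernel's mismatch message."""

    def __init__(self):
        self.tables = {}  # tname -> IPv4Network bound to that table

    def insert(self, tname, addr):
        """Return (ok, message); a mismatch aborts the insert like the kernel does."""
        net = ipaddress.ip_network(addr)
        existing = self.tables.get(tname)
        if existing is None:
            self.tables[tname] = net
            return True, f"ACCOUNT: Table {tname} created for {addr}"
        if existing != net:
            return False, (f"ACCOUNT: Table {tname} found, but IP/netmask mismatch. "
                           f"IP/netmask found: {existing.network_address}/{existing.netmask}")
        return True, f"ACCOUNT: Table {tname} reused for {addr}"


if __name__ == "__main__":
    print("128.0.0.0/8 covers both:", covers_all("128.0.0.0/8"))   # False
    print("128.0.0.0/1 covers both:", covers_all("128.0.0.0/1"))   # True
    print("smallest common supernet:", smallest_common_supernet())  # 128.0.0.0/1
    t = AccountTables()
    for addr in ("192.168.2.0/24", "172.16.2.0/24"):
        print(t.insert("http", addr)[1])
```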


* Re: xt_ACCOUNT define many network by table
  2011-01-27 22:24       ` Jan Engelhardt
@ 2011-01-27 23:32         ` E2IA
  2011-01-28  3:38         ` Bob Miller
  1 sibling, 0 replies; 7+ messages in thread
From: E2IA @ 2011-01-27 23:32 UTC (permalink / raw)
  To: Jan Engelhardt, netfilter

Right, I'm about to make one table per subnet.
And I'd like to know if there is a limitation on the number of tables.
regards.

2011/1/27 Jan Engelhardt <jengelh@medozas.de>:
> On Thursday 2011-01-27 23:23, Jan Engelhardt wrote:
>
>>On Thursday 2011-01-27 23:13, E2IA wrote:
>>
>>>Thank very much but it doesn't work because the 128.0.0.0/8 doesn't
>>>pass through my box.
>>
>>Networks don't pass. Packets do. And from the looks of it, of course
>>you _will_ get packets from 128.0.0.0/8.
>>
>>Simply because 192.168.2.0/24 and 172.16.2.0/24 is included in
>>128.0.0.0/8.
>
>
> Er, not for 128.0.0.0/8.  That should have been 128.0.0.0/1.
>
>
>>>>> rule 1:  iptables  -t mangle   -A  POSTROUTING   -m mark --mark  123
>>>>> -j ACCOUNT --addr  192.168.2.0/24  --tname http
>>>>> rule 2:  iptables  -t mangle   -A  POSTROUTING   -m mark --mark  123
>>>>> -j ACCOUNT --addr  172.16.2.0/24    --tname http


* Re: xt_ACCOUNT define many network by table
  2011-01-27 22:24       ` Jan Engelhardt
  2011-01-27 23:32         ` E2IA
@ 2011-01-28  3:38         ` Bob Miller
  1 sibling, 0 replies; 7+ messages in thread
From: Bob Miller @ 2011-01-28  3:38 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: E2IA, netfilter


> 
> 
> Er, not for 128.0.0.0/8.  That should have been 128.0.0.0/1.
> 
> 

Good catch, my bad.

Bob Miller
334-7117/660-5315
http://computerisms.ca
bob@computerisms.ca
Network, Internet, Server,
and Open Source Solutions


