Re: [PATCH 0/2] [RFC] Extended accounting infrastructure for iptables

[Pablo Neira Ayuso <pablo@netfilter.org>]

On Fri, Dec 16, 2011 at 04:25:54PM +0100, Ferenc Wagner wrote:
> Pablo Neira Ayuso <pablo@netfilter.org> writes:
> 
> > What you propose is hackish.
> 
> Do you consider creating a new chain with a single empty rule hackish?

No. What I consider hackish is to parse the output of iptables -Lnv,
most likely looking for some pattern that -m comment displays to
collect the counters.

> I accept that nfacct is a more transparent solution.  But I don't think
> those single rule counter chains are that bad, either.  And they are
> potentially more flexible (which may be an advantage or a disadvantage
> as well).  And they don't require adding (and maintaining) new code.
>
> > You parse text-based outputs, which is not the nice way to make
> > things.
> 
> Agreed.  But I don't see the principal difference: just as you provide
> libnetfilter_acct, someone could provide a similar library for handling
> the rule counters (maybe such a library is already available, I don't
> know). Also, I bet 98% of the uses would involve shell scripts anyway,
> using nfacct_get http-traffic or iptables -vL http-traffic for much the
> same effect. :)

Bad betting, you owe me one beer ;-).

With nfacct you will not need to make shell scripts at all for your
applications. You've got one library that provides one netlink
interface that you can use in your C programs (or whatever language
that allows to make native calls to C functions).