From: Patrick McHardy <kaber@trash.net>
To: Joakim Axelsson <gozem@gozem.se>
Cc: Massimiliano Hofer <max@nucleus.it>, netfilter-devel@lists.netfilter.org
Subject: Re: xt_quota (Was: [PATCH] priv_data 0/2)
Date: Mon, 14 Aug 2006 18:39:57 +0200
Message-ID: <44E0A75D.10205@trash.net>
In-Reply-To: <20060814162451.GZ7194@kriss.csbnet.se>

Joakim Axelsson wrote:
> I however really need some way of figuring out how much of the quota
> remains. This is to be able to report this to our users (that receive a
> certain number of gigabytes each day). So they can see how much they have
> left (using some scripted interface to iptables). Also saving this holy
> figure (as it has become :-)) for the user if the router for some reason
> crashes. This is also the reason I need negative quota figures. The users
> are allowed to "borrow" from their future quota. Doing so only under a byte
> limiting match (-m lim --limit-bytes 20k/s).
>
> In my opinion it's more important to save the remaining quota, rather than
> the original. And most important to in some way be able to see how much
> is left of the quota.
>
> Perhaps this will satisfy both of us:
>
> Something put out by iptables-save
> iptables -m quota --init-quota 1000 --remain-quota 123 --use-quota remain
>
> Something you write with iptables to create a new rule:
> iptables -m quota --init-quota 1000 (using --use-quota init explicitly)
> iptables -m quota --init-quota 1000 --use-quota remain
>
> But this sure is ugly.

It should be an explicit flag to iptables-save/restore to save the
current state, because we don't do it anywhere else and therefore
it is unexpected. The limit match for example does neither show nor
save the current amount of tokens, last refill time, ...

And I'm not too much of a fan of adding such a flag because it can
only be done for a subset of all modules, hashlimit, recent etc.
all can't do it. The most extreme case would be the state match :)

With a netlink API we could actually dump all internal state (including
things like recently seen IP addresses) and accept changes from
userspace. This would allow us to get rid of the ugly proc interfaces
and cover your need as well.