From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Cc: Jan Engelhardt <jengelh@medozas.de>,
netfilter-devel@vger.kernel.org, kaber@trash.net,
thomas.jarosch@intra2net.com
Subject: Re: [PATCH 1/2] netfilter: add extended accounting infrastructure over nfnetlink
Date: Thu, 15 Dec 2011 13:26:02 +0100
Message-ID: <20111215122602.GB14246@1984>
In-Reply-To: <alpine.DEB.2.00.1112141926580.7277@blackhole.kfki.hu>
On Wed, Dec 14, 2011 at 07:30:29PM +0100, Jozsef Kadlecsik wrote:
> On Wed, 14 Dec 2011, Pablo Neira Ayuso wrote:
>
> > On Wed, Dec 14, 2011 at 02:43:40PM +0100, Jan Engelhardt wrote:
> > > On Wednesday 2011-12-14 12:00, pablo@netfilter.org wrote:
> > >
> > > >Then, you can use one of these accounting objects in several iptables
> > > >rules using the new NFACCT target (which comes in a follow-up patch):
> > > >
> > > > # iptables -I INPUT -p tcp --sport 80 -j NFACCT --nfacct-name http-traffic
> > > > # iptables -I OUTPUT -p tcp --dport 80 -j NFACCT --nfacct-name http-traffic
> > > >
> > > >The idea is simple: if one packet matches the rule, the NFACCT target
> > > >updates the counters.
> > >
> > > This smells a lot like -m quota2 --grow, except that yours uses
> > > netlink instead of procfs and can only update the counters.
> > >
> > > I suggest to turn -j NFACCT into -m nfacct instead, so that we can add
> > > counting-down mode and matching capabilities, so as to replace
> > > xt_quota*.
> >
> > This makes sense.
> >
> > My only concern is that -m nfacct will not really match anything (not
> > by default at least).
> >
> > But with -m nfacct, we can use it in one single multi-match rule, which
> > comes in handy.
>
> I second that turning it into a "match" makes it more flexible.
I'll make it.
Probably we can add some --nfacct NAME as a shortcut for -m nfacct
--nfacct-name NAME, to hide that this is a match? Hm, probably too
nasty.
I have concerns about the fact that this will not really match
anything (although it is going to (ab)use the match infrastructure).
This makes me think that we probably need that multitarget (for those
that just return to continue with the rule traversal in the chain).
Just wild thoughts. The quick way is to make this a match of course.