libnetfilter_acct now available at git.netfilter.org

libnetfilter_acct now available at git.netfilter.org

[Pablo Neira Ayuso]

Hi!

JFYI: I just uploaded libnetfilter_acct to git.netfilter.org.

http://git.netfilter.org/cgi-bin/gitweb.cgi?p=libnetfilter_acct.git;a=summary

This library provides the programming interface (API) to the Netfilter
extended accounting infrastructure. It includes the documentation in
doxygen format and a couple of examples.

The first client of this library will be the `nfacct' tool.

I'm thinking about including this tool into the iptables tree, instead
of distributing it separately, but I may change my mind. Let me know
if you have any preference.

The initial 1.0.0 release is scheduled by when Linux kernel 3.3 will
be released (I insist, this is not wrong, Linux kernel 3.3, not 3.2).

I'll find some spare time to set up the libnetfilter_acct space in
www.netfilter.org soon.

Have fun with it!

Re: libnetfilter_acct now available at git.netfilter.org

[Jan Engelhardt]

On Thursday 2011-12-29 19:47, Pablo Neira Ayuso wrote:

>Hi!
>
>JFYI: I just uploaded libnetfilter_acct to git.netfilter.org.
>
>http://git.netfilter.org/cgi-bin/gitweb.cgi?p=libnetfilter_acct.git;a=summary
>
>This library provides the programming interface (API) to the Netfilter
>extended accounting infrastructure. It includes the documentation in
>doxygen format and a couple of examples.
>
>The first client of this library will be the `nfacct' tool.
>
>I'm thinking about including this tool into the iptables tree, instead
>of distributing it separately, but I may change my mind. Let me know
>if you have any preference.

It would pose - just formally - the question how many more tools we 
intend to ship with iptables. For example, try to find an answer as to 
why conntrack-tools and ipset are separate instead of being included in 
iptables.

I am not particular for or against, since there is already e.g. nfnl_osf 
(and libipq...) in the iptables tree, for a lack of a better place.

Re: libnetfilter_acct now available at git.netfilter.org

[Pablo Neira Ayuso]

On Thu, Dec 29, 2011 at 10:23:58PM +0100, Jan Engelhardt wrote:
> On Thursday 2011-12-29 19:47, Pablo Neira Ayuso wrote:
> 
> >Hi!
> >
> >JFYI: I just uploaded libnetfilter_acct to git.netfilter.org.
> >
> >http://git.netfilter.org/cgi-bin/gitweb.cgi?p=libnetfilter_acct.git;a=summary
> >
> >This library provides the programming interface (API) to the Netfilter
> >extended accounting infrastructure. It includes the documentation in
> >doxygen format and a couple of examples.
> >
> >The first client of this library will be the `nfacct' tool.
> >
> >I'm thinking about including this tool into the iptables tree, instead
> >of distributing it separately, but I may change my mind. Let me know
> >if you have any preference.
> 
> It would pose - just formally - the question how many more tools we 
> intend to ship with iptables. For example, try to find an answer as to 
> why conntrack-tools and ipset are separate instead of being included in 
> iptables.

Good question.

>From what I see (because the policy is not clear to me either), I can
extract that it's a matter of how big (in terms of LOC) the project is
and how many changes you expect from that code.

> I am not particular for or against, since there is already e.g. nfnl_osf 
> (and libipq...) in the iptables tree, for a lack of a better place.

QUEUE should be scheduled for removal IMO, I'd take a patch for
that. People already had time the time to migrate to NFQUEUE.

Unless someone comes with some strong argument to keep it in the tree.

For nfnl_osf, we can move it to one standalone tool.

Probably it's better to avoid polluting iptables tree with other
projects and provide standalone trees for everyone.

Re: libnetfilter_acct now available at git.netfilter.org

[Jan Engelhardt]

On Friday 2011-12-30 01:05, Pablo Neira Ayuso wrote:
>>>I'm thinking about including this tool into the iptables tree, instead
>>>of distributing it separately, but I may change my mind. Let me know
>>>if you have any preference.
>> 
>>It would pose - just formally - the question how many more tools we 
>>intend to ship with iptables. For example, try to find an answer as to 
>>why conntrack-tools and ipset are separate instead of being included in 
>>iptables.
>
>Good question.
>
>From what I see (because the policy is not clear to me either), I can
>extract that it's a matter of how big (in terms of LOC) the project is
>and how many changes you expect from that code.

Well, do you expect nfacct to grow to proportions similar to ipset or
conntrack-tools?

As for nfnl_osf, it certainly has not reached that threshold (and
is unlikely to do so in the near future), and therefore I move to keep it.

>For nfnl_osf, we can move it to one standalone tool.
>Probably it's better to avoid polluting iptables tree with other
>projects and provide standalone trees for everyone.

Re: libnetfilter_acct now available at git.netfilter.org

[Pablo Neira Ayuso]

On Fri, Dec 30, 2011 at 02:09:11AM +0100, Jan Engelhardt wrote:
> Well, do you expect nfacct to grow to proportions similar to ipset or
> conntrack-tools?

No way ;-)

> As for nfnl_osf, it certainly has not reached that threshold (and
> is unlikely to do so in the near future), and therefore I move to keep it.

OK, let's keep it in the iptables tree then.