netfilter-devel.vger.kernel.org archive mirror
From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Mathieu Poirier <mathieu.poirier@linaro.org>
Cc: netfilter-devel@vger.kernel.org, netfilter@vger.kernel.org,
	John Stultz <john.stultz@linaro.org>, JP Abgrall <jpa@google.com>
Subject: Re: [PATCH 1/1] netfilter: xtables: add quota support to nfacct
Date: Mon, 30 Dec 2013 18:36:55 +0100
Message-ID: <20131230173655.GA21288@localhost>
In-Reply-To: <CANLsYkx32_sUzZvy697Vhyu7cBUaoYtB__FNTvdhwWDguLmT2Q@mail.gmail.com>

On Sun, Dec 29, 2013 at 02:53:15PM -0700, Mathieu Poirier wrote:
> On 21 December 2013 01:55, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > On Fri, Dec 20, 2013 at 01:34:00PM -0700, Mathieu Poirier wrote:
> >> On 19 December 2013 12:43, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > [...]
> >> > Thinking again on the event delivery, I think it's better if the
> >> > nfacct match using the new --quota does not deliver the event itself.
> >> > You can use libnetfilter_queue instead, eg.
> >> >
> >> >         iptables -I INPUT -p icmp \
> >> >                  -m nfacct icmp --quota 12345 --mode bytes --match-once \
> >> >                  -j NFLOG --nflog-prefix "icmp: " --nflog-group 34
> >> >
> 
> Thinking further on this...
> 
> Unless I'm missing something the above only specifies when to log
> quota transgression, hence introducing the need to write yet another
> rule to explicitly deal with the packet.  My previous solution logged
> quota excess _and_ dealt with the packet.

What kind of "deal with the packet" do you need to make in case you
reach the quota? Please elaborate your use case with hypothetical
(iptables) examples so I can help better.

> Using 'nfulnl_log_packet()' (if even possible) would seem hackish to me.

I don't like that choice either.
