From: Pablo Neira Ayuso
Subject: Re: Accounting objects support in nft
Date: Mon, 12 Jan 2015 13:35:16 +0100
Message-ID: <20150112123516.GA4546@salvia>
To: Arturo Borrero Gonzalez
Cc: ana@soleta.eu, Netfilter Development Mailing list, kaber@trash.net

On Mon, Jan 12, 2015 at 12:48:35PM +0100, Arturo Borrero Gonzalez wrote:
> On 12 January 2015 at 11:55, wrote:
> >
> > table ip filter {
> >         acct http-traffic { pkts 779 bytes 99495}
> >         acct https-traffic { pkts 189 bytes 37824}
> >
> >         chain output {
> >                 type filter hook output priority 0;
> >                 tcp dport http acct http-traffic
> >                 tcp dport https acct https-traffic
> >         }
> > }
> >
>
> Interesting, Ana!
>
> I understand that acct objects are bounded to a table/family.
> Why not make them globals? So we could increment same counters from
> different families/tables.

Indeed. The existing binding between acct and tables is superfluous.
With sets, we need that to check for loops in verdict maps.

So counters can become also top-level identifier as it happens with
tables, ie.

counters {
        http-traffic { pkts 779 bytes 99495}
        acct https-traffic { pkts 189 bytes 37824}
}

table ip filter {
        chain output {
                type filter hook output priority 0;
                tcp dport http counter http-traffic
                tcp dport https counter https-traffic
        }
}

Patrick, any comment on that?