Krzysztof Oledzki wrote:
On Tue, 17 Mar 2009, Patrick McHardy wrote:
Krzysztof Oledzki wrote:
On Tue, 17 Mar 2009, Patrick McHardy wrote:
Krzysztof Oledzki wrote:
I'd say it has been long enough, but Jan raised a valid point.
We can't use the Kconfig selection anymore once we remove that
option, so we need a replacement to automatically enable counters.

So loading connbytes should enable accounting automatically. Fine,
it is doable. But how do we want to handle it WRT NS? Should it be
enabled in all namespaces or...?

Just the ones it is actually used in I'd say (i.e. in the checkentry
function for the current namespace).

OK, but AFAIK modules are not namespace dependent, so why only in
the actually used one? This bugs me a little.

But using them is namespace dependent.

How?

The "connbytes" rules exist only in a specific namespace.

Anyway, how about this:

sysctl net.netfilter.nf_conntrack_acct=0 -> disable accounting in this NS
sysctl net.netfilter.nf_conntrack_acct=1 -> enable accounting in this NS
sysctl net.netfilter.nf_conntrack_acct=-1 -> (default) use global value in this NS

Global value: by default 0 if connbytes is not loaded, 1 if it is.
Global value could be set with nf_conntrack.acct=0/1 (kernel) acct=0/1
(module) or sysctl (??? how are global, NS independent sysctls named???).

Doubts:
- should we set global value to 0 when unloading connbytes?

Why do anything global at all? It's not needed unless connbytes is used
(or something in userspace, which we can't detect), and that affects
only a single namespace.