Re: nf_conntrack.acct has no effect

On Tue, 17 Mar 2009, Patrick McHardy wrote:

Krzysztof Oledzki wrote:


On Tue, 17 Mar 2009, Patrick McHardy wrote:

Krzysztof Oledzki wrote:


On Tue, 17 Mar 2009, Patrick McHardy wrote:

Krzysztof Oledzki wrote:
I'd say it has been long enough, but Jan raised a valid point.
We can't use the Kconfig selection anymore once we remove that
option, so we need a replacement to automatically enable counters.

So loading connbytes should enable accounting automatically. Fine, it is doable. But how do we want to handle it WRT NS? Should it be enabled in all NameSpaces or...?

Just the ones it is actually used in I'd say (i.e. in the checkentry
function for the current namespace).

OK, but AFAIK modules are not namespace dependent, so why only in the actually used one? This bugs me a little.

But using them is namespace dependent.

How?

The "connbytes" rules exist only in a specific namespace.

True, but it might be too late to enable accounting at that point. What if there are already active flows?

Anyway, how about this:
 sysctl net.netfilter.nf_conntrack_acct=0 -> disable accounting in this NS
 sysctl net.netfilter.nf_conntrack_acct=1 -> enable accounting in this NS
sysctl net.netfilter.nf_conntrack_acct=-1 -> (default) use global value in this NS

Global value: by default 0 if connbytes is not loaded, 1 if it is.
Global value could be set with nf_conntrack.acct=0/1 (kernel) acct=0/1 (module) or sysctl (??? how global, NS independent sysctls are named???).

Doubts:
 - should we set global value to 0 when unloading connbytes?

Why do anything global at all? Its not needed unless connbytes is used
(or something in userspace, which we can't detect), and that affects
only a single namespace.

To enable it before the first packet?

Best regards,

				Krzysztof Olędzki
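Added example (not code from the thread or from the kernel): a small C model of the proposed -1/0/1 sysctl resolution together with the "already active flows" concern raised above. It assumes, as the real conntrack accounting extension does, that a conntrack entry gets its counters only when the entry is created, so flows created while accounting is off never gain counters when it is turned on later.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Model of the proposed sysctl: per-NS value -1 = inherit global, 0 = off, 1 = on;
 * the global value is 1 while connbytes is loaded, 0 otherwise. */
static int global_acct;
struct conn {
    bool has_acct_ext;        /* decided once, when the entry is created */
    uint64_t packets, bytes;
};

/* Effective setting: the per-NS value wins; -1 falls back to the global value. */
static bool resolve_acct(int ns_value, int global_value)
{
    return ns_value == -1 ? global_value != 0 : ns_value != 0;
}

static void conn_init(struct conn *ct, int ns_value)
{
    ct->has_acct_ext = resolve_acct(ns_value, global_acct);
    ct->packets = 0;
    ct->bytes = 0;
}

static void conn_account(struct conn *ct, size_t len)
{
    if (!ct->has_acct_ext)    /* no extension: the packet passes uncounted */
        return;
    ct->packets++;
    ct->bytes += len;
}
/* Scenario from the thread: a flow is already active when connbytes loads and
 * turns accounting on. Reports bytes counted on that early flow and on a flow
 * created afterwards (both with the per-NS default of -1). */
static void late_enable_scenario(uint64_t *early_bytes, uint64_t *late_bytes)
{
    struct conn early, late;
    global_acct = 0;          /* connbytes not loaded yet */
    conn_init(&early, -1);
    conn_account(&early, 1500);
    global_acct = 1;          /* connbytes checkentry enables accounting */
    conn_init(&late, -1);
    conn_account(&early, 1500);   /* still uncounted: extension was never attached */
    conn_account(&late, 1500);
    conn_account(&late, 1500);
    *early_bytes = early.bytes;   /* 0 */
    *late_bytes = late.bytes;     /* 3000 */
}
```

The early flow ends with zero bytes even after accounting is enabled, which is why enabling it only from checkentry can miss traffic that a connbytes rule is then expected to match.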
