On 14.07.2010 18:34, Pablo Neira Ayuso wrote:
> Hi Luciano,
>
> On 14/07/10 14:22, Luciano Coelho wrote:
>> On Wed, 2010-07-14 at 13:48 +0200, ext Patrick McHardy wrote:
>>> If you're using connection tracking, you can use conntrack marks
>>> to avoid sending more than a single message:
>>>
>>> iptables ... -m connmark --mark 0x1/0x1 -j RETURN
>>> iptables ... -j NFLOG ...
>>> iptables ... -j CONNMARK --set-mark 0x1/0x1
>>
>> Cool, thanks.
>>
>> It seems that there are lots of possibilities to get this to work, but
>> this is starting to get quite complex. I would still prefer having the
>> NFNOTIF module included, since we would be able to do what we want in a
>> very simple way. It's also probably much more efficient than using
>> several rules, which would increase the CPU usage considerably (in our
>> device we are already reaching the limit of a reasonable CPU resource
>> usage with high throughput WLAN connections).

It's hard to believe that a connmark match filtering out notifications
would require more CPU time than doing the same in a new target module.

>> While I agree that it is possible to achieve the NFNOTIF functionality
>> with existing modules, I still think there is a "niche" for such module,
>> because it is very simple, has a very clear purpose and would make the
>> ruleset simpler and more efficient.
>>
>> Does this make any sense?
>
> I don't think that the NFNOTIF infrastructure fulfills the policy for
> inclusion. It seems to me like something quite specific for your needs.
> It is simple, yes, but we already have this feature in the kernel. I
> don't think that this will reduce CPU usage considerably with regards to
> the NFLOG way.
>
> I would still prefer adding the once-per-matching notification feature
> to NFLOG than these extra lines in the kernel, Patrick?

I agree with Pablo.
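The three rules Patrick quotes above, expanded into a complete ruleset. This is an added example for this page, not code from the thread or from the netfilter project; the chain name NOTIFY_ONCE, NFLOG group 10, the log prefix, and hooking the chain from FORWARD are my assumptions. The script does not touch netfilter unless you ask it to: `sh notify_once.sh preview` prints the iptables commands, `sh notify_once.sh apply` runs them (root required).

```shell
#!/bin/sh
# Added example (not from the original thread): notify once per connection
# via NFLOG, using one bit of the conntrack mark as an "already notified"
# flag. Rule order inside the chain is what makes it work:
#   1. connections already carrying the flag leave the chain early,
#   2. anything else is the first packet of a connection and gets logged,
#   3. ... and is then flagged so its later packets take the early exit.
# Assumed names (mine): chain NOTIFY_ONCE, mark bit 0x1 under mask 0x1
# (other mark bits are left untouched), NFLOG group 10, FORWARD as hook.

CHAIN=NOTIFY_ONCE
MARK=0x1/0x1          # value/mask form so only bit 0 is set or tested
NFLOG_GROUP=10
PREFIX=new-conn

# ipt: run an iptables command, or print it when DRY_RUN is set.
# (Dry-run output loses shell quoting; it is meant for review, not for
# pasting verbatim.)
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# build_notify_once_chain: (re)create the chain with the three-rule pattern.
# -m connmark pulls in conntrack, so connections are tracked as a side effect.
build_notify_once_chain() {
    ipt -N "$CHAIN" 2>/dev/null || true   # ignore "chain already exists"
    ipt -F "$CHAIN"
    ipt -A "$CHAIN" -m connmark --mark "$MARK" -j RETURN
    ipt -A "$CHAIN" -j NFLOG --nflog-group "$NFLOG_GROUP" --nflog-prefix "$PREFIX"
    ipt -A "$CHAIN" -j CONNMARK --set-mark "$MARK"
}

# hook_chain: send forwarded traffic through the chain (assumed hook point;
# use INPUT/OUTPUT instead for locally terminated traffic).
hook_chain() {
    ipt -A FORWARD -j "$CHAIN"
}

main() {
    build_notify_once_chain
    hook_chain
}

# With no argument the script only defines the functions, so it can be
# sourced for inspection; "preview" prints the commands, "apply" runs them.
case "${1:-}" in
    preview) DRY_RUN=1; main ;;
    apply)   main ;;
esac
```

Because the RETURN rule sits before the NFLOG rule, the per-packet cost for an established connection is a single connmark match; only the first packet of each connection reaches NFLOG and CONNMARK. Anything that reuses the same mark bit elsewhere in the ruleset will of course suppress notifications, so pick a bit that nothing else sets.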