On Wed, Dec 14, 2011 at 9:30 PM, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> On Wed, Dec 14, 2011 at 09:12:52PM +0800, Changli Gao wrote:
>>
>> Why not use the counters of iptables instead?
>>
>> iptables-save -c
>
> If you want to obtain the sum of the counters that match some criteria,
> you have to iterate over the whole list of existing rules, look for
> matchings and update the counters.

As I said in another thread, you can redirect the traffic to a separate
chain, and use the counters of that chain.

> Moreover, if you have a large rule-set, polling periodically
> iptables-save -c can be expensive.

I got it. Thanks. Maybe we can index the entries in the kernel, and add a
new interface to get the counters of a special entry with an entry ID.

-- 
Regards,
Changli Gao(xiaosuo@xxxxxxxxx)
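To make the two approaches in this exchange concrete, here is an added example (not code from the thread or from the netfilter project) that parses a constructed `iptables-save -c` dump: `sum_matching` walks every rule to total the counters for some criteria, which is the cost Pablo describes, while `chain_counters` reads the counters of a dedicated accounting chain (named `ACCT_WEB` here by assumption) as Changli suggests.

```python
import re

# Constructed sample of `iptables-save -c` output (not captured from a real host).
# Web traffic is jumped from INPUT into a dedicated chain ACCT_WEB, so the
# counters of that chain's rules give the per-source breakdown directly.
SAMPLE_DUMP = """\
*filter
:INPUT ACCEPT [1200:96000]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [800:64000]
:ACCT_WEB - [0:0]
[350:28000] -A INPUT -p tcp -m tcp --dport 80 -j ACCT_WEB
[120:9600] -A INPUT -p tcp -m tcp --dport 443 -j ACCT_WEB
[10:800] -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
[300:24000] -A ACCT_WEB -s 10.0.0.0/8 -j ACCEPT
[170:13600] -A ACCT_WEB -j ACCEPT
COMMIT
"""

# With -c, iptables-save prefixes each rule line with "[packets:bytes]".
RULE_RE = re.compile(r"^\[(\d+):(\d+)\]\s+-A\s+(\S+)\s*(.*)$")


def parse_rules(dump):
    """Return a list of (chain, rule_text, packets, bytes) for every rule line."""
    rules = []
    for line in dump.splitlines():
        m = RULE_RE.match(line)
        if m:
            pkts, byts, chain, rest = m.groups()
            rules.append((chain, rest, int(pkts), int(byts)))
    return rules


def sum_matching(dump, predicate):
    """Sum counters of all rules for which predicate(chain, rule_text) holds.
    This has to visit the whole rule-set on every poll."""
    pkts = byts = 0
    for chain, rule, p, b in parse_rules(dump):
        if predicate(chain, rule):
            pkts += p
            byts += b
    return pkts, byts


def chain_counters(dump, chain):
    """Counters of a dedicated accounting chain: the total that entered it
    (sum of the jump rules targeting it) plus each rule inside it."""
    jump = re.compile(r"(?:^|\s)-j\s+%s(?:\s|$)" % re.escape(chain))
    entered = sum_matching(dump, lambda c, r: c != chain and jump.search(r) is not None)
    inside = [(r, p, b) for c, r, p, b in parse_rules(dump) if c == chain]
    return entered, inside
```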