On Wednesday 2011-12-14 15:52, Changli Gao wrote:

>On Wed, Dec 14, 2011 at 9:30 PM, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
>> On Wed, Dec 14, 2011 at 09:12:52PM +0800, Changli Gao wrote:
>>>
>>> Why not use the counters of iptables instead?
>>>
>>> iptables-save -c
>>
>> If you want to obtain the sum of the counters that match some criteria,
>> you have to iterate over the whole list of existing rules, look for
>> matchings and update the counters.
>
>As I said in another thread, you can redirect the traffic to a
>separated chain, and use the counters of that chain.

UDCs (user defined chains) don't have counters, though.

>> Moreover, if you have a large rule-set, polling periodically
>> iptables-save -c can be expensive.
>
>I got it. Thanks. Maybe we can index the entries in the kernel, and
>add a new interface to get the counters of a special entry with an
>entry ID.

Relying on the rule number is a terrible idea (just like
iptables-save|head -n5|tail -n1 would be). Unique persistent IDs are
unfavorable as well; names, as used with xt_quota2/xt_NFACCT, can be
remembered much more easily.
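As an added illustration (not code from the thread or from the netfilter project), the following parses a constructed `iptables-save -c` dump and contrasts the full-list scan Pablo describes with lookup by rule position and by name; it assumes a `-m comment --comment` tag as a stand-in for a named object such as an xt_NFACCT counter, whose real counters are read through the nfacct tool rather than from iptables-save.

```python
import re
from collections import namedtuple

# Constructed sample of `iptables-save -c` output (not a real dump). The
# user-defined chain `web_in` has no policy and its chain line is always
# [0:0]: only its member rules carry counters.
SAMPLE = """\
*filter
:INPUT ACCEPT [1000:120000]
:web_in - [0:0]
[120:9600] -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
[300:45000] -A INPUT -p tcp -m tcp --dport 80 -j web_in
[80:6400] -A INPUT -p tcp -m tcp --dport 443 -j web_in
[40:3200] -A INPUT -p udp -m udp --dport 53 -j ACCEPT
[200:30000] -A web_in -m comment --comment "web-allow" -j ACCEPT
COMMIT
"""

RULE_RE = re.compile(r'^\[(\d+):(\d+)\] -A (\S+) (.*)$')
Rule = namedtuple('Rule', 'chain pkts bytes spec')  # spec: text after "-A <chain>"

def parse_rules(dump):
    """Every counted rule in the dump, in chain order."""
    return [Rule(m.group(3), int(m.group(1)), int(m.group(2)), m.group(4))
            for m in map(RULE_RE.match, dump.splitlines()) if m]

def sum_matching(rules, needle):
    """The full scan Pablo describes: every poll walks the whole rule list."""
    hit = [r for r in rules if needle in r.spec]
    return sum(r.pkts for r in hit), sum(r.bytes for r in hit)

def by_position(rules, chain, n):
    """n-th (1-based) rule of a chain; shifts whenever a rule is inserted."""
    return [r for r in rules if r.chain == chain][n - 1]

def by_comment(rules, name):
    """Rule tagged `-m comment --comment "<name>"`; stable across inserts."""
    return next(r for r in rules if f'--comment "{name}"' in r.spec)

def insert_rule(dump, chain, line):
    """Simulate `iptables -I <chain> 1 ...`: put `line` before the chain's first rule."""
    lines = dump.splitlines()
    i = next(i for i, l in enumerate(lines) if l.startswith('[') and f' -A {chain} ' in l)
    return '\n'.join(lines[:i] + [line] + lines[i:]) + '\n'
```

Inserting one rule at the top of INPUT is enough to make the positional lookup return a different rule while the name-based lookup still finds the same counter.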