On Wed, Dec 14, 2011 at 02:43:40PM +0100, Jan Engelhardt wrote:
> On Wednesday 2011-12-14 12:00, pablo@xxxxxxxxxxxxx wrote:
>
> >Then, you can use one of these accounting objects in several iptables
> >rules using the new NFACCT target (which comes in a follow-up patch):
> >
> > # iptables -I INPUT -p tcp --sport 80 -j NFACCT --nfacct-name http-traffic
> > # iptables -I OUTPUT -p tcp --dport 80 -j NFACCT --nfacct-name http-traffic
> >
> >The idea is simple: if one packet matches the rule, the NFACCT target
> >updates the counters.
>
> This smells a lot like -m quota2 --grow, except that yours uses
> netlink instead of procfs and can only update the counters.
>
> I suggest turning -j NFACCT into -m nfacct instead, so that we can add
> counting-down mode and matching capabilities, so as to replace
> xt_quota*.

This makes sense. My only concern is that -m nfacct will not really match
anything (not by default at least). But with -m nfacct, we can use it in one
single multi-match rule, which comes in handy.