On Wed, 14 Dec 2011, Pablo Neira Ayuso wrote:

> On Wed, Dec 14, 2011 at 02:43:40PM +0100, Jan Engelhardt wrote:
> > On Wednesday 2011-12-14 12:00, pablo@xxxxxxxxxxxxx wrote:
> >
> > > Then, you can use one of these accounting objects in several iptables
> > > rules using the new NFACCT target (which comes in a follow-up patch):
> > >
> > > # iptables -I INPUT -p tcp --sport 80 -j NFACCT --nfacct-name http-traffic
> > > # iptables -I OUTPUT -p tcp --dport 80 -j NFACCT --nfacct-name http-traffic
> > >
> > > The idea is simple: if one packet matches the rule, the NFACCT target
> > > updates the counters.
> >
> > This smells a lot like -m quota2 --grow, except that yours uses
> > netlink instead of procfs and can only update the counters.
> >
> > I suggest to turn -j NFACCT into -m nfacct instead, so that we can add
> > counting-down mode and matching capabilities, so as to replace
> > xt_quota*.
>
> This makes sense.
>
> My only concern is that -m nfacct will not really match anything (not
> by default at least).
>
> But with -m nfacct, we can use it in one single multi-match rule, which
> comes in handy.

I second that turning it into a "match" makes it more flexible.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
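The match form the thread converges on, shown as an added shell example that is not part of the original message or of the netfilter patches under discussion. It assumes the userspace `nfacct` tool (`nfacct add`, `nfacct get`) and the `-m nfacct --nfacct-name` match syntax; the second object name, `ssh-new`, is a constructed illustration. The script prints the commands unless `DRY_RUN` is set to anything other than 1, so it can be read without root or a netfilter-capable kernel.

```shell
#!/bin/sh
# Added example (not from the thread): one accounting object, defined once in the
# kernel by name, referenced from several iptables rules via the nfacct *match*.
# DRY_RUN=1 (the default) only prints each command; set DRY_RUN=0 on a host with
# root, iptables and the nfacct tool to actually apply them.
: "${DRY_RUN:=1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Create the named accounting objects once; the counters live in the kernel and
# survive rule changes, which is what lets several rules share one counter.
nfacct_setup() {
    run nfacct add http-traffic
    run nfacct add ssh-new      # constructed second object for the combined rule
}

# Reference the same object from several rules. Because nfacct is a match rather
# than a target, the rule needs no -j: it counts and falls through, and it can be
# stacked with other matches in a single rule (the thread's "multi-match" point).
nfacct_rules() {
    run iptables -I INPUT  -p tcp --sport 80 -m nfacct --nfacct-name http-traffic
    run iptables -I OUTPUT -p tcp --dport 80 -m nfacct --nfacct-name http-traffic
    # One rule that both selects new SSH connections and accounts for them.
    run iptables -I INPUT -p tcp --dport 22 -m conntrack --ctstate NEW \
        -m nfacct --nfacct-name ssh-new
}

# Read the counters back by name; with a real kernel this prints pkts/bytes.
nfacct_report() {
    run nfacct get http-traffic
    run nfacct get ssh-new
}

nfacct_setup
nfacct_rules
nfacct_report
```

Because the match returns true after updating the counter, a rule that consists only of `-m nfacct` is purely an accounting point; to drop or log, add the usual `-j` target to the same rule, which the target form in the original proposal could not do without a second rule.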