Re: [PATCH 1/2] netfilter: add extended accounting infrastructure over nfnetlink

On Wed, Dec 14, 2011 at 07:30:29PM +0100, Jozsef Kadlecsik wrote:
> On Wed, 14 Dec 2011, Pablo Neira Ayuso wrote:
> 
> > On Wed, Dec 14, 2011 at 02:43:40PM +0100, Jan Engelhardt wrote:
> > > On Wednesday 2011-12-14 12:00, pablo@xxxxxxxxxxxxx wrote:
> > > 
> > > >Then, you can use one of these accounting objects in several iptables
> > > >rules using the new NFACCT target (which comes in a follow-up patch):
> > > >
> > > > # iptables -I INPUT -p tcp --sport 80 -j NFACCT --nfacct-name http-traffic
> > > > # iptables -I OUTPUT -p tcp --dport 80 -j NFACCT --nfacct-name http-traffic
> > > >
> > > >The idea is simple: if one packet matches the rule, the NFACCT target
> > > >updates the counters.
> > > 
> > > This smells a lot like -m quota2 --grow, except that yours uses 
> > > netlink instead of procfs and can only update the counters.
> > > 
> > > I suggest to turn -j NFACCT into -m nfacct instead, so that we can add 
> > > counting-down mode and matching capabilities, so as to replace 
> > > xt_quota*.
> > 
> > This makes sense.
> > 
> > My only concern is that -m nfacct will not really match anything (not
> > by default at least).
> > 
> > But with -m nfacct, we can use it in one single multi-match rule, which
> > comes in handy.
> 
> I second that turning it into a "match" makes it more flexible.

I'll make it.

Probably we can add some --nfacct NAME as shortcut for -m nfacct
--nfacct-name NAME, to hide that this is a match? Hm, probably too
nasty.

I have concerns about the fact that this will not really match
anything (although it is going to (ab)use the match infrastructure).

This makes me think that we probably need that multitarget (for those
that just return to continue with the rule traversal in the chain).

Just wild thoughts. The quick way is to make this a match of course.
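The usage sketched in the quoted message (one accounting object shared by an INPUT and an OUTPUT rule), as an added shell example that is not part of the thread or of the patch series. It uses the "-m nfacct --nfacct-name" match form the thread settles on and the nfacct userspace tool from the netfilter project; "run", "nfacct_setup", "nfacct_rule_count" and "nfacct_teardown" are hypothetical helper names. With DRYRUN=1 it only prints the commands, so it can be inspected without root or the nfnetlink_acct/xt_nfacct modules.

```shell
#!/bin/sh
# Added example, not code from the patch or the list: one nfacct object,
# referenced from two rules so both directions of port-80 traffic land in
# the same pkts/bytes counters. DRYRUN=1 prints instead of executing.

run() {
    if [ "${DRYRUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# nfacct_setup NAME PORT: create the object, then attach it to both chains.
# The object must exist before iptables references it; the match's check
# routine looks the name up and rejects rules that name an unknown object.
nfacct_setup() {
    name=$1
    port=$2
    run nfacct add "$name"
    run iptables -I INPUT  -p tcp --sport "$port" -m nfacct --nfacct-name "$name"
    run iptables -I OUTPUT -p tcp --dport "$port" -m nfacct --nfacct-name "$name"
}

# nfacct_show NAME: read the shared counters back over nfnetlink.
nfacct_show() {
    run nfacct get "$1"
}

# nfacct_rule_count NAME PORT: number of commands nfacct_setup would issue
# (a dry-run self-check; always runs in DRYRUN mode via a subshell).
nfacct_rule_count() {
    ( DRYRUN=1; nfacct_setup "$1" "$2" ) | wc -l | tr -d ' '
}

# nfacct_teardown NAME PORT: delete the rules first; while a rule still
# references the object, the object stays in use and cannot be removed.
nfacct_teardown() {
    name=$1
    port=$2
    run iptables -D INPUT  -p tcp --sport "$port" -m nfacct --nfacct-name "$name"
    run iptables -D OUTPUT -p tcp --dport "$port" -m nfacct --nfacct-name "$name"
    run nfacct del "$name"
}
```

Because the match never filters anything by itself, the two rules above have no target and fall through to the rest of the chain after updating the counters, which is the point Pablo raises about (ab)using the match infrastructure; combining "-m nfacct" with other matches in the same rule is what keeps accounting to a single rule per direction.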