On Thursday 2011-12-15 21:23, Ferenc Wagner wrote:

>Jan Engelhardt <jengelh@xxxxxxxxxx> writes:
>
>> On Wednesday 2011-12-14 15:52, Changli Gao wrote:
>>
>>> On Wed, Dec 14, 2011 at 9:30 PM, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
>>>
>>>> On Wed, Dec 14, 2011 at 09:12:52PM +0800, Changli Gao wrote:
>>>>>
>>>>> Why not use the counters of iptables instead?
>>>>>
>>>>> iptables-save -c
>>>>
>>>> If you want to obtain the sum of the counters that match some criteria,
>>>> you have to iterate over the whole list of existing rules, look for
>>>> matchings and update the counters.
>>>
>>> As I said in another thread, you can redirect the traffic to a
>>> separated chain, and use the counters of that chain.
>>
>> UDCs (user defined chains) don't have counters, though.
>
>So put an empty rule into them. The ip_ plugin of Munin uses this
>technique for quite some time.
>
>>>> Moreover, if you have a large rule-set, polling periodically
>>>> iptables-save -c can be expensive.
>>>
>>> I got it. Thanks. Maybe we can index the entries in the kernel, and
>>> add a new interface to get the counters of a special entry with an
>>> entry ID.
>>
>> Relying on the rule number is a terrible idea (just like
>> iptables-save|head -n5|tail -n1 would be). Unique persistent IDs are
>> unfavorable as well; names, as used with xt_quota2/xt_NFACCT can be
>> remembered much more easily.
>
>Rule names could serve this, couldn't they? And rules can be identified
>by -m comment if batch processing is required.

Then you can just as well use nfacct's name.
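The thread contrasts three ways of reading accounting data out of an iptables ruleset: polling `iptables-save -c` and summing the per-rule counters that match some criterion, putting an empty rule into a user-defined chain so the chain effectively gets a counter, and identifying rules by `-m comment` rather than by position. The following is an added example, not code from the thread, from netfilter, or from the Munin ip_ plugin. It parses the `[pkts:bytes] -A CHAIN rule-spec` lines that `iptables-save -c` emits and implements the three lookups; the two snapshots are constructed sample data, and the second one has an extra rule inserted at the top of INPUT to show why a position-based lookup (the `head|tail` approach Jan dismisses) silently returns a different rule while a name-based lookup does not. nfacct itself is not shown, since it needs the kernel object to exist.

```python
"""Sum iptables-save -c counters by chain or by -m comment name (added example)."""
import re
import shlex
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Tuple

# Per-rule line as printed by `iptables-save -c`: "[pkts:bytes] -A CHAIN spec".
RULE_RE = re.compile(r"^\[(\d+):(\d+)\]\s+-A\s+(\S+)(.*)$")

# Constructed sample output (not a capture from a real host). acct_web and
# acct_dns are user-defined chains; the chain declaration lines carry [0:0]
# because UDCs have no counters of their own, so each chain holds one empty
# rule whose counter is the chain total.
SNAPSHOT = """\
*filter
:INPUT ACCEPT [1200:96000]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [800:64000]
:acct_web - [0:0]
:acct_dns - [0:0]
[500:40000] -A INPUT -p tcp -m multiport --dports 80,443 -j acct_web
[300:21000] -A INPUT -p udp -m udp --dport 53 -j acct_dns
[400:32000] -A INPUT -p tcp -m tcp --dport 22 -m comment --comment "ssh-in" -j ACCEPT
[500:40000] -A acct_web
[300:21000] -A acct_dns
[350:28000] -A OUTPUT -p tcp -m tcp --sport 22 -m comment --comment "ssh-out" -j ACCEPT
COMMIT
"""

# Same ruleset after someone inserted a loopback rule at position 1 of INPUT.
SNAPSHOT_AFTER = SNAPSHOT.replace(
    "[500:40000] -A INPUT -p tcp",
    "[7:560] -A INPUT -i lo -j ACCEPT\n[500:40000] -A INPUT -p tcp", 1)


@dataclass
class Rule:
    chain: str
    packets: int
    bytes: int
    spec: str                # everything after the chain name, stripped
    comment: Optional[str]   # value of -m comment --comment, if present


def _comment_of(spec: str) -> Optional[str]:
    # shlex undoes the quoting iptables-save applies to comment strings.
    tokens = shlex.split(spec)
    for i, tok in enumerate(tokens[:-1]):
        if tok == "--comment":
            return tokens[i + 1]
    return None


def parse_save(text: str) -> List[Rule]:
    """Return the counted rules in table order; headers, chain lines and COMMIT are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        pkts, byts, chain, spec = m.groups()
        spec = spec.strip()
        rules.append(Rule(chain, int(pkts), int(byts), spec, _comment_of(spec)))
    return rules


def sum_counters(rules: Iterable[Rule], pred: Callable[[Rule], bool]) -> Tuple[int, int]:
    """Pablo's approach: walk every rule, keep the ones matching pred, add them up."""
    pkts = byts = 0
    for r in rules:
        if pred(r):
            pkts += r.packets
            byts += r.bytes
    return pkts, byts


def chain_total(rules: Iterable[Rule], chain: str) -> Tuple[int, int]:
    """Counter of the empty rule(s) in a user-defined chain (the Munin trick)."""
    return sum_counters(rules, lambda r: r.chain == chain and r.spec == "")


def named_total(rules: Iterable[Rule], name: str) -> Tuple[int, int]:
    """Counters of every rule tagged -m comment --comment NAME."""
    return sum_counters(rules, lambda r: r.comment == name)


def rule_at(rules: Iterable[Rule], chain: str, n: int) -> Optional[Rule]:
    """Position-based lookup, 1-based like `iptables -L --line-numbers`; fragile."""
    in_chain = [r for r in rules if r.chain == chain]
    return in_chain[n - 1] if 0 < n <= len(in_chain) else None


if __name__ == "__main__":
    before, after = parse_save(SNAPSHOT), parse_save(SNAPSHOT_AFTER)
    print("acct_web chain:", chain_total(before, "acct_web"))
    print("ssh-in by name:", named_total(before, "ssh-in"), named_total(after, "ssh-in"))
    print("INPUT rule 3 before/after:", rule_at(before, "INPUT", 3).comment,
          rule_at(after, "INPUT", 3).comment)
```

Running it prints the acct_web total, the same ssh-in figure from both snapshots, and `ssh-in` versus `None` for "INPUT rule 3", which is the whole point about rule numbers. On a real host this would read `subprocess.run(["iptables-save", "-c"], ...)` output instead of SNAPSHOT, and the cost Pablo mentions is visible in `sum_counters`: every poll touches every rule.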