On Thu, Dec 15, 2011 at 09:23:34PM +0100, Ferenc Wagner wrote:
> Jan Engelhardt <jengelh@xxxxxxxxxx> writes:
>
> > On Wednesday 2011-12-14 15:52, Changli Gao wrote:
> >
> >> On Wed, Dec 14, 2011 at 9:30 PM, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> >>
> >>> On Wed, Dec 14, 2011 at 09:12:52PM +0800, Changli Gao wrote:
> >>>>
> >>>> Why not use the counters of iptables instead?
> >>>>
> >>>> iptables-save -c
> >>>
> >>> If you want to obtain the sum of the counters that match some criteria,
> >>> you have to iterate over the whole list of existing rules, look for
> >>> matchings and update the counters.
> >>
> >> As I said in another thread, you can redirect the traffic to a
> >> separated chain, and use the counters of that chain.
> >
> > UDCs (user defined chains) don't have counters, though.
>
> So put an empty rule into them. The ip_ plugin of Munin has used this
> technique for quite some time.
>
> >>> Moreover, if you have a large rule-set, polling periodically
> >>> iptables-save -c can be expensive.
> >>
> >> I got it. Thanks. Maybe we can index the entries in the kernel, and
> >> add a new interface to get the counters of a special entry with an
> >> entry ID.
> >
> > Relying on the rule number is a terrible idea (just like
> > iptables-save|head -n5|tail -n1 would be). Unique persistent IDs are
> > unfavorable as well; names, as used with xt_quota2/xt_NFACCT can be
> > remembered much more easily.
>
> Rule names could serve this, couldn't they? And rules can be identified
> by -m comment if batch processing is required.

What you propose is hackish. You parse text-based outputs, which is not
the nice way to make things.
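As an added illustration (not code from the thread or from netfilter), here is the "empty rule in a user-defined chain, tagged with -m comment" counter technique Ferenc describes, together with the parsing of `iptables-save -c` text that Pablo objects to; the chain name ACCT_WEB, the comment tags and the sample counter values are constructed assumptions.

```shell
# Added example, not from the thread. Rule setup on a live box (root; shown
# for reference only, not run here):
#   iptables -N ACCT_WEB
#   iptables -A ACCT_WEB -m comment --comment "acct-web" -j RETURN  # empty rule = counter
#   iptables -A INPUT -p tcp --dport 80 -j ACCT_WEB

# Constructed sample of `iptables-save -c` output, as the parsers below see it.
SAMPLE_SAVE='*filter
:INPUT ACCEPT [10:2000]
:ACCT_WEB - [0:0]
[10:2000] -A INPUT -p tcp --dport 80 -j ACCT_WEB
[7:1400] -A ACCT_WEB -m comment --comment "acct-web" -j RETURN
[3:600] -A ACCT_WEB -m comment --comment "acct-ssh" -j RETURN
COMMIT'

# counter_for <comment> [<saved-ruleset>] -> prints "packets bytes" of the
# rule tagged with exactly that comment; exit status 1 if no such rule.
counter_for() {
    comment=$1
    input=${2:-$(iptables-save -c)}
    printf '%s\n' "$input" |
        awk -v want="$comment" '
            # counters lead each rule line as [packets:bytes]; comment is quoted
            /^\[[0-9]+:[0-9]+\] -A / && index($0, "--comment \"" want "\"") {
                gsub(/\[|\]/, "", $1); split($1, c, ":")
                print c[1], c[2]; found = 1; exit
            }
            END { exit (found ? 0 : 1) }'
}

# sum_counters <comment-prefix> [<saved-ruleset>] -> total "packets bytes"
# over every rule whose comment starts with the prefix. This is Pablo's
# point: every poll walks the whole dumped rule set in userspace.
sum_counters() {
    prefix=$1
    input=${2:-$(iptables-save -c)}
    printf '%s\n' "$input" |
        awk -v want="$prefix" '
            /^\[[0-9]+:[0-9]+\] -A / && index($0, "--comment \"" want) {
                gsub(/\[|\]/, "", $1); split($1, c, ":")
                p += c[1]; b += c[2]
            }
            END { print p + 0, b + 0 }'
}
```

Omit the second argument to read the live ruleset instead of the constructed sample.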