On Fri, Dec 16, 2011 at 04:25:54PM +0100, Ferenc Wagner wrote:
> Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> writes:
>
> > What you propose is hackish.
>
> Do you consider creating a new chain with a single empty rule hackish?

No. What I consider hackish is to parse the output of iptables -Lnv, most
likely looking for some pattern that -m comment displays to collect the
counters.

> I accept that nfacct is a more transparent solution. But I don't think
> those single rule counter chains are that bad, either. And they are
> potentially more flexible (which may be an advantage or a disadvantage
> as well). And they don't require adding (and maintaining) new code.
>
> > You parse text-based outputs, which is not the nice way to make
> > things.
>
> Agreed. But I don't see the principal difference: just as you provide
> libnetfilter_acct, someone could provide a similar library for handling
> the rule counters (maybe such a library is already available, I don't
> know). Also, I bet 98% of the uses would involve shell scripts anyway,
> using nfacct_get http-traffic or iptables -vL http-traffic for much the
> same effect. :)

Bad betting, you owe me one beer ;-).

With nfacct you will not need to make shell scripts at all for your
applications. You've got one library that provides one netlink interface
that you can use in your C programs (or whatever language that allows to
make native calls to C functions).
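The "single empty rule counter chain" approach discussed above, together with the text parsing of `iptables -vL` output that the thread calls hackish, as an added example that is not code from either participant or from the netfilter project. The chain name `http-traffic`, the sample outputs and the function names are constructed for illustration; the setup function needs root and a real netfilter stack and is only defined, not run.

```shell
#!/bin/sh
# Added example: a user-defined chain holding one empty rule, used purely
# as a packet/byte counter, and a parser for `iptables -nvxL <chain>`.

# Create the counter chain and feed port-80 traffic through it (root only).
setup_counter_chain() {
    chain="$1"
    iptables -N "$chain"                       # new user-defined chain
    iptables -A "$chain"                       # one empty rule: no match, no target
    iptables -I INPUT  -p tcp --dport 80 -j "$chain"
    iptables -I OUTPUT -p tcp --sport 80 -j "$chain"
}

# Parse `iptables -nvxL <chain>` text from stdin and print "<pkts> <bytes>".
# Only the first two columns are trusted: an empty target column makes every
# later field shift left, and without -x iptables rounds counters to K/M/G
# (lossy), so anything that is not a plain integer is rejected with status 1.
parse_counter_chain() {
    awk '
        NR <= 2 { next }                       # "Chain ..." and column header
        NF < 2  { next }                       # blank or truncated line
        $1 !~ /^[0-9]+$/ || $2 !~ /^[0-9]+$/ {
            print "non-exact counter, rerun with -x: " $0 > "/dev/stderr"
            bad = 1; exit 1
        }
        { pkts += $1; bytes += $2 }
        END { if (!bad) print pkts, bytes }
    '
}

# Live read: combine the two (root only, not run here).
read_counter_chain() {
    iptables -nvxL "$1" | parse_counter_chain
}

# Constructed sample of `iptables -nvxL http-traffic` (exact counters).
SAMPLE_EXACT='Chain http-traffic (2 references)
    pkts      bytes target     prot opt in     out     source               destination
  123456   98765432            all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# Constructed sample of the same chain listed without -x (rounded counters).
SAMPLE_ROUNDED='Chain http-traffic (2 references)
    pkts      bytes target     prot opt in     out     source               destination
    123K        98M            all  --  *      *       0.0.0.0/0            0.0.0.0/0'
```

Run `printf '%s\n' "$SAMPLE_EXACT" | parse_counter_chain` to see the parsed pair; the rounded sample fails the parse, which is the kind of fragility the nfacct netlink interface avoids.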