Re: [PATCH v3 kernel 19/29] add byte threshold capability to nfacct


 



Michael Zintakis <michael.zintakis@xxxxxxxxxxxxxx> wrote:
> Florian Westphal wrote:
> > Michael Zintakis <michael.zintakis@xxxxxxxxxxxxxx> wrote:
> >> * add a 'bthr' variable to each nfacct object, allowing a bytes 'threshold'
> >> to be stored and then reported if/when traffic breaches it.
> > 
> > Again, why is this needed?
> > Why is it useful?
> This is used for measuring traffic "expectancy", i.e. allows one to be able to register what amount of traffic is "expected" to pass through this accounting object. If that traffic threshold is exceeded, this is properly indicated when the accounting object is listed or any statistics for that object are being collected by the nfacct daemon.
> 
> That traffic "expectancy" can be set/reset depending on the nature of the traffic or its source/destination etc, so it is pretty flexible. Again, there is extensive information on this in the (revised) man page if you decide to look at it.

I still don't understand why this needs to be in the kernel.
nfacct gives you the counters, how these are interpreted (e.g. 'higher
than expected') should be entirely up to userspace.

In case you need some way of reacting to excess counters, then perhaps
it makes sense to change nfacct match to allow "greater/less than"
matching expression instead?

E.g.:
-A bla -m nfacct --nfacct-name bla --nfacct-packets 1000000: -m limit
--limit 1/hour -j NFLOG --nflog-prefix 'bla packet threshold'

or something like that?

There is something similar for the conntrack accounting (-m connbytes).
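
The userspace interpretation argued for in the reply above, as an added example that is not part of the original thread or of nfacct itself: it parses counter lines and compares byte counts against thresholds held outside the kernel. The line format is assumed to be the default plain-text output of `nfacct list`; the sample output, object names and thresholds are constructed.

```python
import re

# Assumed default plain-text line printed by `nfacct list`:
#   { pkts = 00000000000000000107, bytes = 00000000000000008988 } = name;
LINE_RE = re.compile(
    r"\{\s*pkts\s*=\s*(?P<pkts>\d+),\s*bytes\s*=\s*(?P<bytes>\d+)\s*\}"
    r"\s*=\s*(?P<name>[^;\s]+);"
)

# Constructed sample output; the object names are hypothetical.
SAMPLE = """\
{ pkts = 00000000000000000107, bytes = 00000000000000008988 } = dns-out;
{ pkts = 00000000000000912345, bytes = 00000000001500000000 } = http-in;
{ pkts = 00000000000000000000, bytes = 00000000000000000000 } = ssh-in;
"""

# Hypothetical per-object byte thresholds, kept entirely in userspace.
THRESHOLDS = {"dns-out": 1_000_000, "http-in": 1_000_000_000}


def parse_counters(text):
    """Return {name: (packets, bytes)}; raise on lines that do not parse."""
    counters = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.fullmatch(line)
        if m is None:
            raise ValueError(f"line {lineno}: unrecognised counter line")
        counters[m["name"]] = (int(m["pkts"]), int(m["bytes"]))
    return counters


def breached(counters, thresholds):
    """Sorted names whose byte counter exceeds its configured threshold.
    Objects without a threshold (ssh-in here) are never reported."""
    return sorted(
        name for name, (_, nbytes) in counters.items()
        if name in thresholds and nbytes > thresholds[name]
    )


if __name__ == "__main__":
    for name in breached(parse_counters(SAMPLE), THRESHOLDS):
        print(f"{name}: byte threshold exceeded")
```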



