Re: [PATCH 1/1] netfilter: xtables: add quota support to nfacct

On Sun, Dec 29, 2013 at 02:53:15PM -0700, Mathieu Poirier wrote:
> On 21 December 2013 01:55, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > On Fri, Dec 20, 2013 at 01:34:00PM -0700, Mathieu Poirier wrote:
> >> On 19 December 2013 12:43, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > [...]
> >> > Thinking again on the event delivery, I think it's better if the
> >> > nfacct match using the new --quota does not deliver the event itself.
> >> > You can use libnetfilter_queue instead, eg.
> >> >
> >> >         iptables -I INPUT -p icmp \
> >> >                  -m nfacct icmp --quota 12345 --mode bytes --match-once \
> >> >                  -j NFLOG --nflog-prefix "icmp: " --nflog-group 34
> >> >
> 
> Thinking further on this...
> 
> Unless I'm missing something the above only specifies when to log
> quota transgression, hence introducing the need to write yet another
> rule to explicitly deal with the packet.  My previous solution logged
> quota excess _and_ dealt with the packet.

What kind of "deal with the packet" you need to make in case you
reach the quota? Please, elaborate your use case with hypothetical
(iptables) examples so I can help better.

> Using 'nfulnl_log_packet()' (if even possible) would seem hackish to me.

I don't like that choice either.
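As an added example (not from this thread or from the patch under discussion): one way to satisfy "log the quota excess and deal with the packet" with the non-event-delivering match Pablo proposes, using a user-defined chain so that the nfacct object is evaluated by exactly one rule. `--nfacct-name` is the stock xt_nfacct option; `--quota` and `--mode` are the options proposed in this thread, not upstream iptables, and are assumed to make the match succeed once the counter is over quota, as in Pablo's example. The chain name, NFLOG group and quota value are placeholders.

```shell
#!/bin/sh
# Added example: emit an iptables-restore fragment that logs (rate-limited)
# and drops ICMP once the "icmp" nfacct object exceeds its byte quota.
# Assumptions: --quota/--mode are the options proposed in this thread, not
# stock iptables, and the match is taken to succeed once the counter is
# over quota. --nfacct-name is the existing xt_nfacct option. Chain name,
# NFLOG group and quota are placeholders.
over_quota_ruleset() {
    quota=$1
    cat <<EOF
*filter
:icmp_over_quota - [0:0]
# Log at most once a minute so a packet flood does not become a log flood;
# a bare NFLOG rule would log every over-quota packet.
-A icmp_over_quota -m limit --limit 1/minute -j NFLOG --nflog-prefix "icmp quota: " --nflog-group 34
-A icmp_over_quota -j DROP
# The nfacct object is referenced by a single rule: every evaluation of the
# nfacct match updates the counter, so a second rule on the same object
# would count each packet twice.
-I INPUT -p icmp -m nfacct --nfacct-name icmp --quota $quota --mode bytes -j icmp_over_quota
COMMIT
EOF
}

# Usage (needs root and the nfacct object created first):
#   nfacct add icmp
#   over_quota_ruleset 12345 | iptables-restore --noflush
```

The point of the user-defined chain is that the quota is evaluated once per packet, while the chain decides both the logging rate and the verdict; `--match-once` is then unnecessary for the logging side, and the DROP sees every over-quota packet rather than only the first one.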