I followed the same approach as in net/netfilter/nf_conntrack_netlink.c: I put the filter code under ifdef. It seems that if the NFACCT_FILTER attribute is not supported on the kernel side, the client cannot detect it.

Because there is no way to identify the version number of the serialized message, the solution for counters is not so robust, e.g. the kernel side could be extended with a new NFACCT_F_QUOTA_* value, but the client side not. In this case an old version of the client side will get an incorrect response to a counters request. I think OS vendors should keep it in sync.

I didn't find a way to support listing/resetting quota of any available type (NFACCT_F_QUOTA) in one request with only one condition.

I saw the thread "[RFC PATCH libnetfilter_conntrack] add userspace dump filter". For my purpose, where I want to receive only non-zero counters, the proposed way should be extended with a list. NFACCT_FILTER should have NESTED type as you proposed, and it should also contain an array of nfacct_filter. The condition should traverse the list as well.

Because receiving counters is a primary requirement for me and non-zero counters are a minor optimization requirement, I decided to send a patch without the key field in the nfacct_filter structure at the first stage. But if you wish, I could. I mean, if you want the key field and fetching by that key, it could be in this patch as well.

If you are OK with the protocol, I'll send the client side patch as well.

Alexey Perevalov (1):
  netfilter: nfnetlink_acct: add filter support to nfacct counter list/reset

 include/uapi/linux/netfilter/nfnetlink_acct.h |   12 +++++
 net/netfilter/Kconfig                         |    9 ++++
 net/netfilter/nfnetlink_acct.c                |   61 +++++++++++++++++++++++++
 3 files changed, 82 insertions(+)

--
1.7.9.5