On 12 January 2015 at 13:37, Patrick McHardy <kaber@xxxxxxxxx> wrote:
> On 12.01, Pablo Neira Ayuso wrote:
>> On Mon, Jan 12, 2015 at 12:48:35PM +0100, Arturo Borrero Gonzalez wrote:
>> > On 12 January 2015 at 11:55, <ana@xxxxxxxxx> wrote:
>> > >
>> > > table ip filter {
>> > > acct http-traffic { pkts 779 bytes 99495}
>> > > acct https-traffic { pkts 189 bytes 37824}
>> > >
>> > > chain output {
>> > > type filter hook output priority 0;
>> > > tcp dport http acct http-traffic
>> > > tcp dport https acct https-traffic
>> > > }
>> > > }
>> > >
>> >
>> > Interesting, Ana!
>> >
>> > I understand that acct objects are bounded to a table/family.
>> > Why not make them globals? So we could increment same counters from
>> > different families/tables.
>>
>> Indeed. The existing binding between acct and tables is superfluous.
>> With sets, we need that to check for loops in verdict maps.
>>
>> So counters can become also top-level identifier as it happens with
>> tables, ie.
>>
>> counters {
>> http-traffic { pkts 779 bytes 99495}
>> acct https-traffic { pkts 189 bytes 37824}
>> }
>>
>> table ip filter {
>> chain output {
>> type filter hook output priority 0;
>> tcp dport http counter http-traffic
>> tcp dport https counter https-traffic
>> }
>> }
>>
>> Patrick, any comment on that?
>
> I'm unsure, we don't have any global objects so far, this might open
> another can of flushing/ordering etc problems. If it works without
> problems, I can see both variants being useful. Given that we only
> need a list to store them we might be able to support both by minor
> adjustments to the lookup function.
>
> If we do actually want to support both, I'd suggest to start using
> just table scope and expand it later.
Ok :-)
--
Arturo Borrero González
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
