On 12/01/15 21:43, Arturo Borrero Gonzalez wrote:
> On 12 January 2015 at 13:37, Patrick McHardy <kaber@xxxxxxxxx> wrote:
>> On 12.01, Pablo Neira Ayuso wrote:
>>> On Mon, Jan 12, 2015 at 12:48:35PM +0100, Arturo Borrero Gonzalez wrote:
>>>> On 12 January 2015 at 11:55, <ana@xxxxxxxxx> wrote:
>>>>>
>>>>> table ip filter {
>>>>> acct http-traffic { pkts 779 bytes 99495}
>>>>> acct https-traffic { pkts 189 bytes 37824}
>>>>>
>>>>> chain output {
>>>>> type filter hook output priority 0;
>>>>> tcp dport http acct http-traffic
>>>>> tcp dport https acct https-traffic
>>>>> }
>>>>> }
>>>>>
>>>>
>>>> Interesting, Ana!
>>>>
>>>> I understand that acct objects are bounded to a table/family.
>>>> Why not make them globals? So we could increment same counters from
>>>> different families/tables.
>>>
>>> Indeed. The existing binding between acct and tables is superfluous.
>>> With sets, we need that to check for loops in verdict maps.
>>>
>>> So counters can become also top-level identifier as it happens with
>>> tables, ie.
>>>
>>> counters {
>>> http-traffic { pkts 779 bytes 99495}
>>> acct https-traffic { pkts 189 bytes 37824}
>>> }
>>>
>>> table ip filter {
>>> chain output {
>>> type filter hook output priority 0;
>>> tcp dport http counter http-traffic
>>> tcp dport https counter https-traffic
>>> }
>>> }
>>>
>>> Patrick, any comment on that?
>>
>> I'm unsure, we don't have any global objects so far, this might open
>> another can of flushing/ordering etc problems. If it works without
>> problems, I can see both variants being useful. Given that we only
>> need a list to store them we might be able to support both by minor
>> adjustments to the lookup function.
>>
>> If we do actually want to support both, I'd suggest to start using
>> just table scope and expand it later.
>
> Ok :-)
ok.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
