On 16 March 2016 at 12:16, Miguel Angel Ajo Pelayo <majopela@xxxxxxxxxx> wrote:
> I was considering the possibility of making a small contribution to
> conntrack-tool to allow the batching of commands in a single conntrack-tool call.
>
> Specifically I'm interested in batching delete commands.
>
> In some of the neutron reference implementations we make use of conntrack-tool
> to target and kill any active connection when security group rules are removed.
>
> That sometimes expands into thousands of calls due to combinations (the worst
> scenario is n_port^2 calls for a very common type of rule we have).
>
> So I was considering two options:
>
> 1) Adding a mode to accept conntrack-tool actions via stdin
> 2) Accepting the cmdline notation of separating multiple command lines
>    with "--" in a single call to conntrack-tool.
>
> Any thoughts or recommendations in this regard?

Hi Miguel Angel,

I wonder if the kernel supports batching of messages in ctnetlink. You may want to check the sources [0][1].

Perhaps you want the conntrack utility to simply chain a lot of calls to the kernel rather than a proper batch of messages. In this case, I don't know exactly why, but I like your option 2) more.

[0] http://lxr.free-electrons.com/source/net/netfilter/nf_conntrack_netlink.c#L3260
[1] http://lxr.free-electrons.com/source/net/netfilter/nfnetlink.c#L282

--
Arturo Borrero González
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
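As an added illustration (not code from this thread or from conntrack-tools), the sketch below parses the two proposed input notations, option 1 (one action per stdin line) and option 2 (actions separated by "--" in a single argv), into individual conntrack argument lists and runs them from one driver process. It only chains userspace calls, as Arturo notes, not a ctnetlink batch; the binary name `conntrack` and the sample `-D` arguments are assumptions.

```python
"""Parse batched conntrack-tool actions (options 1 and 2 from the thread) and run them."""
import shlex
import subprocess
import sys
from typing import Iterable, List, Tuple

CONNTRACK = "conntrack"  # assumed name of the conntrack-tool binary on PATH


def split_on_separator(argv: List[str], sep: str = "--") -> List[List[str]]:
    """Option 2: split one argv on "--" into separate conntrack argument lists.
    Leading, trailing or doubled separators produce no empty action."""
    batches, current = [], []
    for arg in argv:
        if arg == sep:
            if current:
                batches.append(current)
            current = []
        else:
            current.append(arg)
    if current:
        batches.append(current)
    return batches


def read_from_stdin(lines: Iterable[str]) -> List[List[str]]:
    """Option 1: one conntrack action per line; blank lines and '#' comments are skipped.
    shlex handles quoted values such as a label containing spaces."""
    return [shlex.split(s) for s in (line.strip() for line in lines)
            if s and not s.startswith("#")]


def run_batches(batches: List[List[str]], dry_run: bool = True) -> List[Tuple[List[str], int]]:
    """Run every action and collect failures instead of aborting at the first one,
    so one bad entry does not leave the remaining connections alive.
    Returns a list of (command, exit status) for the actions that failed."""
    failures = []
    for args in batches:
        cmd = [CONNTRACK, *args]
        if dry_run:  # show what would run without touching the conntrack table
            print(" ".join(shlex.quote(a) for a in cmd))
            continue
        rc = subprocess.run(cmd).returncode
        if rc != 0:
            failures.append((cmd, rc))
    return failures


if __name__ == "__main__":
    # Constructed sample: two delete actions in the "--" notation (option 2).
    sample = ["-D", "-s", "10.0.0.1", "--", "-D", "-d", "10.0.0.2", "-p", "tcp", "--"]
    actions = split_on_separator(sys.argv[1:] or sample)
    sys.exit(1 if run_batches(actions, dry_run=True) else 0)
```

Each action still costs one process and one netlink exchange; only a change inside conntrack-tool itself could collapse them into fewer kernel round trips.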