On Thu, Mar 1, 2018 at 12:09 AM, Florian Westphal <fw@xxxxxxxxx> wrote:
> Yi-Hung Wei <yihung.wei@xxxxxxxxx> wrote:
>> Currently, nf_conncount_count() counts the number of connections that
>> match key and inserts a conntrack 'tuple' associated with the key into
>> the accounting data structure. This patch supports another use case that
>> only counts the number of connections associated with the key without
>> providing a 'tuple'. Therefore, proper changes are made on
>> nf_conncount_count() to support the case where 'tuple' is NULL.
>
> Normal use case is to combine this with another match to only lookup
> start of a connection (-p tcp --syn in iptables, or -m conntrack
> --ctstate NEW and the like).
>
> Could you perhaps illustrate how this is going to be used?
>

I am thinking about using the nf_conncount backend to limit the number of
connections in particular zones for OVS. A use case for us is to query the
number of connections in a particular zone without adding a new entry to that
zone. This could be useful for querying statistics or debugging purposes.

Thanks,

-Yi-Hung
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
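The two call patterns discussed in the thread, count-and-insert at connection start versus a pure query with a NULL tuple, as an added illustration. This is not kernel code and not the nf_conncount or OVS implementation: the structures and function names (zone_counter, conncount_count, conncount_admit) are hypothetical stand-ins chosen to show the semantics only, and the connection tuples are constructed sample data.

```c
/* Added example, not kernel or OVS code: a simplified model of the two
 * nf_conncount_count() call patterns discussed in the thread.  All names
 * here are hypothetical; the real nf_conncount API and data structures
 * differ (in particular, the kernel version walks conntrack to drop entries
 * whose connection has gone away, which this model omits). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_TUPLES 64

/* A "tuple" stands in for a conntrack 5-tuple. */
struct tuple {
    uint32_t src, dst;
    uint16_t sport, dport;
    uint8_t  proto;
};

/* Per-key (here: per-zone) accounting structure. */
struct zone_counter {
    uint32_t key;                  /* zone id the entries belong to */
    struct tuple tuples[MAX_TUPLES];
    size_t n;
};

static int tuple_eq(const struct tuple *a, const struct tuple *b)
{
    return a->src == b->src && a->dst == b->dst &&
           a->sport == b->sport && a->dport == b->dport &&
           a->proto == b->proto;
}

/* Count the connections tracked for this zone.
 * tuple != NULL: the normal path at connection start; the tuple is inserted
 *                if not already present (a retransmitted SYN is not counted twice).
 * tuple == NULL: query only; the structure is left untouched. */
size_t conncount_count(struct zone_counter *zc, const struct tuple *tuple)
{
    if (tuple == NULL)
        return zc->n;
    for (size_t i = 0; i < zc->n; i++)
        if (tuple_eq(&zc->tuples[i], tuple))
            return zc->n;          /* already accounted */
    if (zc->n < MAX_TUPLES)
        zc->tuples[zc->n++] = *tuple;
    return zc->n;
}

/* Caller-side limit policy: admit a new connection only while the zone
 * stays within `limit`.  Uses the NULL-tuple query to learn whether the
 * insert actually added an entry, and rolls it back when over the limit. */
int conncount_admit(struct zone_counter *zc, const struct tuple *tuple, size_t limit)
{
    size_t before = conncount_count(zc, NULL);     /* pure query */
    size_t after  = conncount_count(zc, tuple);    /* count + insert */
    if (after == before)
        return 1;                  /* tuple was already tracked: nothing new */
    if (after > limit) {
        zc->n--;                   /* undo the append we just made */
        return 0;
    }
    return 1;
}

/* Constructed sample tuple: client src with a varying source port to a fixed server. */
static struct tuple mk(uint32_t src, uint16_t sport)
{
    struct tuple t = { .src = src, .dst = 0x0a000001u, .sport = sport,
                       .dport = 443, .proto = 6 };
    return t;
}

/* Scenario 1: three connections start, then the zone is queried five times
 * with tuple == NULL.  Returns the final count, which stays at 3: a query
 * never creates an entry. */
size_t demo_query_does_not_insert(void)
{
    struct zone_counter zc = { .key = 7 };
    for (uint16_t p = 40000; p < 40003; p++) {
        struct tuple t = mk(0xc0a80001u, p);
        conncount_count(&zc, &t);
    }
    size_t n = 0;
    for (int i = 0; i < 5; i++)
        n = conncount_count(&zc, NULL);
    return n;
}

/* Scenario 2: limit of 2 per zone, four distinct connection attempts, then a
 * retransmitted SYN for the first (already admitted) one.  Returns the
 * number of admitted calls: 2 new + 1 already-tracked = 3. */
int demo_limit_enforced(void)
{
    struct zone_counter zc = { .key = 7 };
    int admitted = 0;
    for (uint16_t p = 50000; p < 50004; p++) {
        struct tuple t = mk(0xc0a80002u, p);
        admitted += conncount_admit(&zc, &t, 2);
    }
    struct tuple again = mk(0xc0a80002u, 50000);
    admitted += conncount_admit(&zc, &again, 2);
    return admitted;
}

int main(void)
{
    printf("count after NULL queries: %zu\n", demo_query_does_not_insert());
    printf("admitted with limit 2:    %d\n", demo_limit_enforced());
    return 0;
}
```

The point of the NULL-tuple path is visible in `demo_query_does_not_insert`: statistics or debugging reads leave the accounting state as they found it, so monitoring cannot inflate a zone's count and trip the limit on its own. The insert path still belongs only at connection start, as Florian notes for the `--syn` / `--ctstate NEW` combination; feeding every packet through it would count the same flow once per packet, which is why the model de-duplicates tuples before appending.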