Yi-Hung Wei <yihung.wei@xxxxxxxxx> wrote:
> On Thu, Mar 1, 2018 at 12:09 AM, Florian Westphal <fw@xxxxxxxxx> wrote:
> > Yi-Hung Wei <yihung.wei@xxxxxxxxx> wrote:
> >> Currently, nf_conncount_count() counts the number of connections that
> >> match a key and inserts a conntrack 'tuple' associated with the key into
> >> the accounting data structure. This patch supports another use case that
> >> only counts the number of connections associated with the key without
> >> providing a 'tuple'. Therefore, proper changes are made to
> >> nf_conncount_count() to support the case where 'tuple' is NULL.
> >
> > Normal use case is to combine this with another match to only lookup
> > start of a connection (-p tcp --syn in iptables, or -m conntrack
> > --ctstate NEW and the like).
> >
> > Could you perhaps illustrate how this is going to be used?
> >
>
> I am thinking about using the nf_conncount backend to limit the number
> of connections in particular zones for OVS. A use case for us is to
> query the number of connections in a particular zone without adding
> a new entry to that zone. This could be useful for querying statistics
> or for debugging purposes.

Ok, fair enough, thanks for explaining this.
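The two call shapes discussed above (count-and-record versus count-only with a NULL tuple), as an added C illustration written for this page. It is not the kernel's nf_conncount code or the patch itself: the per-key list, the tuple layout, and the names conncount_count(), conn_allowed(), mark_closed() and demo() are assumptions chosen to model the behaviour the thread describes, where a statistics or debugging query must not add an entry under the key.

```c
/* Added illustration, not kernel code. Models one accounting list (the
 * entries stored under one key, here a zone id) with a fixed capacity.
 * conncount_count(list, tuple): count live entries, record 'tuple' if new.
 * conncount_count(list, NULL):  count live entries only (pure query).
 * All identifiers are hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define CONNCOUNT_CAP 64

/* Stand-in for a conntrack tuple: IPv4 5-tuple. */
struct tuple {
    uint32_t saddr, daddr;
    uint16_t sport, dport;
    uint8_t  proto;
};

struct conn_entry {
    struct tuple t;
    bool dead;  /* stands in for "the conntrack entry no longer exists" */
};

struct conncount_list {
    uint16_t zone;
    unsigned int n;
    struct conn_entry e[CONNCOUNT_CAP];
};

/* Field-wise compare: avoids memcmp() over struct padding. */
static bool tuple_eq(const struct tuple *a, const struct tuple *b)
{
    return a->saddr == b->saddr && a->daddr == b->daddr &&
           a->sport == b->sport && a->dport == b->dport &&
           a->proto == b->proto;
}

/* Reap dead entries, count the live ones, and record 'tuple' if it is
 * non-NULL and not already present. With tuple == NULL nothing is added.
 * Returns the count after the optional insertion, (unsigned)-1 if full. */
static unsigned int conncount_count(struct conncount_list *l, const struct tuple *tuple)
{
    unsigned int i = 0, count = 0;
    bool found = false;

    while (i < l->n) {
        if (l->e[i].dead) {             /* reap by swapping in the last entry */
            l->e[i] = l->e[--l->n];
            continue;
        }
        if (tuple && tuple_eq(&l->e[i].t, tuple))
            found = true;
        count++;
        i++;
    }
    if (!tuple || found)
        return count;
    if (l->n == CONNCOUNT_CAP)
        return (unsigned int)-1;
    l->e[l->n].t = *tuple;
    l->e[l->n].dead = false;
    l->n++;
    return count + 1;
}

/* Limit check on a new connection: record it, then compare against 'limit'. */
static bool conn_allowed(struct conncount_list *l, const struct tuple *t, unsigned int limit)
{
    unsigned int c = conncount_count(l, t);
    return c != (unsigned int)-1 && c <= limit;
}

/* Simulates the conntrack entry for 't' going away. */
static void mark_closed(struct conncount_list *l, const struct tuple *t)
{
    for (unsigned int i = 0; i < l->n; i++)
        if (tuple_eq(&l->e[i].t, t))
            l->e[i].dead = true;
}

struct demo_result {
    unsigned int after_two_opens;    /* NULL-tuple query after a and b recorded */
    unsigned int len_after_query;    /* list length after that query */
    bool third_allowed;              /* third connection against limit 2 */
    unsigned int after_close;        /* query after a closes and c never establishes */
};

/* Constructed scenario: two connections open in zone 1, a statistics query,
 * a third connection checked against a limit of 2, then two entries die. */
static struct demo_result demo(void)
{
    struct demo_result r;
    struct conncount_list zone1 = { .zone = 1, .n = 0 };
    struct tuple a = { .saddr = 0x0a000001, .daddr = 0x0a000002,
                       .sport = 40000, .dport = 80, .proto = 6 };
    struct tuple b = a, c = a;
    b.sport = 40001;
    c.sport = 40002;

    conncount_count(&zone1, &a);                       /* recorded, count 1 */
    conncount_count(&zone1, &b);                       /* recorded, count 2 */
    r.after_two_opens = conncount_count(&zone1, NULL); /* query only */
    r.len_after_query = zone1.n;                       /* unchanged by the query */
    r.third_allowed = conn_allowed(&zone1, &c, 2);     /* 3 > 2: refused */
    mark_closed(&zone1, &a);                           /* a closes */
    mark_closed(&zone1, &c);                           /* refused c never establishes */
    r.after_close = conncount_count(&zone1, NULL);     /* only b remains live */
    return r;
}

int main(void)
{
    struct demo_result r = demo();
    printf("query after two opens: %u (list length %u)\n", r.after_two_opens, r.len_after_query);
    printf("third connection allowed under limit 2: %s\n", r.third_allowed ? "yes" : "no");
    printf("query after a closes and c is reaped: %u\n", r.after_close);
    return 0;
}
```

The point the scenario isolates is the second query: it returns the same count as the first and leaves the list length at 2, which is what a statistics or debugging lookup needs and what passing a real tuple would break by adding an entry under the key.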