On Mon, 4 Nov 2024 at 10:19, Nadia Pinaeva <n.m.pinaeva@xxxxxxxxx> wrote:
>
> Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > I'd suggest to add timestamping support to the trace infrastructure
> > for this purpose so you can collect more accurate numbers of chain
> > traversal, this can be hidden under static_key.
>
> Another problem with that idea is that I am building an observability tool,
> so I can't modify/insert any rules, because someone else manages them.
> When using conntrack events, the only change I need is enabling
> nf_conntrack_timestamp.
>
> On Mon, 4 Nov 2024 at 10:39, Florian Westphal <fw@xxxxxxxxx> wrote:
> >
> > Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > > I'd suggest to add timestamping support to the trace infrastructure
> > > for this purpose so you can collect more accurate numbers of chain
> > > traversal, this can be hidden under static_key.
> >
> > This might work for nft and iptables-nft, but not for iptables-legacy
> > (not sure it's a requirement) or OVS.
>

(Disclaimer, I'm working with Nadia on this) one goal for the tool is to
be completely passive and avoid modifying the system at runtime, so it
can be used with different implementations of the Kubernetes dataplane.
The use of conntracks is because we are interested in "connections"
metrics, that are the ones that are more visible to users. The
conntrack subsystem already has the information needed, so the more
accurate the metrics the better ...