Hi there,

I'd like to start a discussion about a feature to be integrated into the netfilter code. Let's assume a connection would have two additional fields, e.g.

    uint32 uCounter
    boolean bLOGFIN

You could easily count the bytes for each connection within uCounter. Additionally, the log flag could be used for logging purposes when the connection is destroyed (either through FIN or through conntrack timeout), to mark that the connection should be logged when it is removed from memory.

Basically I'm thinking of a kernel LOG output like this:

    Oct 29 02:26:55 goethe kernel: DIR=out IN=eth0 OUT=ppp0 SRC=10.10.10.4 DST=64.12.161.185 ID=10971 PROTO=TCP SPT=4732 DPT=5190 LEN=47123

Which is nothing new for a modern conntrack system.

I cannot oversee the consequences for other netfilter modules if the connection struct would be extended. So any core developer's comment would also be appreciated...

I'd also like to hear comments or maybe any other ideas to realize this behaviour without pumping every pkt to userspace or using a time-consuming libpcap implementation.

Greetings from Germany
Michael

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Yesterday is history,
Tomorrow is a mystery
but Today is a gift.
That's why they call it present..
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
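The proposal above, modelled in userspace C as an added example that is not part of the original post and is not netfilter code: per-packet accounting into uCounter and a single summary line emitted at destroy time when bLOGFIN is set. The struct layout, the function names conn_account and conn_destroy, and the choice to saturate the 32-bit counter rather than let it wrap are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of a tracked connection with the two proposed fields. */
struct conn {
    const char *in, *out, *src, *dst;  /* interfaces and addresses */
    uint16_t id, spt, dpt;
    uint32_t uCounter;                 /* bytes accounted to this connection */
    bool bLOGFIN;                      /* log a summary when the entry is destroyed */
};

/* Per-packet accounting. Assumption: saturate at UINT32_MAX so a flow larger
 * than 4 GiB is reported as "at least 4 GiB" instead of a small wrapped value. */
void conn_account(struct conn *c, uint32_t pkt_len)
{
    if (UINT32_MAX - c->uCounter < pkt_len)
        c->uCounter = UINT32_MAX;
    else
        c->uCounter += pkt_len;
}

/* Called once when the entry goes away (FIN or conntrack timeout).
 * Writes the summary line into buf; returns its length, or 0 if not flagged. */
int conn_destroy(const struct conn *c, char *buf, size_t len)
{
    if (!c->bLOGFIN) {
        if (len) buf[0] = '\0';
        return 0;
    }
    return snprintf(buf, len,
        "DIR=out IN=%s OUT=%s SRC=%s DST=%s ID=%u PROTO=TCP SPT=%u DPT=%u LEN=%lu",
        c->in, c->out, c->src, c->dst, (unsigned)c->id,
        (unsigned)c->spt, (unsigned)c->dpt, (unsigned long)c->uCounter);
}

int main(void)
{
    /* Sample values taken from the log line in the post. */
    struct conn c = { .in = "eth0", .out = "ppp0", .src = "10.10.10.4",
                      .dst = "64.12.161.185", .id = 10971, .spt = 4732,
                      .dpt = 5190, .uCounter = 0, .bLOGFIN = true };
    char line[256];
    conn_account(&c, 47000);
    conn_account(&c, 123);
    if (conn_destroy(&c, line, sizeof line) > 0)
        printf("%s (%zu chars)\n", line, strlen(line));
    return 0;
}
```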