On Tue, Dec 14, 2010 at 11:28:33AM +0100, René Hummen wrote:
> On 14.12.2010, at 02:50, Christof Mroz wrote:
> > On Mon, 13 Dec 2010 23:40:41 +0100, Stefan Götz
> > <stefan.goetz@xxxxxxxxxxxxxxxxx> wrote:
> >
> >>> === modified file 'firewall/conntrack.c'
> >>> --- firewall/conntrack.c 2010-12-13 19:09:27 +0000
> >>> +++ firewall/conntrack.c 2010-12-13 21:28:35 +0000
> >>> @@ -50,6 +52,7 @@
> >
> > [ ... more than 100 lines of unrelated context ...]
> >
> >>> @@ -1956,3 +2088,273 @@
> >>> +
> >>> +/**
> >>> + * Info about currently set esp rules and their respective packet counts.
> >>> + */
> >>> +struct esp_rule_status {
> >>> + uint32_t spi; /**< security parameter index */
> >>> + struct in6_addr addr; /**< dest address (may be IPV4-mapped)
> >>> */
> >>> + unsigned int packet_count; /**< number of packets received */
> >>> +};
> >>
> >> It seems that quite a bit of effort went into the periodic clean-up of
> >> the iptables rules. Would it be possible to simply reset the iptables
> >> counters periodically to 0 (iptables -Z <table name>) and then only
> >> remove those rules where the counters are still zero after another
> >> period? If that works, it should be a lot simpler than the method used
> >> here.
> >
> > I remember discussing zeroing with René either on the list or in
> > real-life and it was considered too confusing (clobbering "globally
> > visible" data, relying on "iptables -nLv" output seems to be
> > common). Maybe we weren't aware that zeroing individual chains
> > (rather than all) is possible back then. It would indeed do away
> > with the packet counter, and I'm in favor of that.
>
> Yes, we didn't consider that. So, I'm fine with zeroing.

Snipping quotes very much appreciated, thank you :)

Diego
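Review bot: in the `struct esp_rule_status` hunk (`@@ -1956,3 +2088,273 @@`), the comment on `packet_count`, "number of packets received", does not say whether the value is cumulative since the rule was installed or only the packets seen since the last poll, and the periodic clean-up the thread discusses depends on exactly that difference; state it in the comment. `unsigned int` is also a narrow type for a counter that tracks a long-lived, busy SA: once it wraps it can read as zero and make an active rule look idle, so a wider type (`uint64_t`) is safer if the field stays. If the thread's decision to zero the chain counters with `iptables -Z` is adopted, the field is no longer needed and the struct reduces to `spi` and `addr`.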
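The zeroing scheme Stefan proposes above (reset the chain's counters, wait one period, delete the rules whose counters are still zero), written out as an added shell example. This is not HIPL code and not code from the thread: the chain name HIPFW_ESP_IN, the PERIOD variable and the `iptables -nvxL` listing it parses are all assumed or constructed here, and the listing is embedded so the parsing can be exercised without root or a running firewall.

```shell
#!/bin/sh
# Added example (not HIPL's): garbage-collect idle ESP rules by zeroing a
# single chain's counters and removing the rules that stay at zero.
# Assumptions: the ESP rules live in a chain named HIPFW_ESP_IN, and the
# clean-up runs every PERIOD seconds.

CHAIN="${CHAIN:-HIPFW_ESP_IN}"
PERIOD="${PERIOD:-60}"

# Constructed sample of `iptables -nvxL $CHAIN` output one period after the
# counters were zeroed. SPIs and addresses are made up for the example.
sample_listing() {
    cat <<'EOF'
Chain HIPFW_ESP_IN (1 references)
    pkts      bytes target     prot opt in     out     source               destination
      42     5040 ACCEPT     esp  --  *      *       0.0.0.0/0            192.0.2.10           esp spi:0x1a2b3c4d
       0        0 ACCEPT     esp  --  *      *       0.0.0.0/0            192.0.2.11           esp spi:0x5e6f7a8b
       7      840 ACCEPT     esp  --  *      *       0.0.0.0/0            192.0.2.12           esp spi:0x9c0d1e2f
       0        0 ACCEPT     esp  --  *      *       0.0.0.0/0            198.51.100.5         esp spi:0x01020304
EOF
}

# Read a `iptables -nvxL <chain>` listing on stdin and print the 1-based
# numbers of the rules whose packet counter is 0, highest number first so
# that deleting them in that order does not shift the remaining numbers.
# The first two lines are the chain banner and the column header.
idle_rule_numbers() {
    awk 'NR > 2 && $1 ~ /^[0-9]+$/ && $1 + 0 == 0 { print NR - 2 }' | sort -rn
}

# Turn the listing on stdin into the deletion commands, without running them.
gc_commands() {
    idle_rule_numbers | while read -r n; do
        printf 'iptables -D %s %s\n' "$CHAIN" "$n"
    done
}

# One real clean-up cycle (needs root and iptables; not invoked here).
# -L and -Z may be combined in one iptables invocation, which lists the
# counters and zeroes them together, so a packet arriving between a
# separate list and a separate zero is not lost. Rules still at 0 saw no
# ESP traffic during the last PERIOD seconds and are removed.
gc_cycle() {
    iptables -nvxL "$CHAIN" -Z | idle_rule_numbers | while read -r n; do
        iptables -D "$CHAIN" "$n"
    done
}

# Demonstration on the constructed listing: prints the two -D commands.
sample_listing | gc_commands
```

Run `gc_cycle` from a loop (`while sleep "$PERIOD"; do gc_cycle; done`) after an initial `iptables -Z "$CHAIN"`. Two caveats a deployment needs to handle: a rule inserted after the last zeroing that has not yet seen its first ESP packet is also at 0, so rules younger than one period must be skipped (for instance by recording the insertion time next to the SPI), and zeroing the chain clobbers the counters an operator sees in `iptables -nvL`, which is the objection Christof recalls above; zeroing only this chain rather than the whole table limits that.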