[hipl-dev] Re: [Merge] lp:~diego-biurrun/hipl/hipfw-performance into lp:hipl

  • From: Diego Biurrun <diego@xxxxxxxxxx>
  • To: hipl-dev@xxxxxxxxxxxxx
  • Date: Tue, 14 Dec 2010 15:19:11 +0100

On Tue, Dec 14, 2010 at 11:28:33AM +0100, René Hummen wrote:
> On 14.12.2010, at 02:50, Christof Mroz wrote:
> > On Mon, 13 Dec 2010 23:40:41 +0100, Stefan Götz 
> > <stefan.goetz@xxxxxxxxxxxxxxxxx> wrote:
> > 
> >>> === modified file 'firewall/conntrack.c'
> >>> --- firewall/conntrack.c  2010-12-13 19:09:27 +0000
> >>> +++ firewall/conntrack.c  2010-12-13 21:28:35 +0000
> >>> @@ -50,6 +52,7 @@
> > 
> > [ ... more than 100 lines of unrelated context ...]
> > 
> >>> @@ -1956,3 +2088,273 @@
> >>> +
> >>> +/**
> >>> + * Info about currently set esp rules and their respective packet counts.
> >>> + */
> >>> +struct esp_rule_status {
> >>> +    uint32_t        spi;          /**< security parameter index  */
> >>> +    struct in6_addr addr;         /**< dest address (may be IPV4-mapped) 
> >>> */
> >>> +    unsigned int    packet_count; /**< number of packets received */
> >>> +};
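Review bot: `packet_count` in `struct esp_rule_status` (the `@@ -1956,3 +2088,273 @@` hunk) keeps a userspace copy of a per-rule packet count that iptables already maintains for every rule, and the discussion that follows settles on zeroing the chain's own counters with `iptables -Z` instead; if that approach is adopted, the field and whatever bookkeeping feeds it in the rest of the 273 added lines can go. While it is still there, the struct mixes the fixed-width `uint32_t` for `spi` with a plain `unsigned int` for `packet_count`; pick one width for the whole struct so the size and the doxygen comments stay consistent.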
> >> 
> >> It seems that quite a bit of effort went into the periodic clean-up of
> >> the iptables rules. Would it be possible to simply reset the iptables
> >> counters periodically to 0 (iptables -Z <table name>) and then only
> >> remove those rules where the counters are still zero after another
> >> period? If that works, it should be a lot simpler than the method used
> >> here.
> >
> > I remember discussing zeroing with René either on the list or in
> > real life and it was considered too confusing (clobbering "globally
> > visible" data, relying on "iptables -nLv" output seems to be
> > common). Maybe we weren't aware that zeroing individual chains
> > (rather than all) is possible back then. It would indeed do away
> > with the packet counter, and I'm in favor of that.
>
> Yes, we didn't consider that. So, I'm fine with zeroing.

Snipping quotes very much appreciated, thank you :)

Diego
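Stefan's zero-then-purge idea from the thread above, written out as an added shell example (not HIPL code and not part of this mail): it assumes a hypothetical user-defined chain HIPFW_ESP holding the per-SPI ESP rules, zeroes only that chain rather than the whole table as Christof notes is possible, and uses a constructed `iptables -nvL` listing as sample input so the parsing part runs offline.

```shell
#!/bin/bash
# Added example, not HIPL code. Chain name is an assumption.
CHAIN="${CHAIN:-HIPFW_ESP}"

# Constructed sample of `iptables -nvL HIPFW_ESP -x --line-numbers` output:
# rules 1 and 3 saw no packets since the last zeroing, rule 2 saw 42.
SAMPLE_LISTING='Chain HIPFW_ESP (1 references)
num   pkts  bytes target  prot opt in  out source     destination
1        0      0 ACCEPT  esp  --  *   *   0.0.0.0/0  10.0.0.5  esp spi:0x11223344
2       42   5040 ACCEPT  esp  --  *   *   0.0.0.0/0  10.0.0.6  esp spi:0x55667788
3        0      0 ACCEPT  esp  --  *   *   0.0.0.0/0  10.0.0.7  esp spi:0x99aabbcc'

# Read a listing on stdin and print the rule numbers whose packet counter is
# still 0. The "Chain" and "num" header lines are skipped because their first
# field is not numeric. Output is highest rule number first, so deleting them
# one at a time does not renumber the rules still waiting to be deleted.
idle_rule_numbers() {
    awk '$1 ~ /^[0-9]+$/ && $2 == 0 { print $1 }' | sort -rn
}

# One clean-up cycle: zero only this chain's counters (a side effect anyone
# reading `iptables -nvL` will see, which was the original objection), wait
# one period, then drop every rule that matched nothing in between. A rule
# hit between the listing and the delete is lost; the approach accepts that.
purge_idle_rules() {
    period="$1"
    iptables -Z "$CHAIN"
    sleep "$period"
    iptables -nvL "$CHAIN" -x --line-numbers | idle_rule_numbers |
    while read -r num; do
        iptables -D "$CHAIN" "$num"
    done
}

# Offline demonstration on the constructed listing: prints 3 then 1.
printf '%s\n' "$SAMPLE_LISTING" | idle_rule_numbers
```

Only `purge_idle_rules` touches iptables and needs root; the parsing step can be checked against a saved listing first.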