    netfilter: accounting rework: ct_extend + 64bit counters (v4) · 58401572
    Krzysztof Piotr Oledzki authored
    Initially netfilter has had 64bit counters for conntrack-based accounting, but
    it was changed in 2.6.14 to save memory. Unfortunately in-kernel 64bit counters are
    still required, for example for "connbytes" extension. However, 64bit counters
    waste a lot of memory and it was not possible to enable/disable it at runtime.
    
    This patch:
     - reimplements accounting with respect to the extension infrastructure,
     - makes one global version of seq_print_acct() instead of two seq_print_counters(),
     - makes it possible to enable it at boot time (for CONFIG_SYSCTL/CONFIG_SYSFS=n),
     - makes it possible to enable/disable it at runtime by sysctl or sysfs,
     - extends counters from 32bit to 64bit,
     - renames ip_conntrack_counter -> nf_conn_counter,
     - enables accounting code unconditionally (no longer depends on CONFIG_NF_CT_ACCT),
     - sets initial accounting enable state based on CONFIG_NF_CT_ACCT,
     - removes buggy IPCT_COUNTER_FILLING event handling.
    
    If accounting is enabled, newly created connections get additional acct extend.
    Old connections are not changed as it is not possible to add a ct_extend area
    to confirmed conntrack. Accounting is performed for all connections with
    acct extend regardless of a current state of "net.netfilter.nf_conntrack_acct".

    Signed-off-by: Krzysztof Piotr Oledzki <ole@ans.pl>
    Signed-off-by: Patrick McHardy <kaber@trash.net>
    Signed-off-by: David S. Miller <davem@davemloft.net>
kernel-parameters.txt 70.2 KB