From: "Andreas Motl" <andreas.motl@ilo.de>
To: <bgr@linespeed.net>
Cc: "jonen" <jonen@netfrag.org>
Subject: BW ACCT - Better interaction with other firewalls?
Date: Sun, 16 Jun 2002 20:11:43 +0200

Hi Brian,

we successfully use your BW ACCT - system to measure traffic to and from
virtual hosts (freevsd, uml) running together on one main (physical) host.
The freevsd's have their own mechanism to bridge network-traffic (i don't
know how exactly), for the uml's we are using tun/tap. Our snmpd doesn't
count bytes on these virtual interfaces (i read that virtual devices in
Linux are "just" a hack to the Kernel / IP-Stack and so not comparable to
real ones?), so we are using the iptables-mechanism via "iptables-stats.pl".
Usually we create the accounting-chains by iterating through our IPS similar
to "firewall.iptables.acct.start.inc" to assure having the accounting chains
placed correctly at the top.

The point is that we can not *always* be sure that this is the situation,
because sometimes users with root-permissions insert rules to the top of
some input- or output-chains.
I played around recombining some head/tail - variations ( tail -2 |
head -1 -> head -4 | head -1 -> head -7 | tail -1 ) ;) but that didn't
work. I almost gave up but then tried an iptables-command on the
command-line:
iptables -L <chain-name> -n -v -x
That was it! The grep can go home now, and we aren't fuzzy any more.... I
changed the relating lines in "iptables-stats.pl" and it worked perfectly
for us....

for "getInBytes", it would be ...
--- snip ---
my $command = $iptables." -L \"".$chain."\" -n -v -x | tail -2 | tail -1 | awk '{print \$2}'";
--- snip ---

... for "getOutBytes":
--- snip ---
my $command = $iptables." -L \"".$chain."\" -n -v -x | tail -2 | head -1 | awk '{print \$2}'";
--- snip ---

i hope i didn't change the order of "in" and "out" here.....
... and - of course - i hope i didn't break anything other, which was out of
my sight.

thank you very much for writing this cool tool,
greetings, Andi.
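The selection described in the message above, as an added shell example that is not part of the original e-mail or of BW ACCT: it applies the same tail/head/awk picks to a constructed `iptables -L <chain-name> -n -v -x` listing, rejects a result that is not a number (what the positional pick returns when the chain holds fewer than two rules), and checks the chain name before it would be placed into a command string. The chain name `acct_vhost1`, the addresses, the counters and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Constructed sample of `iptables -L acct_vhost1 -n -v -x` output.
# Assumed layout: the chain's last two rules are "out" then "in",
# which is what the tail/head selection in the e-mail implies.
sample_listing() {
cat <<'EOF'
Chain acct_vhost1 (2 references)
    pkts      bytes target     prot opt in     out     source               destination
     120    98304            all  --  *      *       192.0.2.10           0.0.0.0/0
     340   524288            all  --  *      *       0.0.0.0/0            192.0.2.10
EOF
}

# Accept only characters that are safe inside the quoted shell command
# string that the Perl snippets build from $chain (hypothetical helper).
valid_chain() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Read a listing on stdin and print the byte counter for "in" or "out".
# `tail -n 2` is the POSIX spelling of the e-mail's `tail -2`.
acct_bytes() {
    listing=$(cat)
    case "$1" in
        in)  val=$(printf '%s\n' "$listing" | tail -n 2 | tail -n 1 | awk '{print $2}') ;;
        out) val=$(printf '%s\n' "$listing" | tail -n 2 | head -n 1 | awk '{print $2}') ;;
        *)   return 2 ;;
    esac
    # With fewer than two rules the selection lands on a header line and
    # yields text such as "bytes"; reject anything that is not a number.
    case "$val" in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$val"
}

# Demo on the constructed listing.
echo "in:  $(sample_listing | acct_bytes in)"
echo "out: $(sample_listing | acct_bytes out)"
```

On a live host the listing would come from `iptables -L "$chain" -n -v -x`, piped into `acct_bytes` once `valid_chain "$chain"` has succeeded.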