patches/bwacct/better_interaction_with_firewalls.txt

From: "Andreas Motl" <andreas.motl@ilo.de>
To: <bgr@linespeed.net>
Cc: "jonen" <jonen@netfrag.org>
Subject: BW ACCT - Better interaction with other firewalls?
Date: Sun, 16 Jun 2002 20:11:43 +0200

Hi Brian,

we successfully use your BW ACCT - system to measure traffic to and from
virtual hosts (freevsd, uml) running together on one main (physical) host.
The freevsd's have their own mechanism to bridge network-traffic (i don't
know how exactly), for the uml's we are using tun/tap. Our snmpd doesn't
count bytes on these virtual interfaces (i read that virtual devices in
Linux are "just" a hack to the Kernel / IP-Stack and so not comparable to
real ones?), so we are using the iptables-mechanism via "iptables-stats.pl".
Usually we create the accounting-chains by iterating through our IPS similar
to "firewall.iptables.acct.start.inc" to assure having the accounting chains
placed correctly at the top.

The point is that we can not *always* be sure that this is the situation,
because sometimes users with root-permissions insert rules to the the top of
some input- or output-chains.
I played around recombining some head/tail - variations ( tail -2 |
ead -1  ->  head -4 | head -1  -> head -7 | tail -1 ) ;) but that didn't
work. I almost gave up but then tried an iptables-command on the
command-line:
    iptables -L <chain-name> -n -v -x
That was it! The grep can go home now, and we aren't fuzzy any more.... I
changed the relating lines in "iptables-stats.pl" and it worked perfectly
for us....

for "getInBytes", it would be ...
--- snip ---
    my $command = $iptables." -L \"".$chain."\" -n -v -x | tail -2 | tail -1
| awk '{print \$2}'";
--- snip ---

... for "getOutBytes":
--- snip ---
    my $command = $iptables." -L \"".$chain."\" -n -v -x | tail -2 | head -1
| awk '{print \$2}'";
--- snip ---

i hope i didn't change the order of "in" and "out" here.....
... and - of course - i hope i didn't break anything other, which was out of
my sight.

thank you very much for writing this cool tool,
greetings, Andi.

1	From: "Andreas Motl" <andreas.motl@ilo.de>
2	To: <bgr@linespeed.net>
3	Cc: "jonen" <jonen@netfrag.org>
4	Subject: BW ACCT - Better interaction with other firewalls?
5	Date: Sun, 16 Jun 2002 20:11:43 +0200
6
7	Hi Brian,
8
9	we successfully use your BW ACCT - system to measure traffic to and from
10	virtual hosts (freevsd, uml) running together on one main (physical) host.
11	The freevsd's have their own mechanism to bridge network-traffic (i don't
12	know how exactly), for the uml's we are using tun/tap. Our snmpd doesn't
13	count bytes on these virtual interfaces (i read that virtual devices in
14	Linux are "just" a hack to the Kernel / IP-Stack and so not comparable to
15	real ones?), so we are using the iptables-mechanism via "iptables-stats.pl".
16	Usually we create the accounting-chains by iterating through our IPS similar
17	to "firewall.iptables.acct.start.inc" to assure having the accounting chains
18	placed correctly at the top.
19
20	The point is that we can not always be sure that this is the situation,
21	because sometimes users with root-permissions insert rules to the the top of
22	some input- or output-chains.
23	I played around recombining some head/tail - variations ( tail -2 \|
24	ead -1 -> head -4 \| head -1 -> head -7 \| tail -1 ) ;) but that didn't
25	work. I almost gave up but then tried an iptables-command on the
26	command-line:
27	iptables -L <chain-name> -n -v -x
28	That was it! The grep can go home now, and we aren't fuzzy any more.... I
29	changed the relating lines in "iptables-stats.pl" and it worked perfectly
30	for us....
31
32	for "getInBytes", it would be ...
33	--- snip ---
34	my $command = $iptables." -L \"".$chain."\" -n -v -x \| tail -2 \| tail -1
35	\| awk '{print \$2}'";
36	--- snip ---
37
38	... for "getOutBytes":
39	--- snip ---
40	my $command = $iptables." -L \"".$chain."\" -n -v -x \| tail -2 \| head -1
41	\| awk '{print \$2}'";
42	--- snip ---
43
44	i hope i didn't change the order of "in" and "out" here.....
45	... and - of course - i hope i didn't break anything other, which was out of
46	my sight.
47
48	thank you very much for writing this cool tool,
49	greetings, Andi.
50
MailToCvsAdmin">MailToCvsAdmin	ViewVC Help
Powered by ViewVC 1.1.26