Annotation of /nfo/patches/bwacct/better_interaction_with_firewalls.txt

Revision 1.1
Fri Nov 8 02:17:25 2002 UTC by joko
Branch: MAIN
CVS Tags: HEAD
File MIME type: text/plain
no message

From: "Andreas Motl" <andreas.motl@ilo.de>
To: <bgr@linespeed.net>
Cc: "jonen" <jonen@netfrag.org>
Subject: BW ACCT - Better interaction with other firewalls?
Date: Sun, 16 Jun 2002 20:11:43 +0200

Hi Brian,

we successfully use your BW ACCT system to measure traffic to and from
virtual hosts (freevsd, uml) running together on one main (physical) host.
The freevsds have their own mechanism to bridge network traffic (I don't
know how exactly); for the umls we are using tun/tap. Our snmpd doesn't
count bytes on these virtual interfaces (I read that virtual devices in
Linux are "just" a hack to the kernel / IP stack and so not comparable to
real ones?), so we are using the iptables mechanism via "iptables-stats.pl".
Usually we create the accounting chains by iterating through our IPs similar
to "firewall.iptables.acct.start.inc" to assure having the accounting chains
placed correctly at the top.

The point is that we cannot *always* be sure that this is the situation,
because sometimes users with root permissions insert rules at the top of
some input or output chains.
I played around recombining some head/tail variations (tail -2 |
head -1 -> head -4 | head -1 -> head -7 | tail -1) ;) but that didn't
work. I almost gave up but then tried an iptables command on the
command line:
iptables -L <chain-name> -n -v -x
That was it! The grep can go home now, and we aren't fuzzy any more... I
changed the relating lines in "iptables-stats.pl" and it worked perfectly
for us...

for "getInBytes", it would be ...
--- snip ---
# last rule of the chain; with -x the second column is the exact byte count
my $command = $iptables." -L \"".$chain."\" -n -v -x | tail -2 | tail -1 | awk '{print \$2}'";
--- snip ---

... for "getOutBytes":
--- snip ---
# second-to-last rule of the chain
my $command = $iptables." -L \"".$chain."\" -n -v -x | tail -2 | head -1 | awk '{print \$2}'";
--- snip ---

I hope I didn't change the order of "in" and "out" here...
... and - of course - I hope I didn't break anything else, which was out of
my sight.

thank you very much for writing this cool tool,
greetings, Andi.

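An added example (not part of the message or of the BW ACCT scripts): a Python parser for `iptables -L <chain> -n -v -x` output that selects the accounting rule by the address it counts instead of by its position, so the counter stays correct whether a root user inserts rules above the accounting rules or appends more below them. The chain name, addresses and the listing itself are constructed for this example.

```python
import re

# Constructed sample of `iptables -L acct -n -v -x` output (not from the page):
# a root user has inserted a DROP rule above the two counting-only rules
# (blank target, so plain whitespace-splitting would misalign the columns).
SAMPLE = """\
Chain acct (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       7        420 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:23
      42      12345            all  --  *      *       10.0.0.5             0.0.0.0/0
     123     456789            all  --  *      *       0.0.0.0/0            10.0.0.5
"""

def _field_near(line, col):
    """Token whose start column is closest to col (tolerates slight misalignment)."""
    tokens = [(m.start(), m.group()) for m in re.finditer(r"\S+", line)]
    return min(tokens, key=lambda t: abs(t[0] - col))[1]

def parse_listing(text):
    """Rules of one chain as dicts; source/destination are located via the
    header columns, so a blank target field does not shift them."""
    lines = [l for l in text.splitlines() if l.strip()]
    hdr_idx = next(i for i, l in enumerate(lines) if l.split()[:2] == ["pkts", "bytes"])
    header = lines[hdr_idx]
    src_col, dst_col = header.index("source"), header.index("destination")
    rules = []
    for line in lines[hdr_idx + 1:]:
        fields = line.split()
        if len(fields) < 2 or not fields[1].isdigit():   # -x: exact counts, no K/M/G
            continue
        rules.append({
            "pkts": int(fields[0]),
            "bytes": int(fields[1]),
            "source": _field_near(line, src_col),
            "destination": _field_near(line, dst_col),
        })
    return rules

def acct_bytes(text, ip):
    """Byte counters for ip: 'in' = rule whose destination is ip,
    'out' = rule whose source is ip; None when no such rule exists."""
    counters = {"in": None, "out": None}
    for rule in parse_listing(text):
        if rule["destination"] == ip:
            counters["in"] = rule["bytes"]
        elif rule["source"] == ip:
            counters["out"] = rule["bytes"]
    return counters
```

Feed it the real listing with `subprocess.run([iptables, "-L", chain, "-n", "-v", "-x"], capture_output=True, text=True).stdout` and check for `None` to detect an accounting chain that lost its rules.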
