On Wed, Dec 14, 2011 at 7:00 PM, <pablo@xxxxxxxxxxxxx> wrote: > From: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> > > Hi! > > We currently have two ways to account traffic in netfilter: > > - iptables chain and rule counters: > > # iptables -L -n -v > Chain INPUT (policy DROP 3 packets, 867 bytes) > pkts bytes target prot opt in out source destinat > 8 1104 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/ > > - use flow-based accounting provided by ctnetlink: > > # conntrack -L > tcp 6 431999 ESTABLISHED src=192.168.1.130 dst=212.106.219.168 sport=58 > > While trying to display real-time accounting statistics, we require > to pool the kernel periodically to obtain this information. This is > OK if the number of flows is relatively low. However, in case that > the number of flows is huge, we can spend a considerable amount of > cycles to iterate over the list of flows that have been obtained. > > Moreover, if we want to obtain the sum of the flow accounting results > that match some criteria, we have to iterate over the whole list of > existing flows, look for matchings and update the counters. > > This patchset adds the extended accounting infrastructure in > kernel-space. It is composed of one nfnetlink interface that > allows you to create, to update and to retrieve accounting objects. > These objects can be used to account traffic with the flexibility > that iptables rules provide (by means of the new NFACCT target). > > Quick example of use: > > 1) You create the accounting object: > > libnetfilter_acct/examples# ./nfacct-add http-traffic > > 2) Add the iptables rules for traffic you want to account: > > # iptables -I INPUT -p tcp --sport 80 -j NFACCT --nfacct-name http-traffic > # iptables -I OUTPUT -p tcp --dport 80 -j NFACCT --nfacct-name http-traffic > Why not use the counters of iptables instead? iptables-save -c -- Regards, Changli Gao(xiaosuo@xxxxxxxxx) -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
