Great Stuff!

On Wed, Dec 14, 2011 at 7:00 PM, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> On Wed, Dec 14, 2011 at 09:12:52PM +0800, Changli Gao wrote:
>> On Wed, Dec 14, 2011 at 7:00 PM, <pablo@xxxxxxxxxxxxx> wrote:
>> > From: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
>> >
>> > Hi!
>> >
>> > We currently have two ways to account traffic in netfilter:
>> >
>> > - iptables chain and rule counters:
>> >
>> > # iptables -L -n -v
>> > Chain INPUT (policy DROP 3 packets, 867 bytes)
>> > pkts bytes target prot opt in out source destinat
>> > 8 1104 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/
>> >
>> > - use flow-based accounting provided by ctnetlink:
>> >
>> > # conntrack -L
>> > tcp 6 431999 ESTABLISHED src=192.168.1.130 dst=212.106.219.168 sport=58
>> >
>> > While trying to display real-time accounting statistics, we require
>> > to poll the kernel periodically to obtain this information. This is
>> > OK if the number of flows is relatively low. However, in case that
>> > the number of flows is huge, we can spend a considerable amount of
>> > cycles to iterate over the list of flows that have been obtained.
>> >
>> > Moreover, if we want to obtain the sum of the flow accounting results
>> > that match some criteria, we have to iterate over the whole list of
>> > existing flows, look for matchings and update the counters.
>> >
>> > This patchset adds the extended accounting infrastructure in
>> > kernel-space. It is composed of one nfnetlink interface that
>> > allows you to create, to update and to retrieve accounting objects.
>> > These objects can be used to account traffic with the flexibility
>> > that iptables rules provide (by means of the new NFACCT target).
>> >
>> > Quick example of use:
>> >
>> > 1) You create the accounting object:
>> >
>> > libnetfilter_acct/examples# ./nfacct-add http-traffic
>> >
>> > 2) Add the iptables rules for traffic you want to account:
>> >
>> > # iptables -I INPUT -p tcp --sport 80 -j NFACCT --nfacct-name http-traffic
>> > # iptables -I OUTPUT -p tcp --dport 80 -j NFACCT --nfacct-name http-traffic
>> >
>>
>> Why not use the counters of iptables instead?
>>
>> iptables-save -c
>
> If you want to obtain the sum of the counters that match some criteria,
> you have to iterate over the whole list of existing rules, look for
> matchings and update the counters.
>
> Moreover, if you have a large rule-set, polling periodically
> iptables-save -c can be expensive.
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
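As an added illustration (not code from the thread, from libnetfilter_acct, or from iptables), the following Python script parses a constructed sample of `iptables-save -c` output and sums the counters of every rule that matches a criterion. It is exactly the whole-rule-set scan on each poll that Pablo describes as the cost an NFACCT accounting object avoids; the sample rules and their counters are made up.

```python
import re

# Constructed sample of `iptables-save -c` output (not captured from a real host).
# Each rule line is prefixed with [packets:bytes].
SAMPLE_SAVE = """\
*filter
:INPUT DROP [3:867]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
[8:1104] -A INPUT -i lo -j ACCEPT
[120:95400] -A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
[44:3520] -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
[9:900] -A INPUT -p tcp -m tcp --sport 8080 -j ACCEPT
[7:700] -A INPUT -p udp -m udp --dport 53 -j ACCEPT
COMMIT
"""

# "[pkts:bytes] -A CHAIN rule-spec"
RULE_RE = re.compile(r"^\[(\d+):(\d+)\]\s+-A\s+(\S+)\s+(.*)$")


def parse_rule_counters(text):
    """Yield (chain, rule_spec, packets, bytes) for every counted rule line."""
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            yield m.group(3), m.group(4), int(m.group(1)), int(m.group(2))


def has_option(spec, opt, value):
    """True if `opt value` appears as adjacent tokens in the rule spec.

    Token-wise matching keeps `--sport 80` from matching `--sport 8080`.
    """
    toks = spec.split()
    return any(toks[i] == opt and toks[i + 1] == value for i in range(len(toks) - 1))


def http_traffic(chain, spec):
    """Criterion equivalent to the two NFACCT rules in the thread (port 80 either way)."""
    return has_option(spec, "--sport", "80") or has_option(spec, "--dport", "80")


def sum_counters(text, predicate):
    """Visit every rule, test it against the predicate and aggregate its counters.

    This full scan must be repeated on every poll, which is the cost the
    thread discusses for large rule-sets.
    """
    pkts = nbytes = 0
    for chain, spec, p, b in parse_rule_counters(text):
        if predicate(chain, spec):
            pkts += p
            nbytes += b
    return pkts, nbytes
```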