You will probably get your best speed (and usability of the resultingI have a firewall currently running kernel 2.4.20, Celeron 1 GHz and 512 MB of RAM that should do traffic accounting based on single IP addresses. I thought it would be more efficient to use iptables than writing a standalone application using pcap or the like.
data) if you just use one of the accounting daemons that can be paired
with the ULOG target, and use the two rules below. Google/linux search
on "Netfilter ULOG accounting"
http://www.google.com/linux?num=100&restrict=linux&hl=en&lr=&ie=ISO- 8859-1&q=netfilter+ULOG+accounting&btnG=Google+Search
turns up some useful links... That said, if you still want to do it
directly in your ruleset, read on! :^)
This is exactly what I've been looking for, thanks a lot :) I really searched the net but didn't find anything suiting my needs ... so I ended up with a perl-Skript parsing my iptables -L -v -x -n output.
Is this the complete rule? If you don't have a target it will count andI need to add filtering rules like /sbin/iptables -A FORWARD -o eth0 -s ip_address/32 /sbin/iptables -A FORWARD -i eth0 -d ip_address/32
pass to the next rule. Since all you said you are doing is counting
that may seem OK, but it means that each packet is tested against each
and every rule...
I have -j ACCEPT as my target.
Your end result can be twelve user-defined chains, one in/one out for each subnet, and twelve rules in FORWARD.
[...]
Also, as someone else suggested, you can have a script that creates theAs I suppose that configuring a ULOG-Accounting may take some time
rules in a loop, or perhaps six (one per subnet). Fanciest and most
efficient traversal-wise would be a balanced tree of rules, (which could
bring you down to a max of 2-3 dozen tests for each packet, instead of
thousands right now) the construction of which is beyond the scope of
this reply... :^P
I will try to split up the load using those b-trees in the meantime because
I need to get this done real soon.
Thanks to all for your quick help.
Gerald
