Hello, thanks for the reply.
On 10/27/2010 06:32 PM, Jan Engelhardt wrote:
> On Wednesday 2010-10-27 16:42, Sandro Tosi wrote:
>> we are using iptables quite a lot and we'd like to gather some
>> stats/information on "what's doing" and hopefully also an idea of the resources
>> used by it (in particular cpu and ram).
>> 1. http://forums.cacti.net/about36629.html
>> 2. http://forums.cacti.net/about26714.html
>> 3. http://people.netfilter.org/hawk/DDoS/2010-04-12__001/list.html
> 3 is very interesting, Jesper: how did you generate it? :)
> JFYI, there is a lot of conntrack in there besides routing and general
> machine and interface characteristics - not much Xtables to see.
I'm not sure I got your reply right, but I'm actually open to any
statistics for KPIs of iptables/netfilter/conntrack/whatever - I just
would like to retrieve meaningful information about the netfilter "stack"
on these machines (and graph them, but that's unimportant here).
What I'm looking for is cpu usage, and actually what netfilter does after I
add a rule to it via iptables. I think of cpu usage since I have
recently added rules that inspect the content of packets (using the 'string'
module) and we'd like to understand what the impact of that is. Also,
having meaningful information on the netfilter operations can give us a
better understanding of the machine status/usage.
I reported those 3 links because they are actually extracting
information from what the kernel exports about NF on the /proc fs, but I
can't seem to find any info about what those values are (e.g.
/proc/sys/net/netfilter/nf_conntrack_count reports ~7500 conns while
'netstat -putan | wc -l' only ~3000; why is that, what's the meaning of the
values graphed, and so on).
Thanks in advance,
--
Sandro Tosi
Product Engineer
Linux based Solutions
Hosting Products
R&D | Dada.pro
sandro.tosi@xxxxxxxxxxx
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
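As an added example, not part of this thread and not netfilter project code: the gap between nf_conntrack_count and a netstat listing comes from what each one counts. nf_conntrack_count is the number of entries in the conntrack table, which holds every flow the box has seen, whether it terminates locally or is merely forwarded or NATed through, plus unreplied attempts (the [UNREPLIED] flag) and entries that linger until their timeout expires (UDP, ICMP, TCP TIME_WAIT and CLOSE). netstat only lists local sockets. The script below parses the text format of /proc/net/nf_conntrack and breaks the table down by protocol, TCP state, flags and whether a flow involves a local address, so the two numbers can be reconciled; it also computes how full the table is against nf_conntrack_max, which is the figure worth alerting on, since a full table makes the kernel drop new flows. The sample lines are constructed, the LOCAL_ADDRS list and the read_live() helper are assumptions, and the script runs offline against the sample.

```python
"""Break down /proc/net/nf_conntrack the way nf_conntrack_count counts it.

Added example, not code from the netfilter thread. It parses the
one-flow-per-line text format of /proc/net/nf_conntrack and groups
entries by L4 protocol, TCP state and the [UNREPLIED]/[ASSURED] flags,
so the gap between nf_conntrack_count and a local socket listing can be
explained flow by flow.
"""
from collections import Counter

# Constructed sample of /proc/net/nf_conntrack lines (not captured from a
# real host). Field order: l3proto l3num l4proto l4num timeout [tcp state]
# original tuple ... [UNREPLIED] reply tuple ... [ASSURED] mark=... use=...
SAMPLE = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=44321 dport=443 src=198.51.100.5 dst=192.0.2.10 sport=443 dport=44321 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 118 TIME_WAIT src=192.0.2.10 dst=198.51.100.5 sport=44322 dport=80 src=198.51.100.5 dst=192.0.2.10 sport=80 dport=44322 [ASSURED] mark=0 use=1
ipv4     2 tcp      6 117 SYN_SENT src=192.0.2.10 dst=198.51.100.9 sport=44400 dport=22 [UNREPLIED] src=198.51.100.9 dst=192.0.2.10 sport=22 dport=44400 mark=0 use=1
ipv4     2 udp      17 29 src=192.0.2.10 dst=192.0.2.1 sport=5353 dport=53 src=192.0.2.1 dst=192.0.2.10 sport=53 dport=5353 mark=0 use=1
ipv4     2 udp      17 29 src=203.0.113.7 dst=192.0.2.20 sport=40000 dport=123 [UNREPLIED] src=192.0.2.20 dst=203.0.113.7 sport=123 dport=40000 mark=0 use=1
ipv4     2 icmp     1 29 src=192.0.2.10 dst=192.0.2.1 type=8 code=0 id=4242 src=192.0.2.1 dst=192.0.2.10 type=0 code=0 id=4242 mark=0 use=1
ipv4     2 tcp      6 431999 ESTABLISHED src=203.0.113.50 dst=192.0.2.20 sport=51000 dport=25 src=192.0.2.20 dst=203.0.113.50 sport=25 dport=51000 [ASSURED] mark=0 use=2
"""

# Assumption: addresses owned by the box itself. In the sample 192.0.2.10 is
# the host; 192.0.2.20 is a machine behind it whose flows are only forwarded.
LOCAL_ADDRS = ("192.0.2.10",)

TCP_STATES = {"SYN_SENT", "SYN_RECV", "ESTABLISHED", "FIN_WAIT", "CLOSE_WAIT",
              "LAST_ACK", "TIME_WAIT", "CLOSE", "LISTEN"}


def parse_entry(line):
    """Parse one conntrack line into a dict, or return None for junk."""
    fields = line.split()
    if len(fields) < 5 or not fields[4].isdigit():
        return None
    entry = {
        "proto": fields[2],
        "timeout": int(fields[4]),          # seconds until the entry is dropped
        "state": None,                      # only TCP entries carry a state
        "unreplied": "[UNREPLIED]" in fields,
        "assured": "[ASSURED]" in fields,
        "orig": {},                         # original-direction tuple
    }
    if entry["proto"] == "tcp" and len(fields) > 5 and fields[5] in TCP_STATES:
        entry["state"] = fields[5]
    # The first src=/dst=/sport=/dport= seen is the original direction; the
    # second set is the reply direction, so keep only the first occurrence.
    for field in fields[5:]:
        if "=" in field:
            key, value = field.split("=", 1)
            entry["orig"].setdefault(key, value)
    return entry


def summarize(text, local_addrs):
    """Group the table the way a defender needs it to explain the count."""
    entries = [e for e in (parse_entry(l) for l in text.splitlines()) if e]
    local = set(local_addrs)
    return {
        "total": len(entries),
        "by_proto": dict(Counter(e["proto"] for e in entries)),
        "tcp_states": dict(Counter(e["state"] for e in entries if e["state"])),
        "unreplied": sum(e["unreplied"] for e in entries),
        "assured": sum(e["assured"] for e in entries),
        # Flows where neither endpoint is local: pure routed/NATed traffic
        # that netstat on this box will never show.
        "forwarded": sum(1 for e in entries
                         if e["orig"].get("src") not in local
                         and e["orig"].get("dst") not in local),
    }


def fill_ratio(count, maximum):
    """Fraction of nf_conntrack_max in use; at 1.0 new flows are dropped."""
    return count / maximum


def read_live():
    """Assumed helper: read the real files on a Linux host with conntrack."""
    try:
        with open("/proc/net/nf_conntrack") as f:
            text = f.read()
        with open("/proc/sys/net/netfilter/nf_conntrack_count") as f:
            count = int(f.read())
        with open("/proc/sys/net/netfilter/nf_conntrack_max") as f:
            maximum = int(f.read())
    except OSError:
        return None
    return text, count, maximum


if __name__ == "__main__":
    live = read_live()
    text, count, maximum = live if live else (SAMPLE, 7500, 65536)
    print(summarize(text, LOCAL_ADDRS))
    print("table fill: %.1f%%" % (100 * fill_ratio(count, maximum)))
```

Run against the constructed sample the summary reports 7 entries of which only 2 are ESTABLISHED TCP flows, 2 are unreplied attempts, 1 is a TIME_WAIT entry waiting out its timer and 2 are flows merely forwarded for another host; none of the last three groups appear in netstat, which is the shape of the ~7500 versus ~3000 discrepancy. On a real host, graph the fill ratio alongside the count: the raw count only matters relative to nf_conntrack_max.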