From: "Andreas Motl" <andreas.motl@ilo.de>
To: <bgr@linespeed.net>
Cc: "jonen" <jonen@netfrag.org>
Subject: BW ACCT - Better interaction with other firewalls?
Date: Sun, 16 Jun 2002 20:11:43 +0200

Hi Brian,

We successfully use your BW ACCT system to measure traffic to and from
virtual hosts (freevsd, uml) running together on one main (physical) host.
The freevsd's have their own mechanism to bridge network traffic (I don't
know how exactly), for the uml's we are using tun/tap. Our snmpd doesn't
count bytes on these virtual interfaces (I read that virtual devices in
Linux are "just" a hack to the kernel / IP stack and so not comparable to
real ones?), so we are using the iptables mechanism via "iptables-stats.pl".
Usually we create the accounting chains by iterating through our IPs similar
to "firewall.iptables.acct.start.inc" to assure having the accounting chains
placed correctly at the top.

The point is that we cannot *always* be sure that this is the situation,
because sometimes users with root permissions insert rules at the top of
some input or output chains.
I played around recombining some head/tail variations ( tail -2 |
head -1 -> head -4 | head -1 -> head -7 | tail -1 ) ;) but that didn't
work. I almost gave up but then tried an iptables command on the
command line:

    iptables -L <chain-name> -n -v -x

That was it! The grep can go home now, and we aren't fuzzy any more.... I
changed the related lines in "iptables-stats.pl" and it worked perfectly
for us....

for "getInBytes", it would be ...
--- snip ---
my $command = $iptables." -L \"".$chain."\" -n -v -x | tail -2 | tail -1 | awk '{print \$2}'";
--- snip ---

... for "getOutBytes":
--- snip ---
my $command = $iptables." -L \"".$chain."\" -n -v -x | tail -2 | head -1 | awk '{print \$2}'";
--- snip ---

I hope I didn't change the order of "in" and "out" here.....
... and - of course - I hope I didn't break anything else which was out of
my sight.

Thank you very much for writing this cool tool,
greetings, Andi.
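
Added example, not part of the original e-mail or of BW ACCT: the per-chain listing from the message, read by matching each rule's source/destination column instead of its line position, so the in/out order and any extra rule in the chain no longer matter. The chain name acct_host1, the address 192.0.2.10, the function names and the sample listing are constructed assumptions, and the accounting rules are assumed to match on addresses only.

```shell
#!/bin/sh
# Sum the byte counters of one accounting chain by direction, keyed on the
# source/destination columns rather than on tail/head line positions.

# Constructed sample of `iptables -L acct_host1 -n -v -x` output (not real data).
# The trailing RETURN rule stands for a rule somebody added to the chain later.
sample_listing() {
cat <<'EOF'
Chain acct_host1 (2 references)
    pkts      bytes target     prot opt in     out     source               destination
     120    98304            all  --  *      *       0.0.0.0/0            192.0.2.10
      80    20480            all  --  *      *       192.0.2.10           0.0.0.0/0
       0        0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
}

# chain_bytes DIRECTION IP
# Reads a listing on stdin and prints the total bytes for that direction:
#   in  -> rules whose destination is IP
#   out -> rules whose source is IP
chain_bytes() {
    awk -v dir="$1" -v ip="$2" '
        NR <= 2 { next }                                   # chain line and column header
        $1 !~ /^[0-9]+$/ || $2 !~ /^[0-9]+$/ { next }      # skip anything that is not a counter row
        {
            # The target column may be empty, so count fields from the right.
            # Assumption: no extra match text follows the two address columns.
            src = $(NF - 1); dst = $NF
            if (dir == "in"  && dst == ip) total += $2
            if (dir == "out" && src == ip) total += $2
        }
        END { printf "%.0f\n", total }                     # %.0f keeps large counters intact
    '
}

# Against a live chain (needs root), the same function would be fed like this:
#   iptables -L acct_host1 -n -v -x | chain_bytes in 192.0.2.10
```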