From: Andrew Beverley <andy@andybev.com>
To: Jan Engelhardt <jengelh@medozas.de>
Cc: Ed W <lists@wildgooses.com>, Netfilter <netfilter@vger.kernel.org>
Subject: Re: High accuracy bandwidth accounting?
Date: Mon, 16 May 2011 07:43:28 +0100 [thread overview]
Message-ID: <1305528208.2041.8.camel@andybev-desktop> (raw)
In-Reply-To: <alpine.LNX.2.01.1105151103490.30189@obet.zrqbmnf.qr>
On Sun, 2011-05-15 at 11:08 +0200, Jan Engelhardt wrote:
> On Sunday 2011-05-15 09:23, Andrew Beverley wrote:
>
> >On Sun, 2011-05-15 at 00:33 +0200, Jan Engelhardt wrote:
> >> On Saturday 2011-05-14 18:29, Andrew Beverley wrote:
> >>
> >> >On Sat, 2011-05-14 at 14:36 +0100, Ed W wrote:
> >> >
> >> >Okay, I've played around with this myself using a similar scenario. It
> >> >looks to me like the packets *are* making it into the conntrack system.
> >> >
> >> >I tried setting a LOG target to match those packets with a ctstate of
> >> >RELATED:
> >> >
> >> >iptables -A INPUT -p ICMP -m conntrack --ctstate RELATED -j LOG
> >> >
> >> >And they were indeed logged. But there was no visibility of them using
> >> >the conntrack userspace program.
> >>
> >> Does `conntrack -L` show anything for you at all?
> >
> >Yes, it shows the outgoing packets:
> >
> >udp 17 23 src=10.0.10.206 dst=212.110.185.119 sport=35259 dport=53
> >packets=3 bytes=168 [UNREPLIED] src=212.110.185.119 dst=10.0.10.206
> >sport=53 dport=35259 packets=0 bytes=0 mark=0 secmark=0 use=2
> >
> >But it doesn't show the "ICMP port unreachable" packets that are sent in
> >reply. The question is: should it show them?
>
> conntrack -L shows pseudo/NFCT-style connections, not packets.
Sorry, when I say it doesn't show them, I mean they are not counted. The
conntrack entry for that connection only shows a packet count in one
direction. It shows zero in the other direction.
> As for
> ICMP port unreachable, either its classification is
> - INVALID, in which case there is no CT to show
> - a reply, in which case it is part of the shown CT - and the event
> monitor will show an UPDATE
> - RELATED, in which case a new CT is shown - and which may disappear
> shortly after due to a short lifetime - the event monitor should show
> NEW I think.
The ones in this case are coming in as RELATED.
>
> Monitor with conntrack -E for details.
>
conntrack -E -d 212.110.185.119 gives:
[NEW] udp 17 30 src=10.0.10.206 dst=212.110.185.119 sport=35676 dport=53 [UNREPLIED] src=212.110.185.119 dst=10.0.10.206 sport=53 dport=35676
[DESTROY] udp 17 src=10.0.10.206 dst=212.110.185.119 sport=35676 dport=53 [UNREPLIED] src=212.110.185.119 dst=10.0.10.206 sport=53 dport=35676
But conntrack -E -s 212.110.185.119 gives nothing
So they do not seem to be counted anywhere.
> >> There is/was a
> >> short intermediate time when it would not return anything.
> >
> >Do you mean there was a time when a particular version of conntrack
> >would not return anything?
>
> Yes, see kernel commit cba85b532e4aabdb97f44c18987d45141fd93faa that
> (the fix) for details.
I upgraded the kernel to 2.6.38.6 just in case, but the same still
happens.
Thanks,
Andy
next prev parent reply other threads:[~2011-05-16 6:43 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-05-09 14:12 High accuracy bandwidth accounting? Ed W
2011-05-09 21:45 ` Andrew Beverley
2011-05-09 22:07 ` Ed W
2011-05-09 22:16 ` Andrew Beverley
2011-05-09 22:49 ` Ed W
2011-05-11 14:30 ` Ed W
2011-05-12 0:01 ` Andrew Beverley
2011-05-12 22:17 ` Ed W
2011-05-12 22:27 ` Andrew Beverley
2011-05-09 23:23 ` Ed W
2011-05-14 9:23 ` Andrew Beverley
2011-05-14 13:36 ` Ed W
2011-05-14 16:29 ` Andrew Beverley
2011-05-14 22:33 ` Jan Engelhardt
2011-05-15 7:23 ` Andrew Beverley
2011-05-15 9:08 ` Jan Engelhardt
2011-05-16 6:43 ` Andrew Beverley [this message]
2011-05-16 7:23 ` Jan Engelhardt
2011-05-22 21:22 ` Andrew Beverley
2011-05-16 14:35 ` Ed W
2011-05-16 14:59 ` Jan Engelhardt
2011-05-16 16:53 ` Ed W
2011-05-14 9:48 ` Marek Kierdelewicz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1305528208.2041.8.camel@andybev-desktop \
--to=andy@andybev.com \
--cc=jengelh@medozas.de \
--cc=lists@wildgooses.com \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.