Re: ipt_ACCOUNT 1.15 released

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Thomas Jarosch <thomas.jarosch@intra2net.com>
To: Thomas Jacob <jacob@internet24.de>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: ipt_ACCOUNT 1.15 released
Date: Mon, 20 Apr 2009 12:19:27 +0200	[thread overview]
Message-ID: <200904201219.28011.thomas.jarosch@intra2net.com> (raw)
In-Reply-To: <1239906586.26220.58.camel@enterprise.ims-firmen.de>

On Thursday, 16. April 2009 20:29:46 Thomas Jacob wrote:
> Also, in order to make IPv6 accounting practical, I would probably add
> some sort of subnet accounting along the following lines.
>
> -j ACCOUNT --network 1234:4567::/32 --account_mask /64
>
> which would only account packets in --network, and count data
> for a whole subnet instead of a single IP, as assigning single
> IPv6 addresses to customers is kind of silly in an ISP environment.
>
> To collect data for single IPs just use --account_mask 128.

Well, for IPv4 you can alreay use "--src 172.16.0.0/16"
and then do "-j ACCOUNT --addr 0.0.0.0/0" to merge
the complete subnet into one single IP address.

This should be possible with IPv6, too.

> Another idea, possibly useful from an ISP perspective, might be
> to only start the counters (i.e. add the entry to the hash bucket) if
> packets with the IP/subnet have arrived from a certain direction first.
>
> This way, your tables don't overflow with all the IP scans
> from the Internet.

Maybe a conntrack "state" match can help here?

> approaches taken by ipt_ACCOUNT or ipt_account. All I am interested in
> is a byte counter per target IP/subnet that can be queried once a day
> so that I know who is consuming my bandwidth. Something that passes
> each connection track to user space doesn't look so good for that.
>
> But maybe I am wrong about this, I  haven't actually tried to use it.

Me neither :-) IIRC the problem in the past was that ulogd (v1) could lose 
packets when the userspace <-> kernel communication queue was not processed
as fast as new packets arrived. Though my memory on this is quite blurry...

Thomas

next prev parent reply	other threads:[~2009-04-20 10:19 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2009-04-14 15:44 ipt_ACCOUNT 1.15 released Thomas Jarosch
2009-04-14 16:10 ` Jan Engelhardt
2009-04-15  8:11   ` Thomas Jarosch
2009-04-15  8:55     ` Jan Engelhardt
2009-04-15  9:40     ` Thomas Jacob
2009-04-16 16:34       ` Thomas Jarosch
2009-04-16 18:29         ` Thomas Jacob
2009-04-16 21:19           ` Jozsef Kadlecsik
2009-04-20 10:19           ` Thomas Jarosch [this message]
2009-04-20 11:31             ` Thomas Jacob
2009-04-20 12:12               ` Thomas Jarosch

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=200904201219.28011.thomas.jarosch@intra2net.com \
    --to=thomas.jarosch@intra2net.com \
    --cc=jacob@internet24.de \
    --cc=netfilter-devel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.