From mboxrd@z Thu Jan  1 00:00:00 1970
From: Srinivasa T N
Subject: Re: Double rules for using NETFLOW?
Date: Thu, 03 Feb 2011 10:45:48 +0530
Message-ID: <4D4A3A04.20505@linux.vnet.ibm.com>
References: <4D492B87.5050008@linux.vnet.ibm.com> <4D499ACA.2040603@riverviewtech.net>
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Return-path:
In-Reply-To: <4D499ACA.2040603@riverviewtech.net>
Sender: netfilter-owner@vger.kernel.org
List-ID:
Content-Type: text/plain; charset="us-ascii"; format="flowed"
To: Mail List - Netfilter

On Wednesday 02 February 2011 11:26 PM, Grant Taylor wrote:
> On 2/2/2011 4:01 AM, Srinivasa T N wrote:
>> I am using ipt_NETFLOW 1.7 on my RHEL 6 (2.6.32) box. Now if I want to
>> accept a packet destined for some port and at the same time I want it to
>> be accounted also, then I have to use the following rules:
>
> I take it that the accounting you want is more than the simple packet /
> byte counters that already exist.

But how will I have access to the counters from my user land app?

>
>> iptables -A INPUT --dport -j NETFLOW
>> iptables -A INPUT --dport -j ACCEPT
>>
>> This makes that every packet that I accept should have two rules (one
>> for accepting and one for accounting). Don't you people think that it
>> will increase the number of rules a packet has to traverse? Or is my
>> understanding wrong?
>
> You could do something like this:
>
> iptables -N myChain
> iptables -A myChain -j NETFLOW
> iptables -A myChain -j ACCEPT
>
> iptables -A INPUT --dport -j myChain
>
> Doing this will reduce the number of matches that have to be performed
> and allow the (sub)chain to simply apply actions to the packets.
>
> This might seem like overkill with your simple example, but when you
> start putting multiple matches on each rule, or have more actions in
> sequence (i.e. LOG) you start gaining more quickly. Further if you have
> other rules that are matching other packets, they will not have to
> traverse the condition that they will not match more than one time.
>
> IPTables gives you a skeleton that you can do a lot of different things
> in. It's really up to you how you put it together and how you optimize
> rule traversal.
>
> In some ways I could liken IPTables (and brethren) to a simple
> programming language. As such, it's not the language itself that is
> the limitation, just your imagination on how you use said language. :-)
>
>
>
> Grant. . . .
>

-- 
Regards,
Seenu.
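The two layouts discussed in this thread (NETFLOW plus ACCEPT per port in INPUT, versus one jump per port into a chain that does NETFLOW then ACCEPT) differ only in how many rules a packet is checked against. The following is an added example, not code from the thread or from ipt_NETFLOW: a small Python model of iptables chain traversal that counts rule evaluations for both layouts. It assumes, as is the case in iptables, that NETFLOW and LOG are non-terminating targets (the packet falls through to the next rule) while ACCEPT/DROP/REJECT end traversal; a user-defined chain that is walked to its end returns to the calling chain, and a packet that falls off the end of INPUT gets the chain policy. The port list (22, 80, 443, 8080) and the chain name `myChain` are constructed sample values, and the model matches on protocol and destination port only (real `--dport` rules also need `-p tcp` or `-p udp`, which the generated commands include).

```python
"""Added example (not from the netfilter thread or ipt_NETFLOW): a toy model
of iptables chain traversal used to compare how many rules a packet is
evaluated against under a flat layout versus a sub-chain layout."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

TERMINATING = {"ACCEPT", "DROP", "REJECT"}   # end traversal with a verdict
NON_TERMINATING = {"NETFLOW", "LOG"}         # act, then fall through


@dataclass
class Rule:
    target: str                   # ACCEPT, NETFLOW, or a user-defined chain
    proto: Optional[str] = None   # "tcp"/"udp"; None matches any protocol
    dport: Optional[int] = None   # destination port; None matches any port

    def matches(self, proto: str, dport: int) -> bool:
        return self.proto in (None, proto) and self.dport in (None, dport)

    def as_command(self, chain: str) -> str:
        """Render the rule as the iptables command that would create it."""
        parts = ["iptables", "-A", chain]
        if self.proto is not None:
            parts += ["-p", self.proto]
        if self.dport is not None:
            parts += ["--dport", str(self.dport)]
        parts += ["-j", self.target]
        return " ".join(parts)


@dataclass
class Ruleset:
    chains: Dict[str, List[Rule]] = field(default_factory=lambda: {"INPUT": []})
    policy: str = "DROP"          # policy applied when INPUT is exhausted

    def new_chain(self, name: str) -> None:
        self.chains[name] = []

    def append(self, chain: str, rule: Rule) -> None:
        self.chains[chain].append(rule)

    def _walk(self, chain: str, proto: str, dport: int, stats: dict) -> Optional[str]:
        for rule in self.chains[chain]:
            stats["evaluated"] += 1            # one match evaluation per rule visited
            if not rule.matches(proto, dport):
                continue
            if rule.target in NON_TERMINATING:
                stats["actions"].append(rule.target)
                continue                       # NETFLOW/LOG: account, keep going
            if rule.target in TERMINATING:
                return rule.target
            if rule.target == "RETURN":
                return None
            verdict = self._walk(rule.target, proto, dport, stats)  # jump to user chain
            if verdict is not None:
                return verdict
        return None   # end of chain: implicit RETURN (or INPUT policy at top level)

    def filter(self, proto: str, dport: int) -> Tuple[str, int, Tuple[str, ...]]:
        """Return (verdict, rules evaluated, non-terminating actions taken)."""
        stats = {"evaluated": 0, "actions": []}
        verdict = self._walk("INPUT", proto, dport, stats) or self.policy
        return verdict, stats["evaluated"], tuple(stats["actions"])

    def commands(self) -> List[str]:
        """The iptables commands that build this ruleset, in a valid order."""
        out = [f"iptables -P INPUT {self.policy}"]
        out += [f"iptables -N {c}" for c in self.chains if c != "INPUT"]
        for chain, rules in self.chains.items():
            out += [r.as_command(chain) for r in rules]
        return out


def flat_ruleset(ports: List[int]) -> Ruleset:
    """Two INPUT rules per port: NETFLOW, then ACCEPT (the original layout)."""
    rs = Ruleset()
    for p in ports:
        rs.append("INPUT", Rule("NETFLOW", "tcp", p))
        rs.append("INPUT", Rule("ACCEPT", "tcp", p))
    return rs


def subchain_ruleset(ports: List[int], chain: str = "myChain") -> Ruleset:
    """One jump per port into a chain that does NETFLOW then ACCEPT."""
    rs = Ruleset()
    rs.new_chain(chain)
    rs.append(chain, Rule("NETFLOW"))
    rs.append(chain, Rule("ACCEPT"))
    for p in ports:
        rs.append("INPUT", Rule(chain, "tcp", p))
    return rs


if __name__ == "__main__":
    PORTS = [22, 80, 443, 8080]   # constructed sample port list
    for name, rs in (("flat", flat_ruleset(PORTS)), ("subchain", subchain_ruleset(PORTS))):
        for proto, port in (("tcp", 22), ("tcp", 8080), ("tcp", 9999), ("udp", 53)):
            print(f"{name:9s} {proto}/{port:<5d} -> {rs.filter(proto, port)}")
```

Two things the counts make visible. For traffic that matches a port late in the list or matches nothing at all (the common case on a busy host), the sub-chain layout evaluates roughly half as many rules, because the per-port match is done once instead of twice; for the very first port the sub-chain layout costs one evaluation more than the flat one, since the jump itself is a rule. The model counts evaluations only, not the CPU cost of each match, so it shows the shape of the saving rather than a benchmark.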