From: Bob Miller <bob@computerisms.ca>
To: "Yucong Sun (叶雨飞)" <sunyucong@gmail.com>
Cc: Eric Leblond <eric@regit.org>, netfilter@vger.kernel.org
Subject: Re: per host accounting
Date: Wed, 25 Jul 2012 15:10:05 -0700
Message-ID: <1343254205.2094.75.camel@worklian>
In-Reply-To: <CAJygYd2f0P7kJmVtAcPEJ+oSpSfqVtYN4ksWw4qqe7=_ELdg6w@mail.gmail.com>

On Mon, 2012-07-23 at 15:27 -0700, Yucong Sun (叶雨飞) wrote:
> Thanks for the reply. Yeah, I'm aware of all that you have mentioned;
> please allow me to elaborate on my requirements a little more.
> 
> I have about 500 IPs behind a router, and I want to have something on my
> router to monitor the ingress bps/pps to each specific IP. And I would
> like to have a cron job that scans the result and finds the top 5 IPs
> with the most bps/pps and also does some action against them, calling a
> script, sending an email, etc.

Have you checked out the ACCOUNT target out of the xtables-addons?  You
still need to create cron jobs and a script, but it should be able to do
what you are looking for without too much load...

> 
> So, it seems none of the existing stuff allows me to do this. The
> easiest brain-dead solution I can think of is to just create a chain
> with 500 rules in it, and have a cron job to calculate the bytes
> difference every time it executes. Obviously, this will introduce a
> lot of delays. I'm hoping to have something that basically doesn't
> affect performance too much and/or something to just generate a table
> of IP / cumulative packets / cumulative bytes, and I will be able
> to work with that.
> 
> On Mon, Jul 23, 2012 at 1:00 AM, Eric Leblond <eric@regit.org> wrote:
> >
> > Hello,
> >
> > On Sunday, 22 July 2012 at 20:22 -0700, Yucong Sun (叶雨飞) wrote:
> > > Hi,
> > >
> > > I need a way to account traffic (bytes) for ~500 IPs (fixed), and it
> > > seems creating a plain 500 rules will affect the performance a lot.
> > > Without implementing layered rules (like a binary search?), is there
> > > something existing to do automatic hashing?
> > > Things like hashlimit are great, but I don't need the limit matching
> > > function, just a way to create a hashtable and count bytes and
> > > packets.
> > >
> > > If there's none, I suppose it would be easy enough to fork some hashlimit
> > > code to do this.
> >
> > You can have a look at how ulogd2 and nfacct can be used for accounting:
> > https://home.regit.org/2012/07/flow-accounting-with-netfilter-and-ulogd2/
> >
> > BR,
> > --
> > Eric Leblond
> > Blog: http://home.regit.org/ - Portfolio: http://regit.500px.com/

-- 
Bob Miller
867-334-7117 / 867-633-3760
http://computerisms.ca
bob@computerisms.ca
Network, Internet, Server,
and Open Source Solutions
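
The cron-side step discussed in this thread (diff two snapshots of cumulative per-host counters, then rank the top 5 by bps or pps), as an added example that is not part of the original messages. It assumes the counters have already been exported as `ip packets bytes` lines; that layout, the function names and the 60-second interval are hypothetical, and the sample data is constructed.

```python
import ipaddress

INTERVAL = 60  # seconds between two cron runs (assumed)
# Constructed snapshots of cumulative counters, one "ip packets bytes" per line.
SNAP_T0 = """\
10.0.0.1 1000 1500000
10.0.0.3 200 300000
10.0.0.4 9000 600000
10.0.0.5 100 10000
10.0.0.6 50 5000
10.0.0.7 800000 900000000
"""
SNAP_T1 = """\
10.0.0.1 7000 10500000
10.0.0.3 1400 2100000
10.0.0.4 609000 36600000
10.0.0.5 400 460000
10.0.0.6 50 5000
10.0.0.7 12000 4500000
10.0.0.8 60 6000
"""

def parse_snapshot(text):
    # Returns {ip: (packets, bytes)}; rejects lines with a malformed address.
    counters = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, packets, octets = line.split()
        counters[str(ipaddress.ip_address(ip))] = (int(packets), int(octets))
    return counters

def rates(prev, curr, interval):
    # Returns {ip: (pps, bps)} for the interval between the two snapshots.
    out = {}
    for ip, (pk, by) in curr.items():
        ppk, pby = prev.get(ip, (0, 0))  # host first seen in this run
        # A counter that went backwards was reset; count from zero, not negative.
        dpk = pk - ppk if pk >= ppk else pk
        dby = by - pby if by >= pby else by
        out[ip] = (dpk / interval, dby * 8 / interval)
    return out

def top_talkers(rate_table, n=5, key="bps"):
    idx = 1 if key == "bps" else 0
    return sorted(rate_table.items(), key=lambda kv: (-kv[1][idx], kv[0]))[:n]

if __name__ == "__main__":
    table = rates(parse_snapshot(SNAP_T0), parse_snapshot(SNAP_T1), INTERVAL)
    for ip, (pps, bps) in top_talkers(table):
        print(f"{ip:<12} {pps:>10.1f} pps {bps:>12.0f} bps")
```

Ranking by pps and by bps gives different orders on the sample data, which is why the two are kept separate: a host sending many small packets can top the pps list while staying modest in bps.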

