netfilter.vger.kernel.org archive mirror
From: Pablo Neira Ayuso <pablo@netfilter.org>
To: "Yucong Sun (叶雨飞)" <sunyucong@gmail.com>
Cc: Eric Leblond <eric@regit.org>, netfilter@vger.kernel.org
Subject: Re: per host accounting
Date: Wed, 25 Jul 2012 12:19:51 +0200
Message-ID: <20120725101951.GA22430@1984>
In-Reply-To: <CAJygYd2f0P7kJmVtAcPEJ+oSpSfqVtYN4ksWw4qqe7=_ELdg6w@mail.gmail.com>

On Mon, Jul 23, 2012 at 03:27:08PM -0700, Yucong Sun (叶雨飞) wrote:
> Thanks for the reply. Yeah, I'm aware of all that you have mentioned,
> please allow me to elaborate on my requirements a little more.
> 
> I have about 500 IPs behind a router, and I want to have something on my
> router to monitor the ingress bps/pps to each specific IP. And I would
> like to have a cron job that scans the result and finds the top 5 IPs
> with the most bps/pps and also does some action against them, calling a
> script, sending an email etc.
> 
> So, it seems none of the existing stuff allows me to do this.

You can add one nfacct rule per IP and then use the nfacct utility to
periodically dump the counters and find the top IPs. Some shell script
should allow what you need. You can also develop your own daemon with
native libnetfilter_acct interfaces to periodically pull the counters
and perform the processing you need.

> The easiest brain-dead solution I can think of is to just create a chain
> with 500 rules in it, and have a cron job to calculate the bytes
> difference every time it executes.

Instead of this, I'd go nfacct.

> Obviously, this will introduce a
> lot of delays. I'm hoping to have something that basically doesn't
> affect performance too much and/or something to just generate a table
> of ip / accumulative packets / accumulative bytes, and I will be able
> to work with that.

Well, how much is "a lot of delay"? I think your performance concerns
need real numbers. I don't think that will be too much as you mention.
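
The approach suggested in this message (one nfacct object per IP, a periodic counter dump, then picking the top IPs), as an added shell example that is not part of the original thread. The `host-<ip>` object names and the snapshot file paths are assumptions of the example; the parser expects the default plain-text line format of `nfacct list`.

```shell
#!/bin/sh
# Added example. Assumed setup, one accounting object and one rule per host:
#   nfacct add host-192.0.2.10
#   iptables -A FORWARD -d 192.0.2.10 -m nfacct --nfacct-name host-192.0.2.10
# The "host-<ip>" naming and the file paths below are assumptions.

# top_hosts PREV CUR SECONDS N
# PREV and CUR are saved outputs of `nfacct list`, one line per object:
#   { pkts = 00000000000000000012, bytes = 00000000000000001024 } = host-192.0.2.10;
# Prints "name bytes_per_sec pkts_per_sec" for the N busiest hosts, by bytes/s
# and then packets/s, over the SECONDS between the two snapshots.
top_hosts() {
    awk -v secs="$3" '
        # Extract pkts, bytes and the object name from one nfacct line.
        function parse(line,    f, n) {
            gsub(/[{},;=]/, " ", line)
            n = split(line, f, " ")        # pkts <num> bytes <num> <name>
            if (n != 5 || f[1] != "pkts" || f[3] != "bytes") return 0
            p = f[2] + 0; b = f[4] + 0; name = f[5]
            return 1
        }
        # First file: remember the previous counters.
        FILENAME == ARGV[1] { if (parse($0)) { pp[name] = p; pb[name] = b }; next }
        # Second file: compute the delta against the previous snapshot.
        parse($0) {
            dp = p - pp[name]; db = b - pb[name]
            # Counter went backwards (object reset or re-created): count from 0.
            if (dp < 0 || db < 0) { dp = p; db = b }
            printf "%s %.0f %.0f\n", name, int(db / secs), int(dp / secs)
        }
    ' "$1" "$2" | sort -k2,2nr -k3,3nr | head -n "$4"
}

# Cron-style usage, once per minute, top 5:
#   nfacct list > /var/run/nfacct.cur
#   top_hosts /var/run/nfacct.prev /var/run/nfacct.cur 60 5
#   mv /var/run/nfacct.cur /var/run/nfacct.prev
```

Objects that are missing from the previous snapshot are counted from zero, so a first run against an empty previous file reports totals since the objects were created.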
