[announce] iptables + rrdtool
Guy Fraser
guy at incentre.net
Thu Nov 10 18:01:32 UTC 2005
On Thu, 2005-10-11 at 15:17 +0000, Timothy Murphy wrote:
> iptgraph sf.net project wrote:
>
> > We would like to announce our project iptgraph. It draws network
> > throughput (using rrdtool) based on the iptables rules. We welcome any
> > comments/suggestions to our project.
>
> I don't know much about RRD/rrdtool,
> and find it incredibly difficult to use,
> so I would certainly welcome any simplifying tools.
>
> However, I don't really see why it is necessary to add kernel patches?
> Couldn't one get the necessary information from iptables logs?
>
I have not had a chance to go over the kernel patch, but from looking
at the source code for the daemon, it appears that the kernel patches
are designed to create about 40 unsigned long octet accumulators and
about another 40 unsigned long counters in kernel space that are
accessed via /proc/net/ipt_graph.

Is there a better way to access the accumulators and counters than
using /sbin/iptables -vxL and parsing the output?

Accessing the counters from proc seems to be an efficient method
of accessing (40*2*8)=640 bytes or so of data, rather than parsing and
translating iptables output.

It may be a better idea to provide the patch directly to the kernel
developers to muse over.

A suggestion I would make is to double the counters and separate the
incoming and outgoing traffic, but I will have to admit I did not
completely analyze the source code to determine exactly what is
tracked.
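
For comparison with the /proc approach discussed in this message, here is an added example (not from the thread or from the iptgraph project) of what parsing `/sbin/iptables -vxL` output into per-rule byte deltas for graphing involves. The sample output is constructed, and the names `parse_counters` and `byte_deltas` are hypothetical.

```python
import re

# Constructed sample in the layout printed by `iptables -vxL` (with -n);
# not captured from a real host. -x is required: without it counters are
# abbreviated (e.g. "12K") and the rows below would not parse as integers.
TEMPLATE = """\
Chain INPUT (policy ACCEPT 1500 packets, 210000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
{0:>8} {1:>10} ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
{2:>8} {3:>10}            udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:53

Chain OUTPUT (policy ACCEPT 900 packets, 99000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
"""
SAMPLE_T0 = TEMPLATE.format(100, 12000, 40, 9000)
SAMPLE_T1 = TEMPLATE.format(160, 20000, 5, 600)   # second rule was zeroed in between

CHAIN_RE = re.compile(
    r"^Chain (\S+) \((?:policy (\S+) (\d+) packets, (\d+) bytes|\d+ references)\)")

def parse_counters(text):
    """Return {(chain, rule_index): (packets, bytes)}; index 0 is the chain policy."""
    counters, chain, idx = {}, None, 0
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain, idx = m.group(1), 0
            if m.group(2):                      # built-in chain: policy counters
                counters[(chain, 0)] = (int(m.group(3)), int(m.group(4)))
            continue
        fields = line.split()
        # Rule rows start with two integers; the column header starts with "pkts".
        # Only the first two fields are used, so a rule with an empty target
        # column (which shifts every later field) is still counted correctly.
        if chain and len(fields) >= 2 and fields[0].isdigit() and fields[1].isdigit():
            idx += 1
            counters[(chain, idx)] = (int(fields[0]), int(fields[1]))
    return counters

def byte_deltas(prev, curr):
    """Bytes added per counter between two samples. A counter that went
    backwards (iptables -Z, ruleset reload) is treated as restarted from zero."""
    out = {}
    for key, (_, now) in curr.items():
        old = prev.get(key, (0, 0))[1]
        out[key] = now - old if now >= old else now
    return out
```

Rules are keyed by position in the chain, so inserting or deleting a rule between samples shifts the keys and the deltas for that interval should be discarded.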