
Re: iptables: reading counters



On Sat, Jan 08, 2005 at 08:00:44PM -0800, Mike Mestnik wrote:
> 
> --- Marcin Owsiany <porridge@debian.org> wrote:
> 
> > On Fri, Jan 07, 2005 at 10:00:36PM -0800, Mike Mestnik wrote:
> > > See '-n' in most any man page(including iptables).  Then use DNS or
> > > hosts/networks/services for your host/net/port name resolving.
> > 
> > Again, this is not a problem of symbolic vs numerical address matching.
> > See my other post..
> > 
> The best I can figure then is that you want an alias for...
> $7 == "eth2" && $8 == "eth1" && $9  == "192.168.254.2"
> 
> In perl it would be something like...
> $foo-out = "eth2[[:space:]]+eth1[[:space:]]+192.168.254.2";
> if ~/$foo-out/ ...

We're getting closer :-)

I want to somehow stick a literal "foo-out" into the line that "iptables
-L" produces, so that I can match it with:

if (/\sfoo-out\s*$/) {...

What I would like is a --label argument for the ACCEPT rule, which would
act similarly to the --log-prefix rule (in terms of the iptables -L
output only, I DON'T want any logging).

This way the statistics collecting script will not need to be concerned
with the low-level stuff like actual interface names, exact ip addresses
or port numbers.  If all it has to deal with was such abstract "labels"
and the byte/packet counts, it could be made very compact, like:

#!/usr/bin/perl -n
feed_rrd($3, $1, $2) if /^\s*(\d+)\s+(\d+).*\s(\w+)$/ and -f "$3.rrd";
# $1 and $2 would be the counts, and $3 would be the label

Compare this to the maintenance effort required when you need to update
the script every time you modify or add a rule...

Marcin
-- 
Marcin Owsiany <porridge@debian.org>             http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216  FE67 DA2D 0ACA FC5E 3F75  D6F6 3A0D 8AA0 60F4 1216
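An added example, not code from this thread, of the collector sketched above, written in Python rather than Perl. It assumes the label is attached to a rule with the iptables comment match (`-m comment --comment foo-out`), which `iptables -L -v -n -x` prints as `/* foo-out */` at the end of the rule line, and it runs over a constructed listing embedded inline.

```python
import re
from typing import Dict, Tuple

# Constructed sample of `iptables -L FORWARD -v -n -x` output (not real data).
# -x matters: without it counters are abbreviated (12K, 3M) and won't match \d+.
SAMPLE = """\
Chain FORWARD (policy DROP 12 packets, 720 bytes)
    pkts      bytes target     prot opt in     out     source               destination
   12345  9876543 ACCEPT     all  --  eth2   eth1    192.168.254.2        0.0.0.0/0            /* foo-out */
     678    45678 ACCEPT     all  --  eth1   eth2    0.0.0.0/0            192.168.254.2        /* foo-in */
       0        0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:23
"""

# A counter line: leading pkts and bytes, anything in between, then a trailing
# "/* label */" as printed for rules carrying "-m comment --comment label".
# Labels are assumed to be single tokens (no spaces), like "foo-out".
RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s.*?/\*\s*([\w.:-]+)\s*\*/\s*$")


def parse_counters(listing: str) -> Dict[str, Tuple[int, int]]:
    """Map label -> (packets, bytes) for every labelled rule in the listing.

    Unlabelled rules (like the DROP for telnet in the sample) are skipped on
    purpose: the collector only deals with abstract labels, never with
    interface names, addresses or ports.
    """
    counters: Dict[str, Tuple[int, int]] = {}
    for line in listing.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        pkts, nbytes, label = m.groups()
        if label in counters:
            raise ValueError(f"duplicate label {label!r}; labels must be unique")
        counters[label] = (int(pkts), int(nbytes))
    return counters


if __name__ == "__main__":
    for label, (pkts, nbytes) in parse_counters(SAMPLE).items():
        # feed_rrd(label, pkts, nbytes) would go here, as in the Perl sketch.
        print(f"{label}: {pkts} packets, {nbytes} bytes")
```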