
Re: IP Accounting and 2.4



On Wed, Jul 04, 2001 at 07:10:56PM +0200, Alexander Reelsen wrote:
> On Tue, Jul 03, 2001 at 05:44:42PM -0500, Chad C. Walstrom wrote:
> > The powers that be, those that provide my paycheck, didn't like the
> > ipac-ng graphics and wanted something prettier.  
>
> Welcome to the club. :) You might have heard of hoth, an rrdtool
> based accounting tool for ipchains. Incidentally written by me ;-)

I had heard of hoth[1], but I didn't really get a chance to check it
out.  Partly because I did notice that you said it wasn't ready for
Linux 2.4 yet.

> So, if you have either patience or you're able to hack perl you're
> invited to join me and to make the perfect[tm] rrdtool based
> iptables accounting tool.

I'll take a look at it and let you know.  It's obvious that I'll have
to hack on something, so I may as well help you. ;-)

> Last, but not least you asked for intelligent accounting rules. My
> hint would be to have three chains, acct_in, acct_out, acct_both and
> to have tree style subchains for networks like (not an ascii art
> freak, sorry)

The sub-chains for subnets are a very good idea.  I had considered that
as well, but I think that even a few stops for any packet in an
accounting chain is a bit too much.  We should really be able to use
one rule that shoves a copy of each packet into a non-blocking queue
where it can be fetched and analyzed by some userspace program.  I've
not looked nor run any benchmarks to support this idea, but it seems
logical enough.  That's partly why I was so intrigued by fiprad[2].

I do agree that tree-style rules are nice, but I really only want to
use them for a "useful" purpose, such as blocking @home users. ;-) (I
wish.)

-- 
Chad Walstrom <chewie@wookimus.net>                 | a.k.a. ^chewie
http://www.wookimus.net/                            | s.k.a. gunnarr
Key fingerprint = B4AB D627 9CBD 687E 7A31  1950 0CC7 0B18 206C 5AFD
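
The tree-style accounting chains discussed in this message, as an added example that is not part of either poster's mail or of hoth: the script prints (does not run) iptables commands and counts how many rules a packet is compared against in the tree versus a flat per-host chain. The `acct_in_N` subchain names, the 192.0.2.0/24 prefix and the split into four /26 blocks are assumptions, since the layout sketched in the original message is not quoted here.

```shell
#!/bin/sh
# Added example: prints iptables commands, it does not execute them.
# NET is a constructed /24 prefix (documentation range), not from the thread.
NET=192.0.2

# Emit a two-level accounting tree for inbound traffic:
# acct_in -> four /26 subchains -> one count-only rule per host.
emit_acct_tree() {
    echo "iptables -N acct_in"
    echo "iptables -A FORWARD -d $NET.0/24 -j acct_in"
    block=0
    while [ "$block" -lt 4 ]; do
        base=$((block * 64))
        echo "iptables -N acct_in_$block"
        echo "iptables -A acct_in -d $NET.$base/26 -j acct_in_$block"
        host=$base
        while [ "$host" -lt $((base + 64)) ]; do
            # No -j target: the rule only updates its packet/byte counters.
            echo "iptables -A acct_in_$block -d $NET.$host"
            host=$((host + 1))
        done
        block=$((block + 1))
    done
}

# Rules a packet to $NET.<octet> is compared against inside the tree:
# every jump rule in acct_in (traversal resumes there after the subchain
# returns) plus every rule of the one subchain it enters.
rules_checked() {
    block=$(( $1 / 64 ))
    top=$(emit_acct_tree | grep -c -- "-A acct_in -d")
    sub=$(emit_acct_tree | grep -c -- "-A acct_in_$block -d")
    echo $((top + sub))
}

# A flat chain would hold one rule per host, all checked for every packet.
flat_rules() {
    emit_acct_tree | grep -c -- "-A acct_in_[0-3] -d $NET\.[0-9]*\$"
}

echo "tree: $(rules_checked 130) rules checked per packet, flat: $(flat_rules)"
```

The per-host counters are read back with `iptables -L acct_in_2 -v -n -x`, which is the kind of output an rrdtool-based collector would parse.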
