path: root/2005/flow-accounting-lt2005/abstract
Flow based network accounting with Linux

Many networking scenarios require some form of network accounting that goes
beyond the simple packet and byte counters available from the 'ifconfig'
output.

When people want to do network accounting, neither past nor current Linux
kernels have provided them with any reasonable mechanism for doing so.

Network accounting can generally be done in a number of different ways.  The
traditional way is to capture all packets by some userspace program.  Capturing
can be done via a number of mechanisms such as PF_PACKET sockets, mmap()ed
PF_PACKET, ipt_ULOG, or ip_queue. This userspace program then analyzes the
packets and aggregates the result into per-flow data structures.

Whatever mechanism is used, this scheme has a fundamental performance limitation,
since every packet needs to be copied to, and analyzed by, a userspace process.

The author has implemented a different approach, in which the accounting
information is stored in the in-kernel connection tracking table of the
ip_conntrack stateful firewall state machine.  On every firewall, that
state table has to be kept anyway, so the additional overhead introduced by
accounting is minimal.

Once a connection is evicted from the state table, its accounting-relevant
data is transferred to userspace, to a special accounting daemon, for further
processing, aggregation and finally storage in the accounting log/database.

personal git repositories of Harald Welte. Your mileage may vary