% Flow-based network accounting with Linux
% Harald Marc Welte (laforge@gnumonks.org)
Many networking scenarios require some form of
network accounting that goes beyond the simple
per-interface packet and byte counters available
from the `ifconfig' output.
So far, past and current Linux kernels have not
provided any reasonable mechanism for doing
such accounting.
Network accounting can generally be done in a
number of different ways. The traditional way
is to capture all packets with some userspace
program. Capturing can be done via a number of
mechanisms such as \ident{PF_PACKET} sockets, \ident{mmap()}ed
\ident{PF_PACKET}, \ident{ipt_ULOG}, or \ident{ip_queue}. The
userspace program then analyzes the packets
and aggregates the result into per-flow data
structures.
Whatever mechanism is used, this scheme has a
fundamental performance limitation: every
packet has to be copied to, and analyzed by, a
userspace process.
The author has implemented a different
approach, in which the accounting information
is stored in the in-kernel connection tracking
table of the \ident{ip_conntrack} stateful firewall
state machine. Every stateful firewall has to
keep that state table anyway, so the
additional overhead introduced by accounting
is minimal.
Once a connection is evicted from the state
table, its accounting-relevant data is
transferred to userspace, to a special
accounting daemon, for further processing,
aggregation and finally storage in the
accounting log/database.
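To make the per-connection counters concrete, here is an added example (not code from the proposal or from the author's accounting daemon) that reads the connection tracking table as current kernels export it in /proc/net/nf_conntrack and extracts the per-direction packet and byte counters of each flow. It assumes that format, and that the counters are present only for entries created while the sysctl net.netfilter.nf_conntrack_acct was set to 1; the three table entries are constructed sample data, and the last one deliberately lacks counters.

```python
"""Parse Linux conntrack-table entries and read their per-flow counters.

Added example; not code from the original page or from the author's
accounting daemon. It assumes the line format of /proc/net/nf_conntrack on
current kernels, where each direction of a connection carries packets= and
bytes= fields only if the sysctl net.netfilter.nf_conntrack_acct is 1.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample snapshot in the /proc/net/nf_conntrack format (three
# entries; the last was created with accounting disabled, so it has no
# packets=/bytes= fields).
SAMPLE_TABLE = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=51234 dport=443 packets=12 bytes=1840 src=198.51.100.5 dst=192.0.2.10 sport=443 dport=51234 packets=10 bytes=9216 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=192.0.2.10 dst=192.0.2.1 sport=40000 dport=53 packets=1 bytes=71 src=192.0.2.1 dst=192.0.2.10 sport=53 dport=40000 packets=1 bytes=183 mark=0 zone=0 use=2
ipv4     2 tcp      6 117 TIME_WAIT src=192.0.2.11 dst=198.51.100.5 sport=51235 dport=80 src=198.51.100.5 dst=192.0.2.11 sport=80 dport=51235 [ASSURED] mark=0 zone=0 use=2
"""

COUNTER_KEYS = ("packets", "bytes")
TUPLE_KEYS = ("src", "dst", "sport", "dport") + COUNTER_KEYS


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str          # original-direction source (the connection initiator)
    dst: str
    sport: Optional[int]
    dport: Optional[int]
    # Counters are None when the entry carries no accounting fields, so that
    # "not accounted" is never mistaken for "zero traffic".
    orig_packets: Optional[int]
    orig_bytes: Optional[int]
    reply_packets: Optional[int]
    reply_bytes: Optional[int]

    @property
    def total_bytes(self) -> Optional[int]:
        if self.orig_bytes is None or self.reply_bytes is None:
            return None
        return self.orig_bytes + self.reply_bytes


def _to_int(value: Optional[str]) -> Optional[int]:
    return None if value is None else int(value)


def parse_entry(line: str) -> Flow:
    """Split one conntrack entry into its original and reply tuples.

    The entry starts with fixed columns (l3proto, l3num, l4proto, l4num,
    timeout[, state]); each direction then starts with a src= token.
    Every token without '=' (state names, flags like [ASSURED]) is skipped.
    """
    fields = line.split()
    proto = fields[2]
    directions: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for tok in fields:
        if "=" not in tok:
            continue
        key, value = tok.split("=", 1)
        if key == "src":
            current = {}
            directions.append(current)
        if current is not None and key in TUPLE_KEYS:
            current[key] = value
    if len(directions) != 2:
        raise ValueError("expected original and reply tuple: %r" % line)
    orig, reply = directions
    return Flow(
        proto=proto,
        src=orig["src"], dst=orig["dst"],
        sport=_to_int(orig.get("sport")), dport=_to_int(orig.get("dport")),
        orig_packets=_to_int(orig.get("packets")),
        orig_bytes=_to_int(orig.get("bytes")),
        reply_packets=_to_int(reply.get("packets")),
        reply_bytes=_to_int(reply.get("bytes")),
    )


def parse_table(text: str) -> List[Flow]:
    return [parse_entry(ln) for ln in text.splitlines() if ln.strip()]


def bytes_per_source(flows: List[Flow]) -> Dict[str, int]:
    """Aggregate both directions of each accounted flow onto its initiator."""
    totals: Dict[str, int] = {}
    for f in flows:
        if f.total_bytes is not None:
            totals[f.src] = totals.get(f.src, 0) + f.total_bytes
    return totals


def unaccounted(flows: List[Flow]) -> List[Flow]:
    """Flows whose entry has no counters (accounting was off when it was created)."""
    return [f for f in flows if f.total_bytes is None]


if __name__ == "__main__":
    flows = parse_table(SAMPLE_TABLE)
    for f in flows:
        print(f.proto, f.src, f.sport, "->", f.dst, f.dport, "bytes:", f.total_bytes)
    print("per source:", bytes_per_source(flows))
    print("unaccounted entries:", len(unaccounted(flows)))
```

Two caveats follow directly from the example. First, a snapshot of the table only sees connections that are still in it; anything evicted between two polls is lost together with its counters, which is exactly why the design above hands the counters to the accounting daemon at eviction time instead of polling. Second, an entry without counters is not a flow that carried no traffic, so an accounting consumer has to distinguish the two cases rather than defaulting the missing values to zero.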