Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 94139027 authored by Pablo Neira Ayuso's avatar Pablo Neira Ayuso
Browse files

netfilter: add extended accounting infrastructure over nfnetlink 



We currently have two ways to account traffic in netfilter:

- iptables chain and rule counters:

 # iptables -L -n -v
Chain INPUT (policy DROP 3 packets, 867 bytes)
 pkts bytes target     prot opt in     out     source               destination
    8  1104 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0

- use flow-based accounting provided by ctnetlink:

 # conntrack -L
tcp      6 431999 ESTABLISHED src=192.168.1.130 dst=212.106.219.168 sport=58152 dport=80 packets=47 bytes=7654 src=212.106.219.168 dst=192.168.1.130 sport=80 dport=58152 packets=49 bytes=66340 [ASSURED] mark=0 use=1

While trying to display real-time accounting statistics, we require
to pool the kernel periodically to obtain this information. This is
OK if the number of flows is relatively low. However, in case that
the number of flows is huge, we can spend a considerable amount of
cycles to iterate over the list of flows that have been obtained.

Moreover, if we want to obtain the sum of the flow accounting results
that match some criteria, we have to iterate over the whole list of
existing flows, look for matchings and update the counters.

This patch adds the extended accounting infrastructure for
nfnetlink which aims to allow displaying real-time traffic accounting
without the need of complicated and resource-consuming implementation
in user-space. Basically, this new infrastructure allows you to create
accounting objects. One accounting object is composed of packet and
byte counters.

In order to manipulate create accounting objects, you require the
new libnetfilter_acct library. It contains several examples of use:

libnetfilter_acct/examples# ./nfacct-add http-traffic
libnetfilter_acct/examples# ./nfacct-get
http-traffic = { pkts = 000000000000,   bytes = 000000000000 };

Then, you can use one of this accounting objects in several iptables
rules using the new nfacct match (which comes in a follow-up patch):

 # iptables -I INPUT -p tcp --sport 80 -m nfacct --nfacct-name http-traffic
 # iptables -I OUTPUT -p tcp --dport 80 -m nfacct --nfacct-name http-traffic

The idea is simple: if one packet matches the rule, the nfacct match
updates the counters.

Thanks to Patrick McHardy, Eric Dumazet, Changli Gao for reviewing and
providing feedback for this contribution.

Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent 80e60e67

include/linux/netfilter/Kbuild

+1 −0
Original line number Diff line number Diff line
@@ -7,6 +7,7 @@ header-y += nf_conntrack_tcp.h 
header-y += nf_conntrack_tuple_common.h

header-y += nf_nat.h

header-y += nfnetlink.h

header-y += nfnetlink_acct.h

header-y += nfnetlink_compat.h

header-y += nfnetlink_conntrack.h

header-y += nfnetlink_log.h

include/linux/netfilter/nfnetlink.h

+2 −1
Original line number Diff line number Diff line
@@ -48,7 +48,8 @@ struct nfgenmsg { 
#define NFNL_SUBSYS_ULOG		4

#define NFNL_SUBSYS_OSF			5

#define NFNL_SUBSYS_IPSET		6

#define NFNL_SUBSYS_COUNT		7

#define NFNL_SUBSYS_ACCT		7

#define NFNL_SUBSYS_COUNT		8



#ifdef __KERNEL__

include/linux/netfilter/nfnetlink_acct.h

0 → 100644
+36 −0
Original line number Diff line number Diff line 
#ifndef _NFNL_ACCT_H_

#define _NFNL_ACCT_H_



#ifndef NFACCT_NAME_MAX

#define NFACCT_NAME_MAX		32

#endif



enum nfnl_acct_msg_types {

	NFNL_MSG_ACCT_NEW,

	NFNL_MSG_ACCT_GET,

	NFNL_MSG_ACCT_GET_CTRZERO,

	NFNL_MSG_ACCT_DEL,

	NFNL_MSG_ACCT_MAX

};



enum nfnl_acct_type {

	NFACCT_UNSPEC,

	NFACCT_NAME,

	NFACCT_PKTS,

	NFACCT_BYTES,

	NFACCT_USE,

	__NFACCT_MAX

};

#define NFACCT_MAX (__NFACCT_MAX - 1)



#ifdef __KERNEL__



struct nf_acct;



extern struct nf_acct *nfnl_acct_find_get(const char *filter_name);

extern void nfnl_acct_put(struct nf_acct *acct);

extern void nfnl_acct_update(const struct sk_buff *skb, struct nf_acct *nfacct);



#endif /* __KERNEL__ */



#endif /* _NFNL_ACCT_H */

net/netfilter/Kconfig

+8 −0
Original line number Diff line number Diff line
@@ -4,6 +4,14 @@ menu "Core Netfilter Configuration" 
config NETFILTER_NETLINK

	tristate



config NETFILTER_NETLINK_ACCT

tristate "Netfilter NFACCT over NFNETLINK interface"

	depends on NETFILTER_ADVANCED

	select NETFILTER_NETLINK

	help

	  If this option is enabled, the kernel will include support

	  for extended accounting via NFNETLINK.



config NETFILTER_NETLINK_QUEUE

	tristate "Netfilter NFQUEUE over NFNETLINK interface"

	depends on NETFILTER_ADVANCED

net/netfilter/Makefile

+1 −0
Original line number Diff line number Diff line
@@ -7,6 +7,7 @@ nf_conntrack-$(CONFIG_NF_CONNTRACK_EVENTS) += nf_conntrack_ecache.o 
obj-$(CONFIG_NETFILTER) = netfilter.o



obj-$(CONFIG_NETFILTER_NETLINK) += nfnetlink.o

obj-$(CONFIG_NETFILTER_NETLINK_ACCT) += nfnetlink_acct.o

obj-$(CONFIG_NETFILTER_NETLINK_QUEUE) += nfnetlink_queue.o

obj-$(CONFIG_NETFILTER_NETLINK_LOG) += nfnetlink_log.o