Re: Generic IP Chains v1.1 Released - Testers Wanted.

Jan Echternach (jec@DInet.de)
Thu, 20 Nov 1997 15:49:57 +0100


On 20 November 1997, Paul Rusty Russell <Paul.Russell@rustcorp.com.au> wrote:
> Hello all.

Hello Paul. I'm working at an ISP and am responsible for improving IP
accounting in the Linux kernel. So far I've finished a patch to add
tags to accounting and firewall rules. This is to more selectively
read and reset the counters. I'll explain more below, first some comments
on your work:

> Why:
> o Simpler chain management
> o Ability to invert rules
> o 64-bit counters on x86
> o More flexible packet accounting
> o Control over fragments
> o Can specify protocols other than ICMP/TCP/UDP.
> o Packet `marking' for use with Quality of Service when it
> hits the mainstream 2.1 series.

Hmm. A lot of nice features. They don't solve the problems that I have,
but 64-bit counters are important on fast links, simpler chain management
is always better, the possibility to have multiple accounting chains is
almost what I need... Really good work!

> o Now has a (thorough) HOWTO.

Now I know what TOS masks are for and how to use them... very good. It
looks like you've used linuxdoc-sgml to make the HOWTO. Is there an
HTML version or the SGML sources available somewhere?

> o Convenience scripts `ipchains-save' and `ipchains-restore'.

Is there a reason to use ipchains-{save,restore} instead of a hand-written
script that flushes the chains and inserts the rules? I'm not quite seeing
the point here.

To come to my first bug report: I'm not sure, but struct ip_fwnew has
an ip_chainlabel and a struct ip_fwuser, and struct ip_fwuser also has
an ip_chainlabel. Isn't this one label too many?

Next a question about ipfw(4). In the BUGS section, it says

There is no way to read and reset a single chain; stop
packets traversing the chain and then list, reset and
restore traffic.

I don't understand what you mean here. The only way I can think of is to
replace the chain with a fresh one, such that the old chain is no
longer referenced. Then you can read the counters in the old chain and
reset them afterwards. The next time you replace the new chain with the
old chain and so on. This actually looks like a working solution, but it's
not ideal yet.

What I would like to have is a /proc/net/ip_fwchains directory with one
file per chain in it. But I don't know enough about the /proc filesystem
to implement it myself.

I think I have to explain now why I need to atomically read and reset a
single chain. Basically we're using three sets of accounting rules on
our routers. One is for the "normal" accounting. The second and the third
are for bandwidth computations. The rules in the second set are read (and
reset) every 30 seconds, the others only every 10 minutes.

I've solved this with a kernel patch that allows a tag to be specified with
each accounting rule. All rules in the first set have tag 0, all in the
second set tag 1 and so on. There are two new commands to list all rules
with a specified tag and to read and reset the counters of one specific
rule.

A similar approach can be used with the IP chains code. The tags are
replaced with the different chains. The only thing left would be to
implement a new command to list a single chain and optionally reset the
counters while reading them. But a /proc/net/ip_fwchains directory seems
to be the better solution. What do you think about it?

-- 
Jan Echternach

Delta Internet http://www.DInet.de/ Tel. +49 2932 91 6 161 Zeit UmZuDenken! Fax. +49 2932 91 6 230
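The chain-replacement trick described in the message above (swap in a fresh chain, then read and zero the one that is no longer referenced) can be modelled in user space. The following is an added example written for this archive page; it is not code from the post, from the tag patch, or from the ipchains project. All names (acct_set, acct_set_read_reset, and so on), the 8-rule limit and the sample addresses are made up for illustration. It keeps one double-buffered rule list per accounting set, so a 30-second bandwidth set and a 10-minute "normal" set can be read and reset independently, and shows why the swap avoids losing packets that arrive between the read and the reset.

```c
/* Double-buffered accounting chains with 64-bit counters.
 * Added, hypothetical user-space model of the swap-based read-and-reset
 * idea from the post above; not ipchains kernel code, names are invented. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_RULES 8

struct acct_rule {
    uint32_t net;      /* network to match, host byte order */
    uint32_t mask;
    uint64_t packets;  /* 64-bit counters, so fast links do not wrap */
    uint64_t bytes;
};

struct acct_chain {
    struct acct_rule rule[MAX_RULES];
    int nrules;
};

/* One accounting set (the post's tag 0, 1, 2...): two copies of the same
 * rule list. The forwarding path only ever updates chain[active]. */
struct acct_set {
    struct acct_chain chain[2];
    volatile int active;
};

static void acct_set_init(struct acct_set *s) { memset(s, 0, sizeof *s); }

/* Add the same rule to both copies, counters zeroed. Returns -1 if full. */
static int acct_set_add_rule(struct acct_set *s, uint32_t net, uint32_t mask)
{
    for (int i = 0; i < 2; i++) {
        struct acct_chain *c = &s->chain[i];
        if (c->nrules == MAX_RULES)
            return -1;
        c->rule[c->nrules].net = net & mask;
        c->rule[c->nrules].mask = mask;
        c->rule[c->nrules].packets = c->rule[c->nrules].bytes = 0;
        c->nrules++;
    }
    return 0;
}

/* Fast path: what the kernel does per packet. Accounting rules do not
 * stop at the first match, so every matching rule is counted. */
static void acct_set_packet(struct acct_set *s, uint32_t src, uint32_t len)
{
    struct acct_chain *c = &s->chain[s->active];
    for (int i = 0; i < c->nrules; i++) {
        if ((src & c->rule[i].mask) == c->rule[i].net) {
            c->rule[i].packets++;
            c->rule[i].bytes += len;
        }
    }
}

/* Slow path: flip the active copy, then read and zero the copy that is
 * no longer referenced. Packets arriving while we read land in the other
 * copy, so none are lost. A naive "read, then zero in place" would drop
 * whatever arrived between those two steps. Returns the number of rules.
 * In a real kernel the flip needs a barrier or lock so that a packet
 * already traversing the old copy cannot bump a counter after zeroing. */
static int acct_set_read_reset(struct acct_set *s, uint64_t *pkts, uint64_t *bytes)
{
    int old = s->active;
    s->active = old ^ 1;
    struct acct_chain *c = &s->chain[old];
    for (int i = 0; i < c->nrules; i++) {
        pkts[i] = c->rule[i].packets;
        bytes[i] = c->rule[i].bytes;
        c->rule[i].packets = c->rule[i].bytes = 0;
    }
    return c->nrules;
}

/* Constructed scenario: two sets over the same rules, read at different
 * rates. Returns the bytes the "30 s" set reports on its second read. */
static uint64_t acct_demo(void)
{
    struct acct_set normal, bw;   /* 10-minute set and 30-second set */
    uint64_t p[MAX_RULES], b[MAX_RULES];
    acct_set_init(&normal);
    acct_set_init(&bw);
    for (int i = 0; i < 2; i++) {
        struct acct_set *s = i ? &bw : &normal;
        acct_set_add_rule(s, 0x0A000000u, 0xFF000000u); /* 10.0.0.0/8 */
        acct_set_add_rule(s, 0xC0A80100u, 0xFFFFFF00u); /* 192.168.1.0/24 */
    }
    /* constructed traffic: every packet is offered to both sets */
    uint32_t src[] = { 0x0A010203u, 0xC0A80105u, 0x0A0A0A0Au, 0x0A000001u };
    uint32_t len[] = { 100, 200, 50, 10 };
    for (int i = 0; i < 3; i++) {
        acct_set_packet(&normal, src[i], len[i]);
        acct_set_packet(&bw, src[i], len[i]);
    }
    acct_set_read_reset(&bw, p, b);        /* first 30 s read: 150 bytes for 10/8 */
    acct_set_packet(&normal, src[3], len[3]);
    acct_set_packet(&bw, src[3], len[3]);
    acct_set_read_reset(&bw, p, b);        /* second 30 s read: only the last packet */
    uint64_t bw_second = b[0];
    acct_set_read_reset(&normal, p, b);    /* 10-minute set still holds everything */
    printf("10/8: bw set second read %llu bytes, normal set %llu bytes\n",
           (unsigned long long)bw_second, (unsigned long long)b[0]);
    return bw_second;
}

int main(void)
{
    acct_demo();
    return 0;
}
```

The "normal" set is untouched by the frequent reads of the bandwidth set, which is the property the tag patch and per-set chains both provide; the swap is what makes each read-and-reset lossless without stopping traffic through the chain.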