* Double rules for using NETFLOW?
From: Srinivasa T N @ 2011-02-02 10:01 UTC (permalink / raw)
  To: netfilter; +Cc: ABC

Hi All,
     I am using ipt_NETFLOW 1.7 on my RHEL 6 (2.6.32) box.  Now if I 
want to accept a packet destined for some port and at the same time I want 
it to be accounted also, then I have to use the following rules:

iptables -A INPUT --dport <portnum> -j NETFLOW
iptables -A INPUT --dport <portnum> -j ACCEPT

    This means that every packet that I accept needs two rules 
(one for accepting and one for accounting).  Don't you people think that 
it will increase the number of rules a packet has to traverse?  Or is my 
understanding wrong?

Regards,
Seenu.


* Re: Double rules for using NETFLOW?
From: Giles Coochey @ 2011-02-02 10:09 UTC (permalink / raw)
  To: Srinivasa T N; +Cc: netfilter, ABC


On 02/02/2011 11:01, Srinivasa T N wrote:
> Hi All,
>     I am using ipt_NETFLOW 1.7 on my RHEL 6 (2.6.32) box.  Now if I 
> want to accept a packet destined for some port and at the same time I 
> want it to be accounted also, then I have to use the following rules:
>
> iptables -A INPUT --dport <portnum> -j NETFLOW
> iptables -A INPUT --dport <portnum> -j ACCEPT
>
>    This means that every packet that I accept needs two rules 
> (one for accepting and one for accounting).  Don't you people think 
> that it will increase the number of rules a packet has to traverse?  
> Or is my understanding wrong?
>
umm... more actions on packets = more processing... so yes, Netflow 
accounting will produce a CPU overhead.

No such thing as a free lunch :-)

-- 
Best Regards,

Giles Coochey
NetSecSpec Ltd
NL T-Systems Mobile: +31 681 265 086
NL Mobile: +31 626 508 131
GIB Mobile: +350 5401 6693
Email/MSN/Live Messenger: giles@coochey.net
Skype: gilescoochey





* Re: Double rules for using NETFLOW?
From: Grant Taylor @ 2011-02-02 17:56 UTC (permalink / raw)
  To: Mail List - Netfilter

On 2/2/2011 4:01 AM, Srinivasa T N wrote:
> I am using ipt_NETFLOW 1.7 on my RHEL 6 (2.6.32) box. Now if I want to
> accept a packet destined for some port and at the same time I want it to
> be accounted also, then I have to use the following rules:

I take it that the accounting you want is more than the simple packet / 
byte counters that already exist.

> iptables -A INPUT --dport <portnum> -j NETFLOW
> iptables -A INPUT --dport <portnum> -j ACCEPT
>
> This means that every packet that I accept needs two rules (one
> for accepting and one for accounting). Don't you people think that it
> will increase the number of rules a packet has to traverse? Or is my
> understanding wrong?

You could do something like this:

iptables -N myChain
iptables -A myChain -j NETFLOW
iptables -A myChain -j ACCEPT

iptables -A INPUT --dport <portnum> -j myChain

Doing this will reduce the number of matches that have to be performed 
and allow the (sub)chain to simply apply actions to the packets.

This might seem like overkill with your simple example, but when you 
start putting multiple matches on each rule, or have more actions in 
sequence (e.g. LOG), you start gaining more quickly.  Further, if you have 
other rules that are matching other packets, they will not have to 
traverse the condition that they will not match more than one time.

IPTables gives you a skeleton that you can do a lot of different things 
in.  It's really up to you how you put it together and how you optimize 
rule traversal.

In some ways I could liken IPTables (and brethren) to a simple 
programming language.  As such, it's not the language itself that is 
the limitation, just your imagination on how you use said language.  :-)



Grant. . . .


* Re: Double rules for using NETFLOW?
From: Srinivasa T N @ 2011-02-03  5:15 UTC (permalink / raw)
  To: Mail List - Netfilter

On Wednesday 02 February 2011 11:26 PM, Grant Taylor wrote:
> On 2/2/2011 4:01 AM, Srinivasa T N wrote:
>> I am using ipt_NETFLOW 1.7 on my RHEL 6 (2.6.32) box. Now if I want to
>> accept a packet destined for some port and at the same time I want it to
>> be accounted also, then I have to use the following rules:
>
> I take it that the accounting you want is more than the simple packet /
> byte counters that already exist.
But how will I have access to the counters from my user land app?
>
>> iptables -A INPUT --dport <portnum> -j NETFLOW
>> iptables -A INPUT --dport <portnum> -j ACCEPT
>>
>> This means that every packet that I accept needs two rules (one
>> for accepting and one for accounting). Don't you people think that it
>> will increase the number of rules a packet has to traverse? Or is my
>> understanding wrong?
>
> You could do something like this:
>
> iptables -N myChain
> iptables -A myChain -j NETFLOW
> iptables -A myChain -j ACCEPT
>
> iptables -A INPUT --dport <portnum> -j myChain
>
> Doing this will reduce the number of matches that have to be performed
> and allow the (sub)chain to simply apply actions to the packets.
>
> This might seem like overkill with your simple example, but when you
> start putting multiple matches on each rule, or have more actions in
> sequence (e.g. LOG), you start gaining more quickly. Further, if you have
> other rules that are matching other packets, they will not have to
> traverse the condition that they will not match more than one time.
>
> IPTables gives you a skeleton that you can do a lot of different things
> in. It's really up to you how you put it together and how you optimize
> rule traversal.
>
> In some ways I could liken IPTables (and brethren) to a simple
> programming language. As such, it's not the language itself that is
> the limitation, just your imagination on how you use said language. :-)
>
>
>
> Grant. . . .
> --
Regards,
Seenu.


* Re: Double rules for using NETFLOW?
From: Grant Taylor @ 2011-02-03 20:14 UTC (permalink / raw)
  To: Mail List - Netfilter

On 02/02/11 23:15, Srinivasa T N wrote:
> But how will I have access to the counters from my user land app?

I'd be extremely surprised if there were APIs that you can use to query 
the kernel.  -  Though, I don't work on programming (like that) so I 
don't know first hand.

At the very least, you can find the counters via the output of the 
iptables command.  I.e. I can issue the following command:

    iptables -t filter -L FORWARD -n -v -x

This will give me a packet / byte count (-v) that is exact (-x) for packets that 
have matched various rules.  I.e. the above command produced the following 
output:

Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
 3783934 4488563274 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
 2632183  290464220 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0

If you are worried about knowing which rule you want to read the 
counters on, use the comment match extension that will allow you to put 
a comment / string to flag on in the output.  This will allow you to 
grep for that line of output.

There might even be some way via /proc or /sys to find what you are 
asking, but I don't know.



Grant. . . .
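A user-land reader for the counters Grant describes, as an added example (not code from the thread or from ipt_NETFLOW): it parses an `iptables -L -n -v -x` listing and looks a rule up by the tag set with `-m comment --comment`, so an application can grep-free read the packet/byte count of one specific rule. The listing below is constructed to match the format shown above (the chain name `myChain` is Grant's, the tag `acct-port-8080` is an assumption); on a real host the same text comes from running iptables with those flags.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of `iptables -t filter -L myChain -n -v -x` output,
# modelled on the listing format shown in the thread (not captured from a host).
SAMPLE_OUTPUT = """\
Chain myChain (1 references)
    pkts      bytes target     prot opt in     out     source               destination
    1200      96000 NETFLOW    all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* acct-port-8080 */
    1200      96000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

# Column order printed by `iptables -L -n -v -x`; -x keeps the counters exact.
_COLUMNS = ("pkts", "bytes", "target", "prot", "opt", "in", "out", "source", "destination")
# The comment match extension renders its text as /* ... */ after the fixed columns.
_COMMENT_RE = re.compile(r"/\*\s*(.*?)\s*\*/")


def parse_counters(listing: str) -> List[Dict[str, object]]:
    """Turn the rule lines of an iptables listing into dicts with integer counters.

    "Chain ..." and column-header lines are skipped; any text after the nine
    fixed columns (state matches, comments) is kept in "extra", and a comment
    set with `-m comment --comment` is extracted into "comment".
    """
    rules: List[Dict[str, object]] = []
    chain: Optional[str] = None
    for line in listing.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "Chain":
            chain = fields[1]          # remember which chain the rules belong to
            continue
        if fields[0] == "pkts" or len(fields) < len(_COLUMNS):
            continue                   # column header or a non-rule line
        rule: Dict[str, object] = dict(zip(_COLUMNS, fields[: len(_COLUMNS)]))
        rule["pkts"] = int(rule["pkts"])
        rule["bytes"] = int(rule["bytes"])
        rule["chain"] = chain
        extra = " ".join(fields[len(_COLUMNS):])
        rule["extra"] = extra
        match = _COMMENT_RE.search(extra)
        rule["comment"] = match.group(1) if match else None
        rules.append(rule)
    return rules


def counters_for_comment(listing: str, comment: str) -> Optional[Dict[str, int]]:
    """Return {'pkts': n, 'bytes': n} for the rule tagged with `comment`, else None."""
    for rule in parse_counters(listing):
        if rule["comment"] == comment:
            return {"pkts": rule["pkts"], "bytes": rule["bytes"]}
    return None
```

Polling this listing still costs a full chain dump per read, which is what Seenu objects to below; it is the cheapest option the thread actually confirms, not a zero-cost one.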


* Re: Double rules for using NETFLOW?
From: Srinivasa T N @ 2011-02-04  5:02 UTC (permalink / raw)
  To: Mail List - Netfilter

On Friday 04 February 2011 01:44 AM, Grant Taylor wrote:
> On 02/02/11 23:15, Srinivasa T N wrote:
>> But how will I have access to the counters from my user land app?
>
> I'd be extremely surprised if there were APIs that you can use to query
> the kernel. - Though, I don't work on programming (like that) so I don't
> know first hand.
>
> At the very least, you can find the counters via the output of the
> iptables command. I.e. I can issue the following command:
>
> iptables -t filter -L FORWARD -n -v -x
>
> This will give me a packet / byte count (-v) that is exact (-x) for packets that
> have matched various rules. I.e. the above command produced the following
> output:
>
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
>     pkts      bytes target     prot opt in     out     source               destination
>  3783934 4488563274 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>  2632183  290464220 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0
>
> If you are worried about knowing which rule you want to read the
> counters on, use the comment match extension that will allow you to put
> a comment / string to flag on in the output. This will allow you to grep
> for that line of output.
>
> There might even be some way via /proc or /sys to find what you are
> asking, but I don't know.
>
>
>
> Grant. . . .
> --
I was interested in knowing a programmatic way, as performance is of 
utmost importance to me.

Seenu.
