Place for ipt_ACCOUNT/ipt_NETFLOW

Place for ipt_ACCOUNT/ipt_NETFLOW

[Srinivasa T N]

Hi All,
     Is it possible for me to place rules related to accounting after 
filter table in the INPUT chain so that the accounting takes place only 
on the packets I am accepting in my box?

Regards,
Seenu.

Re: Place for ipt_ACCOUNT/ipt_NETFLOW

[Bob Miller]

On Thu, 2011-02-03 at 14:20 +0530, Srinivasa T N wrote:
> Hi All,
>      Is it possible for me to place rules related to accounting after 
> filter table in the INPUT chain so that the accounting takes place only 
> on the packets I am accepting in my box?

According to the nf-packet-flow diagram I have been referring too, the
INPUT chain on the filter table is the place to count packets destined
only for the box.
If that is not correct, I hope someone says so, because it would explain
some confusion I have been having lately...

> 
> Regards,
> Seenu.
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

Bob Miller
334-7117/660-5315
http://computerisms.ca
bob@computerisms.ca
Network, Internet, Server,
and Open Source Solutions

Re: Place for ipt_ACCOUNT/ipt_NETFLOW

[Grant Taylor]

On 02/03/11 02:50, Srinivasa T N wrote:
> Is it possible for me to place rules related to accounting after filter
> table in the INPUT chain so that the accounting takes place only on the
> packets I am accepting in my box?

I hope I'm understanding you correctly.

It sounds like you are wanting to do your accounting after you filter 
out most of the chaff / noise / IBR that you don't want.  Correct?

If this is the case, why don't you have your filtering rules DROP / 
REJECT / otherwise discard the packets you don't want and then have a 
follow up rule that ACCEPTS the packet and do your accounting there?

At least if I understand you correctly, filtering packets before they 
hit your accounting rule should do what you are wanting.



Grant. . . .

Re: Place for ipt_ACCOUNT/ipt_NETFLOW

[Srinivasa T N]

On Friday 04 February 2011 01:48 AM, Grant Taylor wrote:
> On 02/03/11 02:50, Srinivasa T N wrote:
>> Is it possible for me to place rules related to accounting after filter
>> table in the INPUT chain so that the accounting takes place only on the
>> packets I am accepting in my box?
>
> I hope I'm understanding you correctly.
>
> It sounds like you are wanting to do your accounting after you filter
> out most of the chaff / noise / IBR that you don't want. Correct?

Yes, you are correct.
>
> If this is the case, why don't you have your filtering rules DROP /
> REJECT / otherwise discard the packets you don't want and then have a
> follow up rule that ACCEPTS the packet and do your accounting there?
>
> At least if I understand you correctly, filtering packets before they
> hit your accounting rule should do what you are wanting.
>
But adding rules to discard the unwanted traffic and then do an 
accounting for the rest of the packets in not a good idea.  I may not 
even know what type of packets may arrive and writing rules to discard 
each of unwanted packets is difficult.  So, I prefer to write rules to 
accept only the packets that are required and then drop the other 
packets.  I wanted to do the accounting only for packets that I accept.
>
>
> Grant. . . .
> --

Regards,
Seenu.

Re: Place for ipt_ACCOUNT/ipt_NETFLOW

[Srinivasa T N]

On Thursday 03 February 2011 10:25 PM, Bob Miller wrote:
> On Thu, 2011-02-03 at 14:20 +0530, Srinivasa T N wrote:
>> Hi All,
>>       Is it possible for me to place rules related to accounting after
>> filter table in the INPUT chain so that the accounting takes place only
>> on the packets I am accepting in my box?
>
> According to the nf-packet-flow diagram I have been referring too, the
> INPUT chain on the filter table is the place to count packets destined
> only for the box.
> If that is not correct, I hope someone says so, because it would explain
> some confusion I have been having lately...
You are correct in saying that the packets destined for my box come in 
INPUT chain.  But, I will have the rules to filter out unwanted stuff in 
that table and do the accounting only for those packets which pass 
through these rules and reach upper layer.
>
>>
>> Regards,
>> Seenu.
>> --
>> To unsubscribe from this list: send the line "unsubscribe netfilter" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>
> Bob Miller
> 334-7117/660-5315
> http://computerisms.ca
> bob@computerisms.ca
> Network, Internet, Server,
> and Open Source Solutions
>
>
Regards,
Seenu.

Re: Place for ipt_ACCOUNT/ipt_NETFLOW

[Grant Taylor]

On 02/03/11 23:22, Srinivasa T N wrote:
> But adding rules to discard the unwanted traffic and then do an
> accounting for the rest of the packets in not a good idea. I may not
> even know what type of packets may arrive and writing rules to discard
> each of unwanted packets is difficult. So, I prefer to write rules to
> accept only the packets that are required and then drop the other
> packets. I wanted to do the accounting only for packets that I accept.

Do the accounting on the rules that you write to decide what traffic to 
accept.



Grant. . . .

Re: Place for ipt_ACCOUNT/ipt_NETFLOW

[Srinivasa T N]

On Saturday 05 February 2011 09:08 AM, Grant Taylor wrote:
> On 02/03/11 23:22, Srinivasa T N wrote:
>> But adding rules to discard the unwanted traffic and then do an
>> accounting for the rest of the packets in not a good idea. I may not
>> even know what type of packets may arrive and writing rules to discard
>> each of unwanted packets is difficult. So, I prefer to write rules to
>> accept only the packets that are required and then drop the other
>> packets. I wanted to do the accounting only for packets that I accept.
>
> Do the accounting on the rules that you write to decide what traffic to
> accept.
>
This will double the number of rules a packet has to traverse (One rule 
for accounting and one rule for accept).  Is there are other alternative?

Regards,
Seenu.

Re: Place for ipt_ACCOUNT/ipt_NETFLOW

[Grant Taylor]

On 02/07/11 00:54, Srinivasa T N wrote:
> This will double the number of rules a packet has to traverse (One rule
> for accounting and one rule for accept). Is there are other alternative?

I'd have to see an example of your rules to say for sure...

I'm using the counters of the number of packets / bytes that are matched 
by the rule for accounting.  I'm not adding any additional rules.

Further, you can engineer your rule structure so that the fewest rules / 
tests per rule are traverse by the largest number of packets.



Grant. . . .