ipt_ACCOUNT
ipt_ACCOUNT is a high-performance local network accounting system written for the Linux netfilter/iptables system.
Details
ipt_ACCOUNT is designed to be queried for data every second, or at least every ten seconds. It is written as a kernel module so that it can handle high bandwidths without packet loss.
The largest possible subnet size is 24 host bits, i.e. a /8 network such as 10.0.0.0/8. Because of this fixed upper bound the module can use fixed internal data structures, which speeds up the per-packet processing. Accounting data for one complete /24 network (192.168.1.X) takes 4 kB of memory; for the larger 16- and 24-host-bit sizes (/16 and /8 networks) memory is only allocated when needed.
The data is queried using the userspace libipt_ACCOUNT library. There is no /proc interface, as it would be too slow for continuous access. The read-and-flush query operation is the fastest, because no internal snapshot of all the data has to be created and copied. Use the plain "read" operation without flush only for debugging purposes!
To optimize the kernel<->userspace data transfer a bit more, the kernel module only transfers information about IPs whose src or dst packet counters are non-zero. This saves precious kernel time.
Updates
2008-06-13: Version 1.13 of ipt_ACCOUNT released
- Support for iptables 1.4.0 and 1.4.1
- Ability to delete rules by rule definition
- iptables 1.3.x is no longer supported
2008-03-10: Version 1.12 of ipt_ACCOUNT released
- Support for kernel 2.6.24 by Pontus Lundkvist
- Fix two warnings for kernel 2.6.23
2008-02-29: Version 1.3 of libipt_ACCOUNT released
- GCC 4 compile fixes
Download
Download | Older versions
Installation
- Install the pom-ng-ipt_ACCOUNT archive in your patch-o-matic-ng directory
- Patch your kernel and userspace iptables tool: "./runme ACCOUNT"
- Recompile the kernel and iptables
- Unpack the libipt_ACCOUNT library archive
- Run autoreconf -f
- ./configure && make && make install
You can also build and install the provided .src.rpm.
Usage
The ACCOUNT target takes two parameters:
--addr is the subnet which is accounted for
--tname is the table name where the information is stored
The data can be queried later using the libipt_ACCOUNT userspace library or by the "iptaccount" tool which is part of the libipt_ACCOUNT package.
A special subnet is "0.0.0.0/0": all data, whatever its direction, is stored in the src_packets and src_bytes counters of slot 0, so a single entry holds the total. This is useful if you want to account the overall traffic to/from your Internet provider.
Here's an example:
iptables -A OUTPUT -j ACCOUNT --addr 0.0.0.0/0 --tname all_outgoing
iptables -A OUTPUT -j ACCOUNT --addr 192.168.1.0/24 --tname sales
This creates two tables called "all_outgoing" and "sales" which can be queried using the userspace library or the iptaccount tool.
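To make the table layout and read semantics from the Details section and the 0.0.0.0/0 special case above concrete, here is a userspace Python model of the accounting structure. It is an added example, not code from the ipt_ACCOUNT project or the libipt_ACCOUNT library: the class and method names, the 16-byte slot (four 32-bit counters, which gives the 4 kB per /24 quoted above) and the pointer-array shape of the /16 and /8 levels are assumptions made for illustration; the kernel module's real structures may differ.

```python
"""Userspace model of the ipt_ACCOUNT table layout (added example, not project
code). Names, the 16-byte slot (four 32-bit counters) and the pointer-array
shape of the /16 and /8 levels are assumptions matching the page's description."""
import ipaddress

COUNTERS = ("src_packets", "src_bytes", "dst_packets", "dst_bytes")
SLOT_BYTES = 16                    # four 32-bit counters per host (assumed)
TABLE_24_BYTES = 256 * SLOT_BYTES  # 4096 bytes per /24, the 4 kB on the page


def _new_24():
    """One fixed-size array of 256 host slots, indexed by the last octet."""
    return [[0, 0, 0, 0] for _ in range(256)]


def _bump(slot, offset, length):
    """Add one packet of `length` bytes to the src (0) or dst (2) counter pair."""
    slot[offset] += 1
    slot[offset + 1] += length


class AccountTable:
    def __init__(self, name, subnet):
        self.name = name                                       # --tname
        self.net = ipaddress.ip_network(subnet, strict=False)  # --addr
        if self.net.prefixlen not in (0, 8, 16, 24):
            raise ValueError("modelled sizes: /8, /16, /24 or 0.0.0.0/0")
        # depth = host octets walked to reach a slot; 0 is the catch-all
        self.depth = 0 if self.net.prefixlen == 0 else (32 - self.net.prefixlen) // 8
        # /24 and the catch-all get their 4 KiB array up front; /16 and /8
        # start as 256 empty pointers and allocate /24 arrays on first use.
        self.root = _new_24() if self.depth <= 1 else [None] * 256
        self.tables_24 = 1 if self.depth <= 1 else 0

    def allocated_bytes(self):
        """Memory held by /24 arrays (the small pointer levels are not counted)."""
        return self.tables_24 * TABLE_24_BYTES

    def _slot(self, ip):
        """Walk the host octets down to a slot, allocating /24 arrays on demand."""
        if self.depth == 0:
            return self.root[0]
        host = ip.packed[-self.depth:]
        level = self.root
        for i, octet in enumerate(host[:-1]):
            if level[octet] is None:
                if i == len(host) - 2:          # next level holds the slots
                    level[octet] = _new_24()
                    self.tables_24 += 1
                else:
                    level[octet] = [None] * 256
            level = level[octet]
        return level[host[-1]]

    def account(self, src, dst, length):
        """Count one packet the way the ACCOUNT target would; True if it matched."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if self.depth == 0:   # 0.0.0.0/0: everything into slot 0's src counters
            _bump(self.root[0], 0, length)
            return True
        hit = False
        if src in self.net:   # sent by an accounted host
            _bump(self._slot(src), 0, length)
            hit = True
        if dst in self.net:   # received by an accounted host
            _bump(self._slot(dst), 2, length)
            hit = True
        return hit

    def _walk(self):
        """Yield (ip, slot) for every allocated slot."""
        base = int(self.net.network_address)
        if self.depth == 0:
            yield "0.0.0.0", self.root[0]
            return
        def rec(level, prefix, d):
            for octet, child in enumerate(level):
                if child is None:
                    continue
                if d == 1:
                    yield str(ipaddress.ip_address(base | prefix | octet)), child
                else:
                    yield from rec(child, prefix | (octet << (8 * (d - 1))), d - 1)
        yield from rec(self.root, 0, self.depth)

    def read(self, flush=False):
        """{ip: counters} for hosts with a non-zero counter. read() leaves the
        counters alone (the kernel must copy a snapshot of the whole table for
        that); read(flush=True) zeroes the slots, so later calls return deltas."""
        out = {}
        for ip, slot in self._walk():
            if any(slot):
                out[ip] = dict(zip(COUNTERS, slot))
                if flush:
                    slot[:] = [0, 0, 0, 0]
        return out
```

Two things the model makes visible: a host that has not sent or received anything appears neither in read() nor in the kernel-to-userspace transfer, so an absent IP means zero rather than unknown; and read(flush=True) turns every following read into a delta since the previous one, which is why the page recommends polling with flush at a fixed interval.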
What can I do with the userspace "iptaccount" tool?
"iptaccount" is a reference implementation showing how to use the libipt_ACCOUNT library. It features the following command-line options:
[-u] show kernel handle usage
[-h] free all kernel handles (experts only!)
[-a] list all table names
[-l name] show table data
[-f] flush data after show
[-c] loop every second (abort with CTRL+C)
Here's the output of an iptaccount session:
ipt_ACCOUNT userspace accounting tool v1.0
Showing table: outgoing
Run #0 - 1 item found
IP: 0.0.0.0 SRC packets: 4 bytes: 1128 DST packets: 0 bytes: 0
Finished.
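The iptaccount output above is line-oriented and easy to post-process. The following Python parser is an added example, not part of the libipt_ACCOUNT package: it turns one or more runs of iptaccount -l output into per-host counters and derives bytes per second from consecutive runs. The sample text is constructed for the example; the single-run format follows the session shown above, while the layout of further runs under -c (repeated "Run #N" headers beneath one "Showing table" line) is an assumption.

```python
"""Parser for iptaccount -l output (added example, not part of libipt_ACCOUNT)."""
import re

IP_LINE = re.compile(
    r"^IP:\s+(\S+)\s+SRC packets:\s+(\d+)\s+bytes:\s+(\d+)"
    r"\s+DST packets:\s+(\d+)\s+bytes:\s+(\d+)\s*$"
)
RUN_LINE = re.compile(r"^Run #(\d+) - (\d+) items? found")
TABLE_LINE = re.compile(r"^Showing table:\s+(\S+)")
ZERO = {"src_packets": 0, "src_bytes": 0, "dst_packets": 0, "dst_bytes": 0}

# Constructed sample: run #0 follows the session shown on the page; the second
# run is what a looping `iptaccount -c -f -l sales` is assumed to print.
SAMPLE = """\
ipt_ACCOUNT userspace accounting tool v1.0
Showing table: sales
Run #0 - 2 items found
IP: 192.168.1.10 SRC packets: 4 bytes: 1128 DST packets: 0 bytes: 0
IP: 192.168.1.20 SRC packets: 10 bytes: 6000 DST packets: 12 bytes: 15000
Run #1 - 1 item found
IP: 192.168.1.10 SRC packets: 2 bytes: 400 DST packets: 3 bytes: 4500
Finished.
"""


def parse_iptaccount(text):
    """Return a list of runs: {"run": n, "table": name, "hosts": {ip: counters}}.

    Hosts missing from a run had all-zero counters: the kernel module only
    transfers IPs whose counters are non-zero, so absence means zero, not unknown.
    The "N items found" header is cross-checked against the IP lines parsed.
    """
    runs, table, current = [], None, None
    for line in text.splitlines():
        m = TABLE_LINE.match(line)
        if m:
            table = m.group(1)
            continue
        m = RUN_LINE.match(line)
        if m:
            current = {"run": int(m.group(1)), "table": table,
                       "expected": int(m.group(2)), "hosts": {}}
            runs.append(current)
            continue
        m = IP_LINE.match(line)
        if m:
            if current is None:
                raise ValueError("IP line before any Run header: " + line)
            sp, sb, dp, db = (int(x) for x in m.groups()[1:])
            current["hosts"][m.group(1)] = {"src_packets": sp, "src_bytes": sb,
                                            "dst_packets": dp, "dst_bytes": db}
        # the tool banner, "Finished." and anything else is ignored
    for r in runs:
        if len(r["hosts"]) != r["expected"]:
            raise ValueError("run %d: header says %d items, parsed %d"
                             % (r["run"], r["expected"], len(r["hosts"])))
    return runs


def byte_rates(runs, interval_s=1.0, flushed=True):
    """Bytes/second per host for every run after the first.

    flushed=True  : output of -f, each run is already a delta since the last flush.
    flushed=False : cumulative counters, differenced against the previous run;
                    a negative value means another reader flushed the table meanwhile.
    """
    out = []
    for prev, cur in zip(runs, runs[1:]):
        rates = {}
        for ip in sorted(set(prev["hosts"]) | set(cur["hosts"])):
            c = cur["hosts"].get(ip, ZERO)
            p = ZERO if flushed else prev["hosts"].get(ip, ZERO)
            rates[ip] = {"src_bps": (c["src_bytes"] - p["src_bytes"]) / interval_s,
                         "dst_bps": (c["dst_bytes"] - p["dst_bytes"]) / interval_s}
        out.append({"run": cur["run"], "rates": rates})
    return out


if __name__ == "__main__":
    for r in byte_rates(parse_iptaccount(SAMPLE)):
        print(r)
```

With -f each run is already a delta since the previous flush, so the rate is simply bytes divided by the polling interval, and a host that drops out of the listing has gone quiet (the kernel skips zero counters). Without -f the counters are cumulative and must be differenced; a negative result there means some other reader flushed the table between two of your reads, which is one reason to have only one consumer per table.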
Contact
If you have any problems using the library, feel free to ask us via email at:
