R: How to count bytes for one chain?
Patrick Schaaf
bof@bof.de
Sat, 12 Jan 2002 10:52:03 +0100
> > > a) get the total bytes passed through that chain (it consists of more than 1 rule!)
> >
> > Add this:
> > iptables -I your_chain
> >
>
> OK, I did this:
You obviously didn't try my suggestion. You think I did not understand
your problem. That's fine with me, but let me rant for one paragraph:
Please have the courtesy to read and understand, this time. It took me
10 minutes to compose this mail. Take at least that much time to
read it, and TRY OUT what I suggest.
Thanks in advance. On with the show.
> my accounting chain is the first thing in every main chain:
> FORWARD INPUT and OUTPUT.
>
> My problem is to catch the byte count for my accounting chain, because this
> one doesn't show (like INPUT FORWARD and OUTPUT do) the total byte count
> when invoked with iptables -L -nv!!!
User-defined chains have no chain total counters. Also, the global counters
on INPUT, FORWARD, and OUTPUT only count those packets which are not handled
by rules in the chains - i.e. packets which hit the chain's default policy.
You mistook the shown count for a total, because your chains have no
terminating rules in them - thus each packet hits the standard chain default.
My command above gives you what you want: a count of the packets (and bytes)
handled by your_chain. If you apply it, you will find the total count
of packets passed to your_chain, by calling
iptables -L -n -v your_chain | head -3 | tail -1
What you probably don't understand is that EACH MATCHING RULE LINE counts,
independent of its target. There are targets like LOG, which don't terminate
the search. If you have
iptables -A FORWARD -m something -j LOG
iptables -A FORWARD -m something -j ACCEPT
and "-m something" applies, the counters on BOTH rules will increment.
My command above uses this fact: it has no match criteria (thus always
matches and counts), and no target (thus no action besides the counting).
Put in as the first rule (that's what -I does over -A), in any chain,
it will count each packet which enters the chain.
Thus, if I really understand what you want, your problem is solved.
Right? Please try it out.
> Actually I should be counting every single rule's bytes for getting the
> chain's total!!
That's not really accurate, because, as I said, each matching rule counts.
Thus, a count made by adding the individual counters has the possibility
to overcount. You'd have to prove that each rule terminates, to make such
a count correct.
To recapitulate:
> This is an output for my accounting chain:
>
> Chain accounting (3 references)
>  pkts bytes target prot opt in   out  source         destination
>  2260  219K        tcp  --  *    *    192.168.0.124  192.168.0.138  tcp dpt:8080
> 27145 1882K        all  --  *    eth1 192.168.0.124  0.0.0.0/0
> 29441   36M        all  --  eth1 *    0.0.0.0/0      192.168.0.124
>  2512 2503K        tcp  --  *    *    192.168.0.138  192.168.0.124  tcp spt:8080
>
> ... and this one is for a "standard" chain:
>
> Chain OUTPUT (policy ACCEPT 277K packets, 97M bytes)
>  pkts bytes target    prot opt in out source     destination
>  277K   97M acc_IN    all  --  *  *   0.0.0.0/0  0.0.0.0/0
>     0     0 LogScarta tcp  --  *  *   0.0.0.0/0  0.0.0.0/0  tcp dpts:137:139
>
> Do you see that the OUTPUT chain tells me also how many bytes have passed
> it??? And that "accounting" doesn't display that information???
The OUTPUT chain tells you that 277K packets have fallen off the
end of the OUTPUT chain, because no rule had a terminating target.
If you put in "iptables -A OUTPUT -j ACCEPT", you will no longer
see the global counter increment.
In your special case, you can guess the number from the counters on
the acc_IN line of the OUTPUT chain (btw, why _IN if it's the OUTPUT chain?
seems a misnomer...)
If the acc_IN chain is jumped to from OUTPUT and INPUT, you could add
the counters from all those calling sites, and have an accurate count.
Or you could just
iptables -I acc_IN
like I suggested, and use the single counter on that single new first
rule line of your acc_IN chain.
Got it?
best regards
Patrick
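A small parser for the listing format discussed in this thread, added here as an example and not part of the original post: it pulls the counters off the empty first rule that `iptables -I <chain>` inserts (line 3 of `iptables -L -n -v -x <chain>`, as the mail's `head -3 | tail -1` does) and compares them with the sum of the remaining per-rule counters to show the overcount that non-terminating rules produce. The chain name acc_chain and every number in SAMPLE are constructed; the functions read the listing from stdin so they can be checked offline.

```shell
#!/bin/sh
# Parse `iptables -L -n -v -x <chain>` output. With -x (--exact) the byte
# column has no K/M suffixes, so it can be summed. Line 1 is the chain
# header, line 2 the column titles, line 3 the first rule: the empty
# counting rule added with `iptables -I <chain>` (no match, no target).

# Packets seen by the chain = packet counter of the first rule.
chain_total_pkts() {
    awk 'NR == 3 { print $1 }'
}

# Bytes seen by the chain = byte counter of the first rule.
chain_total_bytes() {
    awk 'NR == 3 { print $2 }'
}

# Sum of the byte counters of every rule after the counting rule. Because
# each matching rule line counts regardless of its target, a packet that
# matches several non-terminating rules is counted several times, so this
# sum can exceed the real chain total.
sum_rule_bytes() {
    awk 'NR > 3 { s += $2 } END { print s + 0 }'
}

# Constructed listing (not real output): rule 1 is the counting rule; the
# rules after it have no target, so packets matching more than one of them
# are counted more than once.
SAMPLE='Chain acc_chain (3 references)
    pkts      bytes target     prot opt in     out     source          destination
   59098   42239149            all  --  *      *       0.0.0.0/0       0.0.0.0/0
    2260     224256            tcp  --  *      *       192.168.0.124   192.168.0.138   tcp dpt:8080
   27145    1927341            all  --  *      eth1    192.168.0.124   0.0.0.0/0
   29441   37748736            all  --  eth1   *       0.0.0.0/0       192.168.0.124
    2512    2563072            tcp  --  *      *       192.168.0.138   192.168.0.124   tcp spt:8080'

# Offline run against the constructed sample.
total=$(printf '%s\n' "$SAMPLE" | chain_total_bytes)
summed=$(printf '%s\n' "$SAMPLE" | sum_rule_bytes)
echo "chain total (first rule): $total bytes"
echo "sum of per-rule counters: $summed bytes (overcount: $((summed - total)))"

# On a live box with the counting rule in place:
#   iptables -L -n -v -x acc_chain | chain_total_bytes
```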