Counting elements of an ipset

Jozsef Kadlecsik kadlec at blackhole.kfki.hu
Fri Mar 10 21:34:32 CET 2006


Hi,

On Fri, 10 Mar 2006, Micah Anderson wrote:

> I'm using ipsets and it appears as if ipsets do not have counters for
> packet matching, you can only count packets that match an entire set.

That's true.

> Is there a way I can get iptables to tell me the packets of a particular
> IP in an ipset?

No, it is not possible. Accounting was not part of the design.

> I can create an ipmap ipset for each individual IP that I want to
> count, and then count each of those sets' packet counts, but do I gain
> anything by doing this (i.e. does using ipsets save me any memory or
> CPU in this scenario?)

No, you waste memory and CPU cycles.

However, you can use ULOG as a target and log the packets with it. Feeding
MySQL/Postgres with ulogd is easy and then you can create such accounting
info as you wish.

Best regards,
Jozsef
-
E-mail  : kadlec at blackhole.kfki.hu, kadlec at sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
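
Added example, not part of the original message: a sketch of the per-IP accounting the reply describes, computed from packets that a ULOG rule has logged into a database. It uses an in-memory SQLite table as a stand-in for MySQL/Postgres; the table name, the column names (modeled on ulogd's schema), the "acct" log prefix and the sample rows are assumptions constructed for illustration.

```python
import ipaddress
import sqlite3

# Constructed sample packets: (log prefix, source IP, destination IP, IP length).
# The "acct" prefix stands for whatever prefix the ULOG rule was given.
SAMPLE_PACKETS = [
    ("acct", "192.0.2.10", "198.51.100.1", 60),
    ("acct", "192.0.2.10", "198.51.100.1", 1500),
    ("acct", "192.0.2.11", "198.51.100.1", 40),
    ("other", "192.0.2.10", "198.51.100.2", 52),   # logged by a different rule
    ("acct", "192.0.2.11", "198.51.100.7", 576),
]


def load_packets(conn, packets):
    """Create a minimal packet table (assumed layout) and insert the rows."""
    conn.execute(
        "CREATE TABLE ulog (oob_prefix TEXT, ip_saddr INTEGER, "
        "ip_daddr INTEGER, ip_totlen INTEGER)"
    )
    conn.executemany(
        "INSERT INTO ulog VALUES (?, ?, ?, ?)",
        [(prefix, int(ipaddress.IPv4Address(src)),
          int(ipaddress.IPv4Address(dst)), length)
         for prefix, src, dst, length in packets],
    )


def per_ip_counters(conn, prefix):
    """Return {source IP: (packets, bytes)} for packets logged under prefix."""
    rows = conn.execute(
        "SELECT ip_saddr, COUNT(*), SUM(ip_totlen) FROM ulog "
        "WHERE oob_prefix = ? GROUP BY ip_saddr ORDER BY ip_saddr",
        (prefix,),
    )
    return {str(ipaddress.IPv4Address(ip)): (pkts, nbytes)
            for ip, pkts, nbytes in rows}


def account_sample():
    """Load the constructed sample and compute the per-IP counters."""
    conn = sqlite3.connect(":memory:")
    load_packets(conn, SAMPLE_PACKETS)
    return per_ip_counters(conn, "acct")


if __name__ == "__main__":
    for ip, (pkts, nbytes) in account_sample().items():
        print(f"{ip:15} packets={pkts} bytes={nbytes}")
```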


