Hi Alex,

Inline:

On Wed, Sep 14, 2016 at 12:55:00PM +0300, Abi Askushi wrote:
> > > 1. Is there a pmacct plugin to get traffic flows from connection tracking
> > > system, like ulogd2 with NFCT plugin?
> >
> > Not being familiar with this, can you elaborate what it does? An example
> > would be much appreciated.
> >
>
> This is done using ulogd2 running with NFCT plugin. Then ulogd probes
> events from connection tracking system (events can be filtered: destroy,
> new, etc) and can print or store the flows in DB. The flows that can be
> fetched are like the output of command "conntrack -L". The pro of this
> approach is that you get the real source and destination when you have to
> deal with NATed traffic.
> A very nice example is at
> https://home.regit.org/2014/02/logging-connection-tracking-event-with-ulogd/.
> The negative side of this approach is how to handle long lasting sessions
> that are not fetched (at least I didn't figure out how to do that) in case
> the device is rebooted, resulting in lost accounting traffic.

I see, it may be something potentially interesting. Do you think this is
something you can contribute upon?

> > > 2. NFLOG + uacctd: is there any way to aggregate/filter collected packets
> > > with uacctd as received from NFLOG, according to the fwmark value set with
> > > MARK at iptables ? If no, is there any recommended alternate approach?
> >
> > No, as I suspect this MARK action does not really mark/stamp the packet
> > itself but mangles with an external header. But knowing more precisely
> > what this MARK does, we can certainly make it an item we can tag upon,
> > or more. Again, I'm not a master of ULOG/NFLOG and hence I'd need (your)
> > support.
> >
>
> As you said, the MARK is an association that is done from netfilter and it
> does not affect packet header.
> This means that I'm left with the option to alter packet header to be able
> to tag it.
> Can you recommend which packet header to alter to be able to tag?

I'd say the IP ToS field may be the most intuitive/easy one. Unfortunately
it is rather intrusive, i.e. you may be interested in the original ToS value.

Cheers,
Paolo
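
Added example, not part of the original thread and not pmacct or ulogd2 code: a small Python parser for entries in the layout printed by "conntrack -L", showing how the original-direction tuple keeps the pre-NAT source while the reply tuple exposes the translated address, and how bytes can be summed per source and mark. The sample lines are constructed; the function names, the presence of packets=/bytes= counters, and the assumption that the conntrack mark mirrors the iptables MARK value are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample in the layout printed by "conntrack -L". The packets=/bytes=
# counters are assumed present (conntrack accounting enabled). mark= is the
# conntrack mark; it matches the iptables MARK value only if the ruleset copies
# the packet mark to the connection (assumption of this example).
SAMPLE = """\
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=198.51.100.7 sport=51514 dport=443 packets=12 bytes=1840 src=198.51.100.7 dst=203.0.113.5 sport=443 dport=51514 packets=10 bytes=9200 [ASSURED] mark=1 use=1
udp      17 25 src=192.168.1.11 dst=198.51.100.53 sport=40000 dport=53 packets=1 bytes=72 src=198.51.100.53 dst=203.0.113.5 sport=53 dport=40000 packets=1 bytes=120 mark=2 use=1
tcp      6 100 TIME_WAIT src=192.168.1.10 dst=198.51.100.7 sport=51600 dport=443 packets=5 bytes=600 src=198.51.100.7 dst=203.0.113.5 sport=443 dport=51600 packets=4 bytes=3000 [ASSURED] mark=1 use=1
"""

KV = re.compile(r"(\w+)=(\S+)")
TUPLE_KEYS = {"src", "dst", "sport", "dport", "packets", "bytes"}


def parse_flow(line):
    """Split one entry into original-direction and reply-direction tuples."""
    orig, reply, extra = {}, {}, {}
    for key, value in KV.findall(line):
        if key in TUPLE_KEYS:
            # First occurrence belongs to the original direction, second to the reply.
            (reply if key in orig else orig)[key] = value
        else:
            extra[key] = value
    flow = {"proto": line.split()[0], "orig": orig, "reply": reply,
            "mark": int(extra.get("mark", 0))}
    # Replies are addressed to the translated source, so a mismatch reveals SNAT.
    nat = reply.get("dst")
    flow["snat"] = nat if nat != orig.get("src") else None
    return flow


def account(lines):
    """Sum bytes in both directions per (pre-NAT source, conntrack mark)."""
    totals = defaultdict(int)
    for line in lines:
        if not line.strip():
            continue
        f = parse_flow(line)
        # Entries without counters (accounting disabled) contribute zero bytes.
        size = int(f["orig"].get("bytes", 0)) + int(f["reply"].get("bytes", 0))
        totals[(f["orig"].get("src"), f["mark"])] += size
    return dict(totals)


if __name__ == "__main__":
    for (src, mark), size in sorted(account(SAMPLE.splitlines()).items()):
        print(f"{src} mark={mark} bytes={size}")
```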