On 07/08/2013 01:10 PM, Sylvain Afchain (Code Review) wrote:
> Sylvain Afchain has posted comments on this change.
> 
> Change subject: Add method to get iptables traffic counters
<snip>
> --
> To view, visit https://review.openstack.org/35624

Hi Sylvain,

Instead of trying to ask questions directly in the review itself (since it will 
mess up formatting) I'll just send this to you and the list since I had some 
questions on the traffic counter changes you've been doing.

First, thanks for working on this, it's definitely something I'm interested in, 
and I'm trying to review all your changes.

Second, do you have more than just the short description from the blueprint for 
what the iptables chains/rules will look like when created?  I'm still a little 
confused with this change (above) and how it's matching chains to get 
packet/byte statistics.  I'm thinking it can be done within a single chain so 
that you can do an 'iptables -L $chain' call to get just what you need, instead 
of parsing the entire table.

For example, I did something similar in Nova (out of tree), and it used a 
single chain per-VM, such that you could get its statistics with a single 
iptables call like:

(sorry if this wraps)
$ sudo iptables -t mangle -L nova-meter-output-91 -n -v -x [-Z]
Chain nova-meter-output-91 (1 references)
    pkts      bytes target     prot opt in     out     source               destination
  805210 247931149            all  --  *      *       0.0.0.0/0            0.0.0.0/0        /* inst-91 packets transmitted total */
   15510   964648             all  --  *      *       0.0.0.0/0            x.y.0.0/16
   21282  3075403             all  --  *      *       0.0.0.0/0            x.z.0.0/16
   [...]

None of the rules in the chain has a jump target, so they simply count 
packets/bytes as they pass through, and the chain is called from a single 
location based on IP address, so in iptables-save format it looks like this:

-A nova-meter-output -s $my_ip/32 -i bridge1 -j nova-meter-output-91 
-A nova-meter-output-91 -m comment --comment "inst-91 packets transmitted total"
-A nova-meter-output-91 -d x.y.0.0/16
-A nova-meter-output-91 -d x.z.0.0/16
[...]

Obviously with Neutron, and doing this at the router egress, things change, but 
I think it could still be done in a single OUTPUT chain in the filter table.

Thoughts?

-Brian

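Added example, not part of Brian's mail or of the Nova/Neutron code: a small parser for the `iptables -t mangle -L <chain> -n -v -x` output of a counter-only chain like the one above, keying each rule's packet/byte counts by its comment or destination. The sample output, the chain name and the counter values are constructed to mirror the mail; the empty target column of jump-less rules is what makes naive column splitting go wrong, so the parser handles both shapes.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of `iptables -t mangle -L <chain> -n -v -x` output, modelled on
# the per-VM counter chain described in the mail (hypothetical values).
SAMPLE_OUTPUT = """\
Chain nova-meter-output-91 (1 references)
    pkts      bytes target     prot opt in     out     source               destination
  805210 247931149            all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* inst-91 packets transmitted total */
   15510   964648            all  --  *      *       0.0.0.0/0            x.y.0.0/16
   21282  3075403            all  --  *      *       0.0.0.0/0            x.z.0.0/16
"""

COMMENT_RE = re.compile(r"/\*\s*(.*?)\s*\*/")
PROTOCOLS = {"all", "tcp", "udp", "udplite", "icmp", "icmpv6", "esp", "ah", "sctp"}

def parse_counters(output: str) -> List[Dict]:
    """Parse the rule lines of one chain into dicts with integer pkts/bytes."""
    rules = []
    for line in output.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("Chain ") or stripped.startswith("pkts"):
            continue  # chain header and column header carry no counters
        m = COMMENT_RE.search(line)
        comment: Optional[str] = m.group(1) if m else None
        fields = (line[: m.start()] if m else line).split()
        # Counter-only rules have an empty target column, so the third token is
        # already the protocol; a jump rule has its target name there instead.
        has_target = not (fields[2] in PROTOCOLS or fields[2].isdigit())
        target = fields[2] if has_target else None
        prot, opt, in_if, out_if, src, dst, *extra = fields[3:] if has_target else fields[2:]
        rules.append({
            "pkts": int(fields[0]), "bytes": int(fields[1]), "target": target,
            "prot": prot, "in": in_if, "out": out_if, "src": src, "dst": dst,
            "match": " ".join(extra), "comment": comment,
        })
    return rules

def counters_by_key(rules: List[Dict]) -> Dict[str, Tuple[int, int]]:
    """Map each rule to (pkts, bytes), keyed by its comment or else by destination."""
    return {(r["comment"] or r["dst"]): (r["pkts"], r["bytes"]) for r in rules}

def counter_command(chain: str, table: str = "mangle", reset: bool = False) -> List[str]:
    """argv for reading one chain; -Z zeroes the counters in the same call."""
    argv = ["iptables", "-t", table, "-L", chain, "-n", "-v", "-x"]
    return argv + ["-Z"] if reset else argv

if __name__ == "__main__":
    for key, (pkts, nbytes) in counters_by_key(parse_counters(SAMPLE_OUTPUT)).items():
        print(f"{key:40s} {pkts:>10d} pkts {nbytes:>12d} bytes")
```

Reading with `reset=True` combines the read and the zeroing in one iptables call, so no packets counted between two separate invocations are lost.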
_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
