Hi Dennis, On Mon, Oct 29, 2012 at 03:47:05PM +0100, Dennis Jacobfeuerborn wrote:
> Another way of putting it is that it would be nice to have a setting "if > the packet doesn't come from go to any of the local networks stop all > processing and ignore it". Clear, although a cross-check with the selected aggregation method is going to be required in order to validate the tuple is null. Currently a filter is in place only for tuples with zero counters, ie. bytes AND packets AND flows. What you are proposing could be a good complement to that, i'm noting that down on my todo list. > I don't have to deal with 90 networks but still a significant number. Also > the problem is that there is now a duplication of information as I have to > put all the networks both in the networks file and the aggregate filter and > keep them in sync. If filtering on source/destination, say, IP addresses, you can use two plugins: one for incoming traffic, the other for outgoing traffic: this avoids you the duplication of defining both [aggregate|pre_tag]_filter and networks_file. Consider two plugins can write to the same SQL table - if you are using a SQL plugin. If you want to use a single plugin, so you are forced into a - say - "src_host, dst_host" aggregation method then it does not make sense to go for a [aggregate|pre_tag]_filter. > I'm not sure if I understand how to use pre_tag_map or MAC filtering in my > use-case. Let's assume I have the uplink port to my ISP mirrored to my > monitoring system and I'm accounting on that interface and my local > networks are A, B, C and D. How can I only aggregate the in/out traffic for > IPs in these networks without resorting to aggregate_filter? Not without resorting to an aggregate_filter but using it to filter against the MAC layer instead. Let's say you can trust (or have control over) your device MAC address connected to the uplink port of your ISP - then you can use that to determine what is ingress or egress traffic without having to involve the IP layer (ie. your local networks). This is all suitable for a configuration with two plugins, ie.: .. plugins: X[a], X[b] .. ! aggregate_filter[a]: ether src host <..> aggregate[a]: src_host .. ! aggregate_filter[b]: ether dst host <..> aggregate[b]: dst_host .. Cheers, Paolo _______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
