Linux-2.6.32 Kernel Compile traffic counter NFACCT

Source: Internet
Author: User

Transplant the Linux-3.17 function to the Linux-0.01!

My time is in my control, this is my greatest wealth! More than 9 in the morning to the company, until work, this period of time paid run over, I will not estimate their own things, home from work until the family to sleep, this period of time paid run over, I will not take into account their own things, after that is the shortness of breath of the night, my wish engraved in God's throat, Hope to calmly face the fear by overthrowing the wall of denial that is the collateral of the human nature around us (this is described as Death metal)!

All right! Masochism begins! And look and Cherish:

As early as xtables-addons-1.46 (I did not personally test earlier versions, so I cannot speak for them), Netfilter has had an ACCOUNT module that plugs into the iptables framework to support traffic accounting. It is used as follows:

iptables -A XXX (any matches) -j ACCOUNT --addr 0.0.0.0/0 --tname $acctname

Its effect is that all traffic matching (any matches) is counted into the $acctname counter. You can then run:

iptaccount -l $acctname

to display the traffic information. But it has a drawback: ACCOUNT exists as an iptables target, so an iptables rule that does traffic accounting can no longer do anything else. Sometimes you want the accounting to be an "extra" action, such as recording at the same time as a DROP, or logging at the same time as NAT. It is better to have the accounting as a match, because a rule can have more than one match! In addition, ipset-6.23 also supports traffic counters, but this article does not talk about that. This article is about nfacct.

nfacct is a Netfilter project. I have to be angry again! Netfilter has a lot of bleak projects; nfacct is not really one of the sad ones, but at least it is not usable on Linux 2.6.32. The reason is that the nfacct project has no built-in kernel module: Netfilter is now only responsible for the user-space part, and for the kernel part we have to wait for support in the mainline Linux kernel tree. I checked, and found that kernel support for nfacct was added in version 3.3 and later. As for the nfacct user-space code, the routine configure/make install compiles and installs it directly, giving the illusion that it is usable, but when you test with nfacct add test, you get an error: Wrong parameters!

2.6.32 has no nfacct kernel support, hence the netlink error. The next thing to do is to port the nfnetlink_acct kernel module from version 3.3 to the 2.6.32 kernel. I chose version 3.3 because it is the nfacct-capable kernel closest to 2.6.32; the kernel API may have changed, but at least the porting effort is minimized.

Before I start, here is the directory tree of my build environment:

|--iptables-1.4.21.tar.bz2
|--kernel
|   |--net
|   |   `--netfilter
|   |       |--Makefile
|   |       |--nfnetlink_acct.c
|   |       |--nfnetlinkacct.h
|   |       |--nfnetlink.c
|   |       |--nfnetlink.h
|   |       |--xt_nfacct.c
|   |       `--xt_nfacct.h
|   `--README
|--libnetfilter_acct-1.0.2.tar.bz2
`--nfacct-1.0.1.tar.bz2

iptables-1.4.21.tar.bz2 is currently the latest iptables version and can be compiled and installed directly on 2.6.32. nfacct-1.0.1.tar.bz2 is the user-space part of nfacct and depends on libnetfilter_acct-1.0.2.tar.bz2; both compile and install successfully. The rest is the kernel-side work, placed in my new kernel directory, where the files come from the Linux 3.3 kernel:

nfnetlink_acct.c: cp $3.3/net/netfilter/nfnetlink_acct.c net/netfilter/nfnetlink_acct.c

The places where this file needs to be modified are:

1. Change the absolute include path of nfnetlink.h to a relative path, i.e. the copy in this directory.

2. Change the absolute include path of nfnetlink_acct.h to a relative path, i.e. nfnetlinkacct.h in this directory.

3. Change kfree_rcu to kfree, or redefine kfree_rcu.
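
Step 3 offers two options, and they differ: kfree() releases the object immediately, while kfree_rcu() waits for an RCU grace period so that readers still walking the accounting list never touch freed memory. The block below is an added example (not from the original article or the kernel tree) of the second option, redefining kfree_rcu on top of call_rcu(); the userspace RCU model, the trimmed struct nf_acct and the names nf_acct_free_rcu, grace_period_elapsed and delete_and_count are assumptions made so that it runs stand-alone.

```c
#include <stddef.h>
#include <stdlib.h>
/* Userspace model, constructed for this example; the kernel provides the real ones. */
struct rcu_head {
	struct rcu_head *next;
	void (*func)(struct rcu_head *head);
};
#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))
static struct rcu_head *pending;	/* callbacks awaiting a grace period */
static int objects_freed;
static void kfree(void *p) { free(p); objects_freed++; }
static void call_rcu(struct rcu_head *head, void (*func)(struct rcu_head *))
{
	head->func = func;
	head->next = pending;
	pending = head;
}
/* Model of a grace period ending: all earlier readers have finished. */
static void grace_period_elapsed(void)
{
	while (pending) {
		struct rcu_head *head = pending;
		pending = head->next;
		head->func(head);
	}
}
/* The shim; in nfnetlink_acct.c it goes after the real struct nf_acct. */
struct nf_acct {		/* trimmed stand-in; rcu_head field name assumed */
	char name[32];
	struct rcu_head rcu_head;
};
static void nf_acct_free_rcu(struct rcu_head *head)	/* hypothetical name */
{
	kfree(container_of(head, struct nf_acct, rcu_head));
}
#define kfree_rcu(ptr, field) call_rcu(&(ptr)->field, nf_acct_free_rcu)

/* Frees one object; returns (freed before grace period) * 10 + (freed after). */
static int delete_and_count(void)
{
	struct nf_acct *acct = calloc(1, sizeof(*acct));
	int start = objects_freed, before;
	if (!acct) return -1;
	kfree_rcu(acct, rcu_head);
	before = objects_freed - start;	/* 0: a reader may still hold acct */
	grace_period_elapsed();
	return before * 10 + (objects_freed - start);
}
```

Because the callback lives in module text, the module's exit function should call rcu_barrier() before returning so that no queued callback runs after the module is unloaded.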

nfnetlinkacct.h: cp $3.3/include/linux/netfilter/nfnetlink_acct.h net/netfilter/nfnetlinkacct.h

nfnetlink.c: cp /lib/modules/`uname -r`/build/net/netfilter/nfnetlink.c net/netfilter/nfnetlink.c

The places where this file needs to be modified are:

1. Change the absolute include path of nfnetlink.h to a relative path, i.e. the copy in this directory.

nfnetlink.h: cp /lib/modules/`uname -r`/build/include/linux/netfilter/nfnetlink.h net/netfilter/nfnetlink.h

The places where this file needs to be modified are:

1. Define the new NetLink subsystem:

#define NFNL_SUBSYS_IPSET 6

#define NFNL_SUBSYS_ACCT 7

#define NFNL_SUBSYS_COUNT 8

Note that the purpose of copying this file into the build directory is to avoid touching the system header files. Because the nfnetlink module has to be recompiled, I moved nfnetlink.c over as well; both are 2.6.32 kernel files.

xt_nfacct.c: cp $3.3/net/netfilter/xt_nfacct.c net/netfilter/xt_nfacct.c

The places where this file needs to be modified are:

1. Define xt_action_param:

#define xt_action_param xt_match_param

This is because in 2.6.32 match and target are separate at the interface level, unlike the 3.x kernel, which wraps them as a union in the xt_action_param structure.

2. Change the return value of checkentry:

/* Pay attention! The checkentry return value ported from 3.x is int: 0 for success, non-zero for failure,
 * but the corresponding return value in 2.6.32 is bool: 0 (false) for failure, non-zero (true) for success.
 * The two API conventions are exactly opposite, and getting them reversed causes a panic :(
 */
static bool
nfacct_mt_checkentry(const struct xt_mtchk_param *par)
{
	struct xt_nfacct_match_info *info = par->matchinfo;
	struct nf_acct *nfacct;

	/* Look up the accounting object by name and take a reference on it. */
	nfacct = nfnl_acct_find_get(info->name);
	if (nfacct == NULL) {
		pr_info("xt_nfacct: accounting object with name '%s' "
			"does not exists\n", info->name);
		return false;	/* 2.6.32 convention: false means failure */
	}
	info->nfacct = nfacct;
	return true;		/* 2.6.32 convention: true means success */
}

xt_nfacct.h: cp $3.3/include/linux/netfilter/xt_nfacct.h net/netfilter/xt_nfacct.h

At this point the porting is complete, and the contents of the Makefile are:

obj-m += nfnetlink_acct.o
obj-m += nfnetlink.o
obj-m += xt_nfacct.o

Enter the net/netfilter directory and compile with the following command:

make -C /lib/modules/`uname -r`/build SUBDIRS=`pwd` modules

Then load nfnetlink.ko, nfnetlink_acct.ko and xt_nfacct.ko in turn, execute the nfacct command again and try it:

nfacct add test
iptables -A INPUT -s 192.168.0.0/24 -m nfacct --nfacct-name test -j ACCEPT

Pause for a moment, keep the network traffic flowing, then check the traffic counter:

nfacct get test
{ pkts = 00000000000000188016, bytes = 00000000000250825515 } = AA;

It works! Of course, you can also output the result in XML format or, if necessary, reset the counter to 0.

This article is from: Linux technology Network
This article link: http://www.ahlinux.com/start/kernel/9447.html
