RE: IP Acounting Idea for 2.5

Michael Clark (michael@metaparadigm.com)
Wed, 18 Apr 2001 21:49:51 +0800

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Eric S. Raymond: "Re: CML2 1.1.5, more comments"
Previous message: Frank Fiene: "zSeries"

> I repeat myself, fighting is apparently so pleasant that
> you are stuck on
> fighting over dead-end technology:
>
> I seriously suggest that for the primary (subject given) topic
> you are SERIOUSLY OFF TARGET. Look around, counting hits on
> some fw rules is waste of time! (And mightly inaccurate!)

I agree. We could all stop re-inventing the wheel and use a
RFC2724/RFC2722/RFC2720 compliant traffic meter such as NeTraMet -
which has already solved most of the mentioned problems - has a
flexible rule language for matching flows and managing counters -
support for multiple protocols; not just IP - a distributed
architecture - SNMP accessable meter and remote Manager and Controller
(NeMaC) which can concurrently read from multiiple meters (including
NetFlow meters).

> You absolutely don't want to do any sort of counting
> aggeration policy
> control within kernel ( = FW rules ). You want to
> collect accounting
> per flow, and send those data records to offline analysis.

Yes, the IP accounting effort could do well by creating a fastpath for
feeding packet headers (can't say I know how optimal libpcap is
currently on Linux) to a userspace meter (like NeTraMet) letting it
deal with all of the policy.

I remember the DOS version of NeTraMet performed much better than the
Linux version (some years ago) due to custom ethernet drivers (for
some cards) that only generate interupts when a ring buffer is full of
packet headers - maybe the same sort of infrastructure (some of the
Linux GigE drivers also avoid the interupt per packet performance hit)
could be added to Linux and integrated with libpcap and leave the rest
up to a userspace meter application.

I'm sure Neville (traffic metering god - Hi Neville) would be pleased
to have optimized support for NeTraMet in the Linux kernel.

> No more fighting of when to clear counters, and when not.
>
> Having used (with own custom analyzers) cisco netflow, I can say
> that any sort of "count hits on access-list elements" things are
> from stone-age:

NetFlow really sucks alot doesn't - I remeber having bad aliasing
problems (trying to generate 5min averages) due to its minumum flow
export interval of 1 minute. Is this still the case?

Michael Clark.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Eric S. Raymond: "Re: CML2 1.1.5, more comments"
Previous message: Frank Fiene: "zSeries"