The ACCOUNT target is a high performance accounting system for large
local networks. It allows per-IP accounting in whole prefixes of IPv4
addresses with size of up to /8 without the need to add an individual
accounting rule for each IP address.

ACCOUNT is designed to be queried for data every second or at
least every ten seconds. It is written as a kernel module to handle high
bandwidths without packet loss.

The largest possible subnet size is 24 bit, meaning for example a 10.0.0.0/8
network. ACCOUNT uses fixed internal data structures,
which speeds up the processing of each packet. Furthermore,
accounting data for one complete 192.168.1.X/24 network takes 4 KB of
memory. Memory for 16 or 24 bit networks is only allocated when

To optimize the kernel<->userspace data transfer a bit more, the
kernel module only transfers information about IPs whose src or dst
packet counter is not 0. This saves precious kernel time.

There is no /proc interface as it would be too slow for continuous access.
The read-and-flush query operation is the fastest, as no internal data
snapshot needs to be created and copied for all data. Use the "read"
operation without flush only for debugging purposes!

ACCOUNT takes two mandatory parameters:

\fB\-\-addr\fP \fInetwork\fP\fB/\fP\fInetmask\fP
where \fInetwork\fP\fB/\fP\fInetmask\fP is the subnet to account for, in CIDR syntax

\fB\-\-tname\fP \fINAME\fP
where \fINAME\fP is the name of the table where the accounting information

The subnet 0.0.0.0/0 is a special case: all data are then stored in the src_bytes
and src_packets structure of slot "0". This is useful if you want
to account the overall traffic to/from your internet provider.
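As an added illustration of the accounting model described above (fixed per-address slots, the 4 KB figure for a /24, the 0.0.0.0/0 special case that puts everything into the src counters of slot 0, and read-and-flush transferring only entries whose packet counters are non-zero), here is a small C model written for this page. It is not code from the xtables-addons module: the structure layout, the function names and the restriction to a /24 table plus the /0 case are assumptions of this example.

```c
#include <stdint.h>
#include <string.h>
/* One slot per IP: four 32-bit counters (16 bytes), so a /24 of 256 slots takes
 * 4 KB as the man page states. Layout is an assumption, not the module's own. */
struct acc_ip { uint32_t src_packets, src_bytes, dst_packets, dst_bytes; };

struct acc_table {
    uint32_t net, mask;      /* host byte order; mask 0 models --addr 0.0.0.0/0 */
    struct acc_ip ip[256];   /* fixed /24 table; a /0 table uses slot 0 only */
};
/* Set up a table for a /24 (mask 0xffffff00) or for 0.0.0.0/0 (mask 0). */
void acc_init(struct acc_table *t, uint32_t net, uint32_t mask)
{
    memset(t, 0, sizeof *t);
    t->net = net & mask;
    t->mask = mask;
}

static void bump(uint32_t *pkts, uint32_t *bytes, uint32_t len) { (*pkts)++; *bytes += len; }

/* Account one packet: a source inside the subnet updates its slot's src counters,
 * a destination inside it the dst counters; for 0.0.0.0/0 all traffic goes to slot 0. */
void acc_packet(struct acc_table *t, uint32_t src, uint32_t dst, uint32_t len)
{
    if (t->mask == 0) {
        bump(&t->ip[0].src_packets, &t->ip[0].src_bytes, len);
        return;
    }
    if ((src & t->mask) == t->net)
        bump(&t->ip[src & 0xff].src_packets, &t->ip[src & 0xff].src_bytes, len);
    if ((dst & t->mask) == t->net)
        bump(&t->ip[dst & 0xff].dst_packets, &t->ip[dst & 0xff].dst_bytes, len);
}

/* Read-and-flush: copy only slots whose src or dst packet counter is non-zero
 * into out[] (host octet in hosts[], both sized 256), zero each copied slot,
 * and return how many entries were transferred. */
int acc_read_flush(struct acc_table *t, uint8_t *hosts, struct acc_ip *out)
{
    int n = 0;
    for (int i = 0; i < 256; i++) {
        if (t->ip[i].src_packets == 0 && t->ip[i].dst_packets == 0)
            continue;
        hosts[n] = (uint8_t)i;
        out[n++] = t->ip[i];
        memset(&t->ip[i], 0, sizeof t->ip[i]);
    }
    return n;
}
```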

The data can be queried using the userspace libxt_ACCOUNT_cl library,
and by the \fBiptaccount\fP(8) tool, the reference implementation that shows
how to use this library, which offers the following options:

[\fB\-u\fP] show kernel handle usage

[\fB\-h\fP] free all kernel handles (experts only!)

[\fB\-a\fP] list all table names

[\fB\-l\fP \fIname\fP] show data in table \fIname\fP

[\fB\-f\fP] flush data after showing

[\fB\-c\fP] loop every second (abort with CTRL+C)

Here is an example of use:

iptables \-A FORWARD \-j ACCOUNT \-\-addr 0.0.0.0/0 \-\-tname all_outgoing
iptables \-A FORWARD \-j ACCOUNT \-\-addr 192.168.1.0/24 \-\-tname sales

This creates two tables called "all_outgoing" and "sales" which can be
queried using the userspace library/iptaccount tool.

Note that this target is non-terminating \(em a packet that reaches it
will continue traversing the chain in which the target has been used.

Also note that once a table has been defined for a specific CIDR address/netmask
block, it can be referenced multiple times using \-j ACCOUNT, provided
that both the original table name and address/netmask block are specified.

For more information go to http://www.intra2net.com/en/developer/ipt_ACCOUNT/