Blame extensions/libxt_nfacct.man
|
Packit |
7b22a4 |
The nfacct match provides the extended accounting infrastructure for iptables.
|
|
Packit |
7b22a4 |
You have to use this match together with the standalone user-space utility
|
|
Packit |
7b22a4 |
.B nfacct(8)
|
|
Packit |
7b22a4 |
.PP
|
|
Packit |
7b22a4 |
The only option available for this match is the following:
|
|
Packit |
7b22a4 |
.TP
|
|
Packit |
7b22a4 |
\fB\-\-nfacct\-name\fP \fIname\fP
|
|
Packit |
7b22a4 |
This allows you to specify the existing object name that will be use for
|
|
Packit |
7b22a4 |
accounting the traffic that this rule-set is matching.
|
|
Packit |
7b22a4 |
.PP
|
|
Packit |
7b22a4 |
To use this extension, you have to create an accounting object:
|
|
Packit |
7b22a4 |
.IP
|
|
Packit |
7b22a4 |
nfacct add http\-traffic
|
|
Packit |
7b22a4 |
.PP
|
|
Packit |
7b22a4 |
Then, you have to attach it to the accounting object via iptables:
|
|
Packit |
7b22a4 |
.IP
|
|
Packit |
7b22a4 |
iptables \-I INPUT \-p tcp \-\-sport 80 \-m nfacct \-\-nfacct\-name http\-traffic
|
|
Packit |
7b22a4 |
.IP
|
|
Packit |
7b22a4 |
iptables \-I OUTPUT \-p tcp \-\-dport 80 \-m nfacct \-\-nfacct\-name http\-traffic
|
|
Packit |
7b22a4 |
.PP
|
|
Packit |
7b22a4 |
Then, you can check for the amount of traffic that the rules match:
|
|
Packit |
7b22a4 |
.IP
|
|
Packit |
7b22a4 |
nfacct get http\-traffic
|
|
Packit |
7b22a4 |
.IP
|
|
Packit |
7b22a4 |
{ pkts = 00000000000000000156, bytes = 00000000000000151786 } = http-traffic;
|
|
Packit |
7b22a4 |
.PP
|
|
Packit |
7b22a4 |
You can obtain
|
|
Packit |
7b22a4 |
.B nfacct(8)
|
|
Packit |
7b22a4 |
from http://www.netfilter.org or, alternatively, from the git.netfilter.org
|
|
Packit |
7b22a4 |
repository.
|