[pmacct-discussion] pmacct and iptables' mark

Paolo Lucente

2007-08-10 15:11:33 UTC

Hi Alexander,

i'm not familiar with iptables, so i'll just line up some thoughts
- hoping they could apply. In case iptables marks packets using the
standard IP ToS field, it's pretty straightforward to intercept such
traffic - by any 3rd party application, not only pmacct.

If the above holds and you need to aggregate (not filter) the marked
traffic, it's as easy as instructing pmacct to do so:

aggregate[city]: tos

If, instead, you need to filter such traffic but intend to aggregate
it in some other way, then, you will need to resort to the libpcap-
style filter encoded in the aggregate_filter directive:

aggregate_filter: 'ip[1] & 0x10 != 0'

the above, for example, will select only IP packets with a value of
0x10 in the IP ToS field. Be careful, as you might need to escape
some characters or remove the '' to make it working properly in the
configuration file.

If iptables doesn't make use the IP ToS field then intercepting the
tags grossly depends on how and where they are encoded. In such a
case, feel free to point at some documentation that briefly explains.

Hope it helps.

Cheers,
Paolo

Post by ÐÐ»ÐµÐºÑÐ°Ð½Ð´Ñ Ð. ÐÐµÑÐ½ÑÐ¹
iptables -t mangle -A FORWARD -s 91.196.76.32/27 -j MARK --set-mark 5
...and also some amount of mark rules.
But I didn't find any information about libpcap/tcpdump expression for
iptables' marks. There is some BSD's pf marks but I'm running Linux.
aggregate_filter[city]: dst net 192.168.2.0/24 and src net
(195.158.8.32/30 or 195.158.5.4/30 or ... [also very lot of nets] ...
or 89.146.64.0/18)
--
Alexander Merniy