Editing Traffic accounting with iptables



The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then save the changes below to finish undoing the edit.
Latest revision Your text
Line 1: Line 1:
Suppose you need to know how much traffic your [[container]]s eat. It can be easily done
+
Suppose you need to know how much traffic your [[VE]]s eat. It can be easily done
 
using iptables.
 
using iptables.
  
 
== Situation description ==
 
== Situation description ==
Let's consider the very simple situation: one container with one IP address on the [[Hardware Node]]
+
Let's consider the very simple situation: one VE with one IP address on the [[Hardware Node]]
with only one network interface. To be more exact, assume that [[container]] ID is <tt>200</tt>, the IP address of the [[HN]]
+
with only one network interface. To be more exact, assume that [[VE]] ID is <tt>200</tt>, the IP address of the [[HN]]
is <tt>192.168.0.56</tt>, the network interface name is <tt>eth0</tt>, and the IP address of the [[container]] is <tt>192.168.0.117</tt>.
+
is <tt>192.168.0.56</tt>, the network interface name is <tt>eth0</tt>, and the IP address of the [[VE]] is <tt>192.168.0.117</tt>.
  
You wish to know how many bytes container 200 eats. One more assumption is that there are no iptables rules
+
You wish to know how much bytes VE 200 eats. One more assumption is that there are no iptables rules
 
on HN now. All these assumption are only for clarity!
 
on HN now. All these assumption are only for clarity!
  
 
== Solution ==
 
== Solution ==
Almost any traffic that goes to and from a container can be catched by FORWARD chain of iptables module in [[container0]],
+
Almost any traffic that goes to and from a VE can be catched by FORWARD chain of iptables module in [[VE0]],
 
thus we add such rules:
 
thus we add such rules:
 
<pre>
 
<pre>
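Review bot: the undo text swaps the current "container"/"container0" wording back to "VE"/"VE0" throughout this hunk and reintroduces the grammar error "how much bytes" for "how many bytes" (`You wish to know how many bytes container 200 eats.`). The terminology is a style point, but the grammar regression should not be restored; keep the latest-revision wording.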
Line 18: Line 18:
 
</pre>
 
</pre>
 
It means that all traffic forwarded to IP 192.168.0.117 and from IP 192.168.0.117 will be accounted.
 
It means that all traffic forwarded to IP 192.168.0.117 and from IP 192.168.0.117 will be accounted.
To obtain current traffic usage of container you can issue the command:
+
To obtain current traffic usage of VE you can issue the command:
 
<pre>
 
<pre>
 
# iptables -nv -L FORWARD
 
# iptables -nv -L FORWARD
Line 26: Line 26:
 
   15  1052            all  --  *      *      0.0.0.0/0            192.168.0.117
 
   15  1052            all  --  *      *      0.0.0.0/0            192.168.0.117
 
</pre>
 
</pre>
'''Bytes''' column is the column we need. It's worth saying, that restarting a container doesn't affect accounting,
+
'''Bytes''' column is the column we need. It's worth to say, that restarting a VE doesn't affect accounting,
 
it remains right. But if you restart your [[hardware node]], all the rules and consequently statistics are dropped.
 
it remains right. But if you restart your [[hardware node]], all the rules and consequently statistics are dropped.
 
So it is recommended to
 
So it is recommended to
Line 32: Line 32:
 
* add init script that creates iptables rules on [[HN]] start.
 
* add init script that creates iptables rules on [[HN]] start.
  
If you want to process the results with a script it is useful to use the "-x" or "--exact" option of iptables
+
As is easy to see, it's not per-VE statistic, but rather per-IP statistic. Thus you must be careful
<pre>
+
then changing VE IP addresses, otherwise you'll get mess of results.
# iptables -nvx -L FORWARD
 
</pre>
 
You will get the exact value of the packet and byte counters, instead of only the rounded number in K’s (multiples of 1000) M’s (multiples of 1000K) or G’s (multiples  of  1000M).
 
 
 
As is easy to see, it's not per-container statistic, but rather per-IP statistic. Thus you must be careful
 
then changing container IP addresses, otherwise you'll get mess of results.
 
  
By saying ''almost any traffic'' I mean that traffic between a [[container]] and [[container0]] is not accounted by rules above.
+
By saying ''almost any traffic'' I mean that traffic between a [[VE]] and [[VE0]] is not accounted by rules above.
 
Not sure if it can be useful for anybody, but to account such traffic these rules are needed:
 
Not sure if it can be useful for anybody, but to account such traffic these rules are needed:
 
<pre>
 
<pre>
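Review bot: the undo removes the paragraph and example that document the `-x`/`--exact` option (`If you want to process the results with a script it is useful to use the "-x" or "--exact" option of iptables` and `# iptables -nvx -L FORWARD`), leaving only the statement that `-nv` prints rounded K/M/G values. Since the vz-generate-traffic-log script later on this page feeds the byte column into `awk '{sum+=$1}'`, that paragraph is what tells a reader why counters must be read with `-x`; keep it. Moving the per-IP-statistic caveat is fine either way.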
Line 50: Line 44:
 
To observe results:
 
To observe results:
 
<pre>
 
<pre>
# iptables -nvx -L INPUT
+
# iptables -nv -L INPUT
 
Chain INPUT (policy ACCEPT 542 packets, 63745 bytes)
 
Chain INPUT (policy ACCEPT 542 packets, 63745 bytes)
 
  pkts bytes target    prot opt in    out    source              destination
 
  pkts bytes target    prot opt in    out    source              destination
 
   35  4533            all  --  venet0 *      0.0.0.0/0            192.168.0.117
 
   35  4533            all  --  venet0 *      0.0.0.0/0            192.168.0.117
# iptables -nvx -L OUTPUT
+
# iptables -nv -L OUTPUT
 
Chain OUTPUT (policy ACCEPT 247 packets, 27847 bytes)
 
Chain OUTPUT (policy ACCEPT 247 packets, 27847 bytes)
 
  pkts bytes target    prot opt in    out    source              destination
 
  pkts bytes target    prot opt in    out    source              destination
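Review bot: both listing commands in this hunk lose `-x` (`# iptables -nvx -L INPUT` becomes `# iptables -nv -L INPUT`, likewise for OUTPUT). The sample output shown in both versions (`35  4533`) is exact, but the page itself explains that `-nv` rounds larger counters to K/M/G, and the scripting section parses these listings; keep `-nvx` so the examples match what a script would read.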
Line 63: Line 57:
 
# iptables -Z
 
# iptables -Z
 
</pre>
 
</pre>
The disadvantage is that by doingit this way you zero all counters in all rules. If it is not what you need,
+
The disadvantage is that doing this way you zero all counters in all rules. If it is not what you need,
 
you can just replace the rule with the same rule:
 
you can just replace the rule with the same rule:
 
<pre>
 
<pre>
# iptables -nvx -L FORWARD
+
# iptables -nv -L FORWARD
 
Chain FORWARD (policy ACCEPT 101 packets, 10715 bytes)
 
Chain FORWARD (policy ACCEPT 101 packets, 10715 bytes)
 
  pkts bytes target    prot opt in    out    source              destination
 
  pkts bytes target    prot opt in    out    source              destination
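Review bot: the current revision's `The disadvantage is that by doingit this way you zero all counters in all rules.` contains a typo (`doingit`), and the undo text's `doing this way` is ungrammatical as well; suggest `by doing it this way`. The `-nvx` to `-nv` change in `# iptables -nv -L FORWARD` is the same rounding regression as in the earlier hunks.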
Line 72: Line 66:
 
   57  5564            all  --  *      *      0.0.0.0/0            192.168.0.117
 
   57  5564            all  --  *      *      0.0.0.0/0            192.168.0.117
 
# iptables -R FORWARD 1 -s 192.168.0.117
 
# iptables -R FORWARD 1 -s 192.168.0.117
# iptables -nvx -L FORWARD
+
# iptables -nv -L FORWARD
 
Chain FORWARD (policy ACCEPT 101 packets, 10715 bytes)
 
Chain FORWARD (policy ACCEPT 101 packets, 10715 bytes)
 
  pkts bytes target    prot opt in    out    source              destination
 
  pkts bytes target    prot opt in    out    source              destination
Line 83: Line 77:
 
more complicated situations.
 
more complicated situations.
  
; More than one container on the node
+
; More than one VE on the node
: Just add the rules like above for each container IP.
+
: Just add the rules like above for each VE IP.
  
; More than one IP per container.
+
; More than one IP per VE.
: For each IP add the rules like above. When counting the complete traffic of a container you have to summarize over all IPs that this container owns.
+
: For each IP add the rules like above. When counting the complete traffic of a VE you have to summarize over all IPs that this VE owns.
  
 
; More interfaces on the HN.
 
; More interfaces on the HN.
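Review bot: `# iptables -R FORWARD 1 -s 192.168.0.117` resets the counter by replacing the rule at position 1, which only works while the accounting rule really is the first rule in FORWARD; on a node that already has other rules, or once rules are added for further containers as the `; More than one container on the node` item suggests, the position has to be looked up first (`iptables -nvx -L FORWARD --line-numbers`), and the rule matching destination `192.168.0.117` shown in the listing needs its own `-R`. A one-line caveat next to the command would stop readers from zeroing the wrong rule.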
Line 95: Line 89:
 
Here are some scripting ideas
 
Here are some scripting ideas
  
=== Get CTIDs of all running containers ===
+
=== Get VEIDs of all running VEs ===
 
<pre>
 
<pre>
 
host2:~/bin# cat vz-all-running
 
host2:~/bin# cat vz-all-running
Line 101: Line 95:
 
</pre>
 
</pre>
  
=== Get all IPs of running containers ===
+
=== Get all IPs of running VEs ===
 
<pre>
 
<pre>
 
host2:~/bin# cat vz-all-running-ip
 
host2:~/bin# cat vz-all-running-ip
Line 116: Line 110:
 
=== Generate a traffic.log ===
 
=== Generate a traffic.log ===
 
Please use crontab to run this script once per hour or day to collect your traffic statistics.
 
Please use crontab to run this script once per hour or day to collect your traffic statistics.
 
(Warning, the counters can overflow if there is too much traffic within that period. Would recommend 15 minute intervals if you expect a lot of traffic)
 
 
<pre>
 
<pre>
 
host2:~/bin# cat vz-generate-traffic-log
 
host2:~/bin# cat vz-generate-traffic-log
Line 125: Line 117:
 
   echo -n `date "+%Y-%m-%d %H:%M:%S"` >> $trafficlog
 
   echo -n `date "+%Y-%m-%d %H:%M:%S"` >> $trafficlog
 
   echo -n " $i " >> $trafficlog
 
   echo -n " $i " >> $trafficlog
   echo `iptables -nvx -L FORWARD | grep " $i " | tr -s [:blank:] |cut -d' ' -f3| awk '{sum+=$1} END {print sum;}'` >> $trafficlog
+
   echo `iptables -nv -L FORWARD | grep $i | tr -s [:blank:] |cut -d' ' -f3| awk '{sum+=$1} END {print sum;}'` >> $trafficlog
 
  done
 
  done
 
  # reset the counter
 
  # reset the counter
 
  iptables -Z
 
  iptables -Z
  # update the iptables rules if there is a any change in containers
+
  # update the iptables rules if there is a any change in VEs
 
  ./vz-iptables-create-rules
 
  ./vz-iptables-create-rules
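Review bot: the two reverts in the `echo` line of vz-generate-traffic-log break the accounting. `grep " $i "` becoming `grep $i` matches the IP as an unanchored regular expression, so `192.168.0.11` also matches the `192.168.0.117` line (and each `.` matches any character), and another container's bytes are added into the sum; the surrounding spaces in the current revision make the match whole-field. `-nvx` becoming `-nv` hands `awk '{sum+=$1}'` the rounded `K`/`M`/`G` strings instead of exact byte counts, so logged totals are wrong as soon as a counter grows. Keep the latest-revision line. Separately, the `iptables -Z` after the loop zeroes every counter, so traffic seen between the listing and the reset is not logged; that is inherent to the design and worth a comment in the script.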
  
Line 147: Line 139:
 
  # start a php script to store the traffic in a MySQL Database on the HOST-TO-SHOW-THE-TRAFFIC-TO-THE-USERS
 
  # start a php script to store the traffic in a MySQL Database on the HOST-TO-SHOW-THE-TRAFFIC-TO-THE-USERS
 
  # please mind to use .htaccess to secure this  
 
  # please mind to use .htaccess to secure this  
  wget -q http://HOST-TO-SHOW-THE-TRAFFIC-TO-THE-USERS/traffic-read.php?HN=$HOSTNAME -O /dev/null
+
  wget -q http://HOST-TO-SHOW-THE-TRAFFIC-TO-THE-USERS/login/traffic-read.php?HN=$HOSTNAME -O /dev/null
 
</pre>
 
</pre>
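Review bot: the trigger line `wget -q http://HOST-TO-SHOW-THE-TRAFFIC-TO-THE-USERS/traffic-read.php?HN=$HOSTNAME -O /dev/null` fetches over plain http with no credentials, while the comment above it says `please mind to use .htaccess to secure this`; if the PHP endpoint is protected that way, the wget call needs the matching credentials (`--user`/`--password`) and should use https so they are not sent in the clear. The two versions also disagree on the path (`/login/traffic-read.php` versus `/traffic-read.php`); the listing of traffic-read.php below should agree with whichever location is meant.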
  
Line 153: Line 145:
  
 
Below script will process traffic.log and store the data into a MySQL Database on the HOST-TO-SHOW-THE-TRAFFIC-TO-THE-USERS  
 
Below script will process traffic.log and store the data into a MySQL Database on the HOST-TO-SHOW-THE-TRAFFIC-TO-THE-USERS  
<source lang="text">
+
<pre>
 
HOST-TO-SHOW-THE-TRAFFIC-TO-THE-USERS:/var/www/OPENVZ-CONTROL-WEB-SITE# cat traffic-read.php
 
HOST-TO-SHOW-THE-TRAFFIC-TO-THE-USERS:/var/www/OPENVZ-CONTROL-WEB-SITE# cat traffic-read.php
</source>
 
<source lang="php">
 
 
<?
 
<?
 
  $MySQL_Host="INSERT-YOUR-MYSQL-HOST-HERE";
 
  $MySQL_Host="INSERT-YOUR-MYSQL-HOST-HERE";
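Review bot: the undo replaces `<source lang="text">` / `<source lang="php">` with plain `<pre>`, dropping the syntax highlighting of the PHP listing; the `<source>` tags were an improvement and should stay. Unchanged in both versions, the script opens with the short tag `<?`, which only works where short_open_tag is enabled; `<?php` is the portable form.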
Line 162: Line 152:
 
  $MySQL_Passw="INSERT-YOUR-MYSQL-PASSWORD-HERE";
 
  $MySQL_Passw="INSERT-YOUR-MYSQL-PASSWORD-HERE";
 
   
 
   
  mysql_connect($MySQL_Host,$MySQL_User,$MySQL_Passw);
+
  mysql_connect("$MySQL_Host","$MySQL_User","$MySQL_Passw");
  
 
  $HN=trim(addslashes($_GET["HN"])); // Hardware Node
 
  $HN=trim(addslashes($_GET["HN"])); // Hardware Node
  
  $handle = fopen ("tmp/{$HN}-traffic","r");
+
  $handle = fopen ("tmp/$HN-traffic","r");
 
  while (!feof($handle)) {
 
  while (!feof($handle)) {
 
   $line = fgets($handle, 4096);
 
   $line = fgets($handle, 4096);
 
   list($date,$time,$ip,$traffic)=explode(" ",$line);
 
   list($date,$time,$ip,$traffic)=explode(" ",$line);
   if($traffic>0) {mysql($db,"insert into Traffic (ip,measuringtime,bytes) values('{$ip}','{$date} {$time}','{$traffic}')");}
+
   if($traffic>0) {mysql($db,"insert into Traffic (ip,measuringtime,bytes) values('$ip','$date $time','$traffic')");}
 
  }  
 
  }  
 
  fclose($handle);
 
  fclose($handle);
 
?>
 
?>
</source>
+
</pre>
  
 
=== A SQL query to get the traffic for the last 30 days ===
 
=== A SQL query to get the traffic for the last 30 days ===
<source lang="mysql">
+
<pre>
 
SELECT sum(bytes)
 
SELECT sum(bytes)
 
FROM Traffic
 
FROM Traffic
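Review bot: `$HN=trim(addslashes($_GET["HN"]))` is the only treatment of the request parameter before it is interpolated into a file path in `fopen ("tmp/{$HN}-traffic","r")`; addslashes only escapes quote characters and does nothing about `/` or `..`, so the endpoint should validate HN against a strict hostname pattern (letters, digits, `.` and `-`) and refuse anything else before touching the filesystem. The same hunk builds the INSERT by string interpolation of values read from that file (`'{$ip}','{$date} {$time}','{$traffic}'`), and `$db` in `mysql($db, ...)` is not assigned in the visible lines (`mysql_connect` here returns its link without storing it); the `mysql_*` functions are also no longer part of PHP, so a mysqli or PDO prepared statement fixes both points. The current revision's `mysql_connect($MySQL_Host,$MySQL_User,$MySQL_Passw)` is a correct cleanup of the quoted form; the undo reverts it.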
Line 183: Line 173:
 
AND measuringtime > ( now() - INTERVAL 1 MONTH)
 
AND measuringtime > ( now() - INTERVAL 1 MONTH)
 
GROUP BY ip
 
GROUP BY ip
</source>
+
</pre>
  
 
=== Notes ===
 
=== Notes ===
  
As you see this way can be time-consuming in case of a big number of containers.  
+
As you see this way can be time-consuming in case of a big number of VEs.  
  
 
So if anybody has scripts that automate all the process — you are welcome!
 
So if anybody has scripts that automate all the process — you are welcome!
  
== See also ==
+
[[Category: HOWTO]]
* [[Traffic accounting through proc]]
 
 
 
 
[[Category: Networking]]
 
[[Category: Networking]]
[[Category: Monitoring]]
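Review bot: the undo drops the `== See also ==` section with its `* [[Traffic accounting through proc]]` link and the `[[Category: Monitoring]]` tag, replacing them with `[[Category: HOWTO]]`; the link to the alternative method is useful and should be kept alongside whatever categories are wanted. In the query, the heading says `last 30 days` while the condition is `measuringtime > ( now() - INTERVAL 1 MONTH)`; either say one month in the heading or use `INTERVAL 30 DAY` so the two agree. Replacing `<source lang="mysql">` with `<pre>` again loses highlighting.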
 
