From: Sergey M. <sm...@us...> - 2011-11-05 01:26:01
Update of /cvsroot/ipac-ng/ipac-ng In directory vz-cvs-4.sog:/tmp/cvs-serv17870/ipac-ng Modified Files: CHANGELOG README TODO Log Message: Updated documentation to v.1.34.2 Index: README =================================================================== RCS file: /cvsroot/ipac-ng/ipac-ng/README,v retrieving revision 1.6 retrieving revision 1.7 diff -u -d -r1.6 -r1.7 --- README 17 Jul 2011 03:45:22 -0000 1.6 +++ README 5 Nov 2011 01:25:58 -0000 1.7 @@ -6,7 +6,6 @@ For copyright notice see at the bottom of this file - WHAT IS IT? ipac is a package which is designed to gather, summarize and nicely @@ -18,11 +17,10 @@ - runs on top of the iptables or ipchains tool - needs certain kernel parts compiled in - NOTE FOR THAT WHO TRY TO USE THIS FOR THE FIRST TIME -2.2.* kernels support is not well, please use 2.4+iptables. All features -tested & work only for 2.4. But in case you need simple accounting only 2.2 -is enough. +2.2.* kernels support is not well, please use 2.4-3.0 + iptables. All features +tested & work only for 2.4-3.0 kernels. But in case you need simple accounting +only 2.2 is enough. HOW DOES IT WORK? @@ -50,7 +48,7 @@ INSTALLATION / PRECONDITIONS ipac-ng runs at least under Linux kernel 2.2.11, 2.2.16 - 2.2.19, 2.4.1, 2.4.3, -2.4.[4-13]. It should run on any kernel above. +2.4.[4-13]. It should run on any kernel above including 2.6.X and 3.0.X. You need perl 5. @@ -72,6 +70,7 @@ cgi scripts uses DBI, DBI-pg and CGI perl modules. They can be found at cpan http://www.cpan.org/CPAN.html. + PRECONDITIONS FOR 2.1.* and 2.2.* kernels At first, you'll need an ipchains tool. 
@@ -88,28 +87,33 @@ * filter, read the fetchipac man page, section BUGS! -PRECONDITIONS FOR 2.4.* and 2.6.* kernels +PRECONDITIONS FOR 2.4.*, 2.6.* and 3.0.* kernels -You'll need an iptables tool. Don't even try to use ipchains with 2.4.* +You'll need an iptables tool. Don't even try to use ipchains with these kernels. There is a bug that don't allow correct counters zeroing. You need a kernel which was compiled with the configuration option "Network packet filtering (replaces ipchains)" set to "y" or "m". Also "IP tables support" and "Packet filtering" must be set to "y" or "m". -NOTE: ipac-ng 1.34 works with iptables 1.4.3 and higher (confirmed up to 1.4.11.1); +NOTE: ipac-ng 1.34.2 works with iptables 1.4.3 and higher (confirmed up to + 1.4.12.1); ipac-ng 1.33 works with iptables 1.4.2; ipac-ng 1.32 and lower work with iptables 1.2.X and 1.3.X. -ipac-ng 1.34 uses iptables shared libraries, so these libraries must exist -in your system (i.e. iptables must be compiled with option which produces -these libraries: libxtables.so and libiptc.so or libip4tc.so). If your system -doesn't provide iptables shared libraries you can build ipac-ng with iptables -source code. See BUILD-with-iptables-source file in doc subdirectory for -instructions how to do it. +ipac-ng since v.1.34 uses iptables shared libraries, so these libraries +must exist in your system (i.e. iptables must not be compiled with an option +which excludes production of these libraries: libxtables.so and libiptc.so +or libip4tc.so). -To compile ipac-ng 1.34 you will additionally need iptables headers. +If your system doesn't provide iptables shared libraries you can build +ipac-ng statically with iptables source code. See BUILD-with-iptables-source +file in doc subdirectory for instructions how to do it. + +To compile ipac-ng 1.34 and later you will need iptables headers. Please install iptables-dev package - it provides these headers. 
+You don't need these headers if you are compiling ipac-ng statically with +iptables source code. NOTE: ipac-ng 1.33 and higher (especially fetchipac program) must be used with the same version of iptables which it was compiled with, @@ -117,6 +121,7 @@ but to be on the safe side, you should avoid version mixing. Always recompile/reinstall ipac-ng after iptables uprgades/downgrades! + INSTALLATION / OVERVIEW To install: @@ -135,7 +140,7 @@ - As root, run 'make install'. - - Create the file '/etc/ipac-ng/ipac.conf'. + - Create the files '/etc/ipac-ng/ipac.conf' and '/etc/ipac-ng/rules.conf'. - Run 'fetchipac -S'. 
@@ -163,32 +168,57 @@ where Name of rule Any string to identify this rule direction 'in' or 'out' - interface ip number or interface name or empty + interface interface name or '+' or empty protocol 'tcp' or 'udp' or 'icmp' or 'all' source \ - destination both as described in ipfwadm(8), or empty + destination both as described below, or empty In the summaries, the 'Name of rule' string identifies the counter. -Both the source and destination must be in ipfwadm/ipchains syntax - -consult the man page. -The interface can be named (for example, eth0) or its IP number can be given. -Linux IP accounting always counts at one interface or at any interface. The -direction means in or out of this interface. +The syntax of both the source and destination must be following: + + address[/mask] [port ...] + +Address can be either a hostname, a network name, or a plain IP address. +The mask can be either a network mask or a plain number, specifying the +number of 1's at the left side of the network mask (CIDR notation). Thus, +a mask of 24 is equivalent with 255.255.255.0. + +Note, that if hostname is specified as source/destination address, the +name resolution occurs at the moment when fetchipac -S invoked, i.e. +when ip accounting is initialized. The case if hostname resolves in +multiple IP addresses currently not supported. + +The source/destination may include one or more port specifications or +ICMP types. Each of them can either be a servicename, a port number, or +a (numeric) ICMP type. + +Note that the specified protocol may imply restrictions on the ports to +be specified. Ports may only be specified in combination with the tcp, +udp, or icmp protocol. When this option is omitted, the default +address/mask 0.0.0.0/0 (matching with any address) is used as +source/destination address. + +The interface can be named (for example, eth0). Empty field or '+' both +mean 'any interface'. Linux IP accounting always counts at one interface +or at any interface. 
The direction means in or out of this interface. + +You can have several lines with the same name of the rule. This means +that these lines will share one counter, i.e. results will be summarized. * You must run the fetchipac -S after changing the -* ipac.conf file every time for the changes to take effect! +* rules or ipac.conf file every time for the changes to take effect! An example ipac.conf and ipac.rules files come with the distribution. Since of version 1.09 of ipac-ng there are some improvements done: 1) you may define user-defined accounting chains for the sake of speed; 2) you may use network file in source *or* destination for the sake of - configurability; - + configurability. USER DEFINED CHAINS + Imagine that you have to account traffic for few hundreds of users, ok prior to version 1.09 you'l end up with some thousands of rules in plain format. And each packet will travel throught all of that rules. This will lead to major @@ -206,8 +236,8 @@ and so on.. - HOW TO DEFINE USER CHAINS + First, get a look at example ipac.conf. Still questions? ok.. Since of 1.09 there is a special tag in 'Name of rule' field of config. It's, as you can see, '%chain% '. Config file parser meeting this tag make decision not to create new @@ -230,7 +260,6 @@ Still questions? Welcome to email! kai...@ma.... - INSTALLATION / FETCHING ACCOUNTING DATA FROM KERNEL: FETCHIPAC IN CRON In order to collect the accounting data, you must put a line into a @@ -243,7 +272,6 @@ */5 * * * * root /usr/local/sbin/fetchipac - INSTALLATION / AFTER REBOOTS Naturally, the kernel forgets about the ip accounting on reboots. 
@@ -254,6 +282,16 @@ # Switch on ip accounting /usr/local/sbin/fetchipac -S +Hint: This crontab entry will call fetchipac -S if ip accounting is not + initialized (or destroyed by another program) or call fetchipac + without switches otherwise. Unwrap the line below, it is wrapped + for readability. + +*/10 * * * * root (test -f /etc/ipac-ng/ipac.conf && test -f + /usr/local/sbin/fetchipac && test -d /var/lib/ipac/ && + /usr/bin/nice /usr/local/sbin/fetchipac 2>&1 | + /bin/grep -q corrupted && /usr/bin/nice + /usr/local/sbin/fetchipac -S) || [ $? -eq 1 ] READING IP ACCOUNTING SUMMARIES @@ -275,7 +313,6 @@ A small help screen will be displayed with ipacsum --help. - CLEANING UP fetchipac generates a single database record every time it runs. @@ -322,14 +359,11 @@ 4 0 1 2 * root /usr/local/bin/ipacsum -r -t "the year 2 years ago" >/dev/null - - FURTHER DOCUMENTATION Read the man pages - ipacsum(8) and fetchipac(8). - CONTRIBUTIONS The directory contrib/ contains stuff that does not directly belong to Index: TODO =================================================================== RCS file: /cvsroot/ipac-ng/ipac-ng/TODO,v retrieving revision 1.7 retrieving revision 1.8 diff -u -d -r1.7 -r1.8 --- TODO 28 Jun 2004 15:47:24 -0000 1.7 +++ TODO 5 Nov 2011 01:25:58 -0000 1.8 @@ -23,7 +23,8 @@ - create documentation document with plain-file storage method description -Things to do for ipac-ng 1.31: +- implement support for ipv6 -- add support for MySQL database backend +- create frontend GUI application +- create RPM/DEB packages for most popular Linux distributions Index: CHANGELOG =================================================================== RCS file: /cvsroot/ipac-ng/ipac-ng/CHANGELOG,v retrieving revision 1.37 retrieving revision 1.38 diff -u -d -r1.37 -r1.38 --- CHANGELOG 17 Jul 2011 03:45:22 -0000 1.37 +++ CHANGELOG 5 Nov 2011 01:25:58 -0000 1.38 
@@ -12,7 +12,7 @@ # kaiser13/az ......... Al Zakharov <kaiser13 at users dot sourceforge dot net> # friedl/fl ........... Friedrich Lobenstock <fl at fl dot priv dot at> # mpoos ............... Mark Spieth <mpoos at users dot sourceforge dot net> -# sm ...................Sergey Merzlikin <smsoft at sm dot smsoft dot ru> +# sm ...................Sergey Merzlikin <sm at smsoft dot ru> # # contributors: # Thomas Zehetbauer <thomasz at hostmaster dot org> @@ -33,6 +33,18 @@ * with storage backend "gdbm" DO NOT call fetchipac twice in the same second or your database will be destroyed - no fix, other than removing support for gdbm, yet + * incorrect parsing of port ranges (port:port) in rules file. + * if source/destination in rules file is specified as hostname, + and this hostname resolves to multiple ip addresses, the rule + is not accepted. + * error message doesn't contain rule name if rule parsing error occurs + +1.34.2 +- fixed incompatibility with iptables 1.4.11 - 1.4.12.1 (sm) +- improved configure/build scripts. Now both dynamic (with iptables dynamic + libraries) and static (with iptables source) compilation is compatible + with iptables 1.4.3 - 1.4.12.1 (sm) +- updated documentation (sm) 1.34.1 - fixed incompatibility with some linux distributions which use iptables 1.4.10 |
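Review bot: in the README hunk at @@ -18 the rewritten kernel note is still hard to read ("2.2.* kernels support is not well, please use 2.4-3.0 + iptables"); suggest "Support for 2.2.* kernels is limited; use a 2.4 to 3.0 kernel with iptables. All features are tested and work only on 2.4-3.0 kernels; for simple accounting 2.2 is sufficient." The bare range "2.4-3.0" also reads as if 2.6 were excluded; the @@ -50 hunk's "including 2.6.X and 3.0.X" wording would be consistent here.

Review bot: the new sentence in the @@ -88 hunk, "iptables must not be compiled with an option which excludes production of these libraries", is a double negative; suggest "iptables must have been built with its shared libraries enabled (libxtables.so and libiptc.so or libip4tc.so)". Since the hunk already touches this region, the unchanged context "There is a bug that don't allow correct counters zeroing" and "uprgades/downgrades" could be corrected in the same commit. The surrounding NOTE that fetchipac must be used with the iptables version it was compiled against is the important operational point: a distribution upgrade of iptables without rebuilding ipac-ng is exactly the silent failure mode the "Always recompile/reinstall" line guards against, so keep that line prominent.

Review bot: in the @@ -163 hunk the paragraph "Ports may only be specified in combination with the tcp, udp, or icmp protocol. When this option is omitted, the default address/mask 0.0.0.0/0 (matching with any address) is used" splices two topics: "this option" refers to the address, not to the ports, so the default-address sentence belongs directly after the "address[/mask] [port ...]" paragraph. The hostname note should state the actual behaviour, which the CHANGELOG in this same commit records ("the rule is not accepted"), rather than only "currently not supported", and it should spell out the consequence of resolving at "fetchipac -S" time: a rule written with a hostname accounts whatever address DNS returned when accounting was initialized and does not follow later changes, so administrators who need stable counters should prefer literal addresses. Grammar: "Note, that if hostname is specified" -> "Note that if a hostname is specified"; "resolves in multiple IP addresses currently not supported" -> "resolves to multiple IP addresses is currently not supported".

Review bot: the crontab hint in the @@ -254 hunk discards every fetchipac diagnostic: stdout and stderr are both piped into "grep -q corrupted", and the trailing "|| [ $? -eq 1 ]" converts any non-matching failure (iptables version mismatch, unreadable database, missing chains) into a success exit, so cron never mails the error and accounting can stop without anyone noticing. Suggest passing the output through tee to a log file (or to logger) before the grep, and documenting that reinitialization is triggered only by the literal word "corrupted" in fetchipac's output, which ties the hint to the current message text and will break silently if that message is ever reworded. The "Unwrap the line below" remark is correct since crontab has no line continuation; it may be worth stating explicitly that the whole command must be on one line.

Review bot: the TODO hunk removes the "Things to do for ipac-ng 1.31:" heading and the "add support for MySQL database backend" item without saying whether MySQL support was implemented or dropped; a one-line note in the CHANGELOG or TODO would prevent the question from coming back.

Review bot: the new known-bug entry in the CHANGELOG hunk at @@ -33, "incorrect parsing of port ranges (port:port) in rules file", should state the effect: whether the rule is rejected at "fetchipac -S" or is loaded with the wrong ports and silently accounts the wrong traffic, which is what anyone relying on the summaries needs to know. The README hunk in this same commit describes port specifications only as "a servicename, a port number, or a (numeric) ICMP type" and never mentions the port:port form, so either the README should warn that ranges are currently broken or the CHANGELOG should say they are unsupported; the two files should agree. The multiple-address hostname entry does match the README ("is not accepted" versus "currently not supported"); a cross-reference would make that easier to find.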