[collectd] IPTables Module

[Sjoerd van der Berg]

On 3/10/07, Florian Forster <octo.trailing-username(a)leading-domain.verplant.org> wrote:
> I've changed the code and build-system to use a globally installed
> version of `libiptc' and `libiptc/libiptc.h'. You can use the
> `--with-libiptc[=PREFIX]' configure-option to point the configure-
> script to an arbitary location.

Yeh that might work or like i said could rewrite it to just use raw
socket operations.

> The actual problem here is to tell collectd which counters are
> interesting, right? I have two (alternative or additive) suggestions:
> - Select counters by some other common feature, such as the
>   `--log-prefix' option of the LOG-target or the `--set-mark' option of
>   the MARK-target.
> - Specify the counter by table, chain and position. The problem is that
>   changes in the firewall(-script) may break this, but it doesn't need
>   any target/matches that have some side-effect. (I can see why you
>   chose the `comment'-match by the way ;)
>
> Any thoughts?

Damn that sucks, thought the comment module might make it into more
distros by now, but seems not. So what's left then, like you said
marks and maybe use some table in the collectd config file to match
mark numbers to specific strings?
Or use empty chains and match on the chain names by using the empty
chains as targets?
Any kind of logging target would probably give needless overhead
unless you could somehow not make it actually log and only use it for
the string to identity a certain rule :)

I don't really know what would be best, i kinda like the flexibility
in just having the module pretty much find the things it can handle
and work from there without too much editing of the collectd config
file.  Or you could go the other way and setup the rules in the
collectd file and the module will setup it's own chaines, but that
would probably complicate things alot :(

Sjoerd,