Hi! Imagine this scenario:
- A LAN with several RFC 1918 subnets
- A gateway/router with several interfaces, 1 connected to the Internet plus some others, each connected to one or more of the above mentioned LAN subnets.
- The gateway is forwarding packets between the LAN subnets and from the LAN subnets to the Internet and vice versa.
- The gateway's LAN interfaces are named eth0-5
- The gateway is doing NAT on the interface connected to the Internet (let's call it ppp0) via iptables

I want to account traffic that flows through the external interface (ppp0). pmacct is unaware of NAT happening on the box, so if I make it listen on ppp0, it only sees packets that originate from and are destined for the local IP address of ppp0, thus making it impossible to see which LAN hosts caused the traffic.

Well, so I started using multiple pmacctd instances, each one bound to one of the LAN interfaces and with a pcap_filter that does not account traffic that is just routed between LAN subnets or that is broadcast, but that's *really* ugly (also it doesn't count traffic that is generated locally).

pcap_filter:
ip and ((not src net 10.0.0.0/8 and not 172.16.0.0/12 and not 192.168.0.0/16 and not src host 0.0.0.0) or (not dst net 10.0.0.0/8 and not 172.16.0.0/12 and not 192.168.0.0/16 and not 224.0.0.0/4 and not dst host 255.255.255.255))

Also I dislike having to run more than one pmacctd.

Does anybody know a better solution? I don't really fancy using iptables for traffic accounting, although it looks like this is the only instance that can unveil the NAT information (see /proc/net/ip_conntrack).

Thanks in advance.

--
Wolfram Schlich

_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
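The post points at /proc/net/ip_conntrack as the one place on the gateway that still ties a post-NAT flow back to the LAN host that opened it. The following script is an added example (not part of the original message, not pmacct's or the poster's code) of how to use that information: it parses conntrack entries, keeps only flows whose reply tuple has been rewritten by NAT (which automatically drops traffic merely routed between LAN subnets), and sums the original-direction and reply-direction byte counters per private source address. It assumes the kernel exposes per-direction packets=/bytes= counters (conntrack accounting enabled); the sample entries are constructed, and the addresses in them are documentation ranges, not real hosts.

```python
import ipaddress
import sys

# Constructed sample in the /proc/net/ip_conntrack text format (not a real
# capture). Each entry lists the original-direction tuple first and the reply
# tuple second; on a NAT gateway the reply tuple carries the rewritten
# addresses. The packets=/bytes= fields assume conntrack accounting is on.
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=198.51.100.7 sport=51234 dport=80 packets=12 bytes=1500 src=198.51.100.7 dst=203.0.113.5 sport=80 dport=51234 packets=10 bytes=8000 [ASSURED] mark=0 use=1
udp      17 29 src=10.0.2.3 dst=198.51.100.53 sport=40000 dport=53 packets=1 bytes=64 src=198.51.100.53 dst=203.0.113.5 sport=53 dport=40000 packets=1 bytes=120 mark=0 use=1
tcp      6 300 ESTABLISHED src=192.168.1.10 dst=10.0.2.3 sport=22000 dport=22 packets=5 bytes=500 src=10.0.2.3 dst=192.168.1.10 sport=22 dport=22000 packets=4 bytes=400 [ASSURED] mark=0 use=1
"""


def parse_entry(line):
    """Split one conntrack line into its direction records.

    Returns a list of dicts, one per 'src=' tuple (original, then reply).
    Tokens without '=' (protocol name, state, [ASSURED]) are ignored, and
    key=value tokens are attached to the most recently started tuple.
    """
    directions = []
    for tok in line.split():
        if tok.startswith("src="):
            directions.append({})
        if "=" in tok and directions:
            key, value = tok.split("=", 1)
            directions[-1][key] = value
    return directions


def is_natted(orig, reply):
    """True when the reply tuple is not a plain mirror of the original one,
    i.e. source or destination NAT was applied to this flow."""
    return reply["dst"] != orig["src"] or reply["src"] != orig["dst"]


def account_by_lan_host(conntrack_text):
    """Sum bytes per LAN-originated, NATed flow, keyed by the private source.

    tx_bytes are original-direction (LAN host -> Internet) bytes,
    rx_bytes are reply-direction (Internet -> LAN host) bytes.
    """
    totals = {}
    for line in conntrack_text.splitlines():
        dirs = parse_entry(line)
        # Skip malformed lines and kernels without per-flow counters.
        if len(dirs) != 2 or "bytes" not in dirs[0] or "bytes" not in dirs[1]:
            continue
        orig, reply = dirs
        if not is_natted(orig, reply):
            continue  # routed LAN-to-LAN traffic, not our concern here
        host = orig["src"]
        if not ipaddress.ip_address(host).is_private:
            continue  # only flows opened from an RFC 1918 address
        entry = totals.setdefault(host, {"tx_bytes": 0, "rx_bytes": 0, "flows": 0})
        entry["tx_bytes"] += int(orig["bytes"])
        entry["rx_bytes"] += int(reply["bytes"])
        entry["flows"] += 1
    return totals


if __name__ == "__main__":
    # Read a real table if a path is given, otherwise use the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE_CONNTRACK
    for host, counters in sorted(account_by_lan_host(text).items()):
        print(f"{host:15} tx={counters['tx_bytes']:>8} rx={counters['rx_bytes']:>8} "
              f"flows={counters['flows']}")
```

Keep in mind that the table is a snapshot: each flow's counters are cumulative for that flow only and vanish when the entry expires, so a single read undercounts anything that has already timed out. For continuous accounting the read has to be repeated at an interval shorter than the shortest timeout, or replaced by subscribing to conntrack destroy events, which is exactly the kind of bookkeeping a dedicated accounting daemon does better than a script.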
