Révision c9157be3

IDc9157be3fe0bdcc3fb54855056e1cebe94e4dcd5
Parent 0b07e636
Enfant 0d775b28, 2078cab6, 863d326b

Ajouté par Lars Kruse il y a presque 8 ans

iptables-related plugins: use "-w" for consistent results

The parameter "-w" forces iptables to wait for a lock before
printing data.

The parameter requires iptables 1.6 (released 2015).

See https://github.com/munin-monitoring/munin/issues/586


plugins/accounting/accounting_
115 115

  
116 116
if [ "$1" == "autoconf" ]; then
117 117
	if [ -r /proc/net/dev ]; then
118
		$IPTABLES -L INPUT -v -n -x >/dev/null 2>/dev/null
118
		$IPTABLES -L INPUT -v -n -x -w >/dev/null 2>/dev/null
119 119
			if [ $? -gt 0 ]; then
120 120
				echo "no (could not run iptables as user `whoami`)"
121 121
				exit 1
......
132 132
if [ "$1" = "suggest" ]; then
133 133

  
134 134
	if [ $PROTO = "ipv4" ]; then
135
	  $IPTABLES -L INPUT -v -x -n 2>/dev/null | sed -n 's/^.*\/\* ACCT\-\([a-zA-Z\-]*\) \*\/.*$/\ipv4_\1/p'
136
  	$IPTABLES -L OUTPUT -v -x -n 2>/dev/null | sed -n 's/^.*\/\* ACCT\-\([a-zA-Z\-]*\) \*\/.*$/\ipv4_\1/p'
135
	  $IPTABLES -L INPUT -v -x -n -w 2>/dev/null | sed -n 's/^.*\/\* ACCT\-\([a-zA-Z\-]*\) \*\/.*$/\ipv4_\1/p'
136
	  $IPTABLES -L OUTPUT -v -x -n -w 2>/dev/null | sed -n 's/^.*\/\* ACCT\-\([a-zA-Z\-]*\) \*\/.*$/\ipv4_\1/p'
137 137
	elif [ $PROTO == "ipv6" ]; then
138
	  $IPTABLES -L INPUT -v -x -n 2>/dev/null | sed -n 's/^.*\/\* ACCT\-\([a-zA-Z\-]*\) \*\/.*$/\ipv6_\1/p'
139
	  $IPTABLES -L OUTPUT -v -x -n 2>/dev/null | sed -n 's/^.*\/\* ACCT\-\([a-zA-Z\-]*\) \*\/.*$/\ipv6_\1/p'
138
	  $IPTABLES -L INPUT -v -x -n -w 2>/dev/null | sed -n 's/^.*\/\* ACCT\-\([a-zA-Z\-]*\) \*\/.*$/\ipv6_\1/p'
139
	  $IPTABLES -L OUTPUT -v -x -n -w 2>/dev/null | sed -n 's/^.*\/\* ACCT\-\([a-zA-Z\-]*\) \*\/.*$/\ipv6_\1/p'
140 140
	fi
141 141

  
142 142
	exit 0
......
192 192
fi;
193 193

  
194 194
echo 'multigraph '${0##*/}'_in'
195
$IPTABLES -L INPUT -v -n -x | grep  "\/\* ACCT\-"$SUBCHAIN"\-tcp\-in \*\/" | tr -s '*' '-' | awk "{ print \"tcpIN.value \" \$2 }"
196
$IPTABLES -L INPUT -v -n -x | grep  "\/\* ACCT\-"$SUBCHAIN"\-udp\-in \*\/" | tr -s '*' '-' | awk "{ print \"udpIN.value \" \$2 }"
197
$IPTABLES -L INPUT -v -n -x | grep  "\/\* ACCT\-"$SUBCHAIN"\-icmp\-in \*\/" | tr -s '*' '-' | awk "{ print \"icmpIN.value \" \$2 }"
195
$IPTABLES -L INPUT -v -n -x -w | grep  "\/\* ACCT\-"$SUBCHAIN"\-tcp\-in \*\/" | tr -s '*' '-' | awk "{ print \"tcpIN.value \" \$2 }"
196
$IPTABLES -L INPUT -v -n -x -w | grep  "\/\* ACCT\-"$SUBCHAIN"\-udp\-in \*\/" | tr -s '*' '-' | awk "{ print \"udpIN.value \" \$2 }"
197
$IPTABLES -L INPUT -v -n -x -w | grep  "\/\* ACCT\-"$SUBCHAIN"\-icmp\-in \*\/" | tr -s '*' '-' | awk "{ print \"icmpIN.value \" \$2 }"
198 198
echo
199 199
echo 'multigraph '${0##*/}'_out'
200
$IPTABLES -L OUTPUT -v -n -x | grep  "\/\* ACCT\-"$SUBCHAIN"\-tcp\-out \*\/" | tr -s '*' '-' | awk "{ print \"tcpOUT.value \" \$2 }"
201
$IPTABLES -L OUTPUT -v -n -x | grep  "\/\* ACCT\-"$SUBCHAIN"\-udp\-out \*\/" | tr -s '*' '-' | awk "{ print \"udpOUT.value \" \$2 }"
202
$IPTABLES -L OUTPUT -v -n -x | grep  "\/\* ACCT\-"$SUBCHAIN"\-icmp\-out \*\/" | tr -s '*' '-' | awk "{ print \"icmpOUT.value \" \$2 }"
200
$IPTABLES -L OUTPUT -v -n -x -w | grep  "\/\* ACCT\-"$SUBCHAIN"\-tcp\-out \*\/" | tr -s '*' '-' | awk "{ print \"tcpOUT.value \" \$2 }"
201
$IPTABLES -L OUTPUT -v -n -x -w | grep  "\/\* ACCT\-"$SUBCHAIN"\-udp\-out \*\/" | tr -s '*' '-' | awk "{ print \"udpOUT.value \" \$2 }"
202
$IPTABLES -L OUTPUT -v -n -x -w | grep  "\/\* ACCT\-"$SUBCHAIN"\-icmp\-out \*\/" | tr -s '*' '-' | awk "{ print \"icmpOUT.value \" \$2 }"
203 203

  
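Review bot: In the autoconf branch the probe `$IPTABLES -L INPUT -v -n -x -w >/dev/null 2>/dev/null` discards stderr, so on a host whose iptables does not accept `-w` the plugin answers "no (could not run iptables as user …)" although the real cause is the unknown option. Capturing the error the way plugins/network/ipt_basic_ does, `RES=$($IPTABLES -L INPUT -v -n -x -w 2>&1 >/dev/null)` followed by `echo "no (could not run iptables as user $(whoami); $RES)"`, keeps the diagnosis visible to the administrator. The same silent probe appears in plugins/ip6/ip6_, plugins/network/fwbuilder_ and plugins/network/ipt_accounting_. The autoconf block continues outside the visible lines.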
plugins/ip6/ip6_
28 28

  
29 29
if [ "$1" = "autoconf" ]; then
30 30
	if [ -r /proc/net/dev ]; then
31
		ip6tables -L INPUT -v -n -x >/dev/null 2>/dev/null
31
		ip6tables -L INPUT -v -n -x -w >/dev/null 2>/dev/null
32 32
		if [ $? -gt 0 ]; then
33 33
			echo "no (could not run ip6tables as user `whoami`)"
34 34
			exit 1
......
43 43
fi
44 44

  
45 45
if [ "$1" = "suggest" ]; then
46
	ip6tables -L INPUT -v -n -x 2>/dev/null | awk --posix '$8 ~ /^([0-9a-f]{1,4}(\:|\:\:)){1,7}([0-9a-f]{1,4})\/([0-9]{1,3})$/ { if (done[$8]!=1) {print $8; done[$8]=1;}}'|sed "s#/[0-9]\{1,3\}##"
46
	ip6tables -L INPUT -v -n -x -w 2>/dev/null | awk --posix '$8 ~ /^([0-9a-f]{1,4}(\:|\:\:)){1,7}([0-9a-f]{1,4})\/([0-9]{1,3})$/ { if (done[$8]!=1) {print $8; done[$8]=1;}}'|sed "s#/[0-9]\{1,3\}##"
47 47
	exit 0
48 48
fi
49 49

  
......
64 64
	exit 0
65 65
fi;
66 66

  
67
ip6tables -L INPUT -v -n -x | grep -m1 $IP | awk "{ print \"in.value \" \$2 }"
68
ip6tables -L OUTPUT -v -n -x | grep -m1 $IP | awk "{ print \"out.value \" \$2 }"
67
ip6tables -L INPUT -v -n -x -w | grep -m1 $IP | awk "{ print \"in.value \" \$2 }"
68
ip6tables -L OUTPUT -v -n -x -w | grep -m1 $IP | awk "{ print \"out.value \" \$2 }"
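Review bot: `grep -m1 $IP` on the two fetch lines passes the address unquoted and as a regular expression, so an empty `$IP` leaves grep without a pattern and a short address also matches any longer address that contains it. Quoting it and matching literally, `grep -m1 -F -- "$IP"`, removes the word splitting and the regex interpretation. Comparing the address column in the awk stage instead would also rule out substring matches. `$IP` is set outside the visible lines, so where its value comes from is not checked here.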
plugins/ip6/ip6t_accounting
10 10
graph_args -l 0
11 11
graph_info ip6tables bites ipv6
12 12
EOF
13
ip6tables -vxL|grep -E 'ACC|REJ'|grep -v ^Chain|sed -e 's/dpt://g' -e 's/ .*://g'|awk '{print $NF"-"$4".label", $NF" "$4"\n",$NF"-"$4".min", 0}'|sed 's/^\s*//g'
13
ip6tables -vx -w -L | grep -E 'ACC|REJ'|grep -v ^Chain|sed -e 's/dpt://g' -e 's/ .*://g'|awk '{print $NF"-"$4".label", $NF" "$4"\n",$NF"-"$4".min", 0}'|sed 's/^\s*//g'
14 14
exit 0
15 15
fi
16 16
if [ "$1" = "autoconf" ]; then
......
18 18
    exit 0
19 19
fi
20 20

  
21
ip6tables -vxL|grep -E 'ACC|REJ'|grep -v ^Chain|awk '{print $NF"-"$4".value", $2}'|sed 's/^dpt://'
21
ip6tables -vx -w -L | grep -E 'ACC|REJ'|grep -v ^Chain|awk '{print $NF"-"$4".value", $2}'|sed 's/^dpt://'
22 22

  
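Review bot: Both listings in this file, `ip6tables -vx -w -L`, still run without `-n`, unlike the other plugins touched by this commit, so ip6tables resolves addresses and ports to names on every run and the plugin's run time depends on the resolver. `ip6tables -vxn -w -L` would avoid the lookups. It presumably changes how the `dpt:` values are printed and therefore the generated field names, so it needs checking against existing graphs before it is applied.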
plugins/network/fwbuilder_
61 61

  
62 62
if [ "$1" = "autoconf" ]; then
63 63
	if [ -r /proc/net/dev ]; then
64
		iptables -L INPUT -v -n -x >/dev/null 2>/dev/null
64
		iptables -L INPUT -v -n -x -w >/dev/null 2>/dev/null
65 65
		if [ $? -gt 0 ]; then
66 66
			echo "no (could not run iptables as user `whoami`)"
67 67
			exit 1
......
77 77

  
78 78
if [ "$1" = "suggest" ]; then
79 79
	# find Chains for Accounting
80
	iptables -L -n |grep ^ACCOUNTING |awk '{printf "%s\n%s\n",$4,$5}'| sort -u |sed 's#\/#-#'
80
	iptables -L -n -w | grep ^ACCOUNTING |awk '{printf "%s\n%s\n",$4,$5}'| sort -u |sed 's#\/#-#'
81 81
	exit 0
82 82
fi
83 83

  
......
99 99
        exit 0
100 100
fi;
101 101

  
102
echo "in.value $(( $(iptables -L -n -v -x |grep "ACCOUNTING" |awk '{printf "%s %s\n",$2,$9}' |grep $IP |awk '{printf "%s + ",$1}') 0 ))"
103
echo "out.value $(( $(iptables -L -n -v -x |grep "ACCOUNTING" |awk '{printf "%s %s\n",$2,$8}' |grep $IP |awk '{printf "%s + ",$1}') 0 ))"
102
echo "in.value $(( $(iptables -L -n -v -x -w | grep "ACCOUNTING" | awk '{printf "%s %s\n",$2,$9}' | grep $IP | awk '{printf "%s + ",$1}') 0 ))"
103
echo "out.value $(( $(iptables -L -n -v -x -w |grep "ACCOUNTING" | awk '{printf "%s %s\n",$2,$8}' | grep $IP | awk '{printf "%s + ",$1}') 0 ))"
104 104

  
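Review bot: The two fetch lines turn a failed `iptables` call into a reported value of 0, because `$(( … 0 ))` evaluates to 0 when the pipeline prints nothing; with `-w` added this now also covers an iptables that rejects the option. Munin accepts `U` for an unknown value, which avoids recording a false zero in the traffic history. Listing the rules once and reusing the output also takes both counters from the same snapshot and waits for the lock only once. `$IP` is set outside the visible lines and is left as it was.

```shell
# one listing for both values; report "unknown" when iptables fails
if ! rules=$(iptables -L -n -v -x -w); then
	echo "in.value U"
	echo "out.value U"
	exit 0
fi
echo "in.value $(( $(printf '%s\n' "$rules" | grep "ACCOUNTING" | awk '{printf "%s %s\n",$2,$9}' | grep $IP | awk '{printf "%s + ",$1}') 0 ))"
echo "out.value $(( $(printf '%s\n' "$rules" | grep "ACCOUNTING" | awk '{printf "%s %s\n",$2,$8}' | grep $IP | awk '{printf "%s + ",$1}') 0 ))"
```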
plugins/network/ipt_accounting_
42 42

  
43 43
if [ "$1" = "autoconf" ]; then
44 44
        if [ -r /proc/net/dev ]; then
45
                iptables -L INPUT -v -n -x >/dev/null 2>/dev/null
45
                iptables -L INPUT -v -n -x -w >/dev/null 2>/dev/null
46 46
                if [ $? -gt 0 ]; then
47 47
                        echo "no (could not run iptables as user `whoami`)"
48 48
                        exit 1
......
57 57
fi
58 58

  
59 59
if [ "$1" = "suggest" ]; then
60
        iptables -L INPUT -v -x -n 2>/dev/null | sed -n 's/^.*\/\* ACC\-\([a-zA-Z]*\) \*\/.*$/\1/p'
60
        iptables -L INPUT -v -x -n -w 2>/dev/null | sed -n 's/^.*\/\* ACC\-\([a-zA-Z]*\) \*\/.*$/\1/p'
61 61
        exit 0
62 62
fi
63 63

  
......
79 79
        exit 0
80 80
fi;
81 81

  
82
iptables -L INPUT -v -n -x | grep -m1 "\/\* ACC\-"$ACC" \*\/" | awk "{ print \"in.value \" \$2 }"
83
iptables -L OUTPUT -v -n -x | grep -m1 "\/\* ACC\-"$ACC" \*\/" | awk "{ print \"out.value \" \$2 }"
82
iptables -L INPUT -v -n -x -w | grep -m1 "\/\* ACC\-"$ACC" \*\/" | awk "{ print \"in.value \" \$2 }"
83
iptables -L OUTPUT -v -n -x -w | grep -m1 "\/\* ACC\-"$ACC" \*\/" | awk "{ print \"out.value \" \$2 }"
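Review bot: `$ACC` is expanded outside the quotes in `grep -m1 "\/\* ACC\-"$ACC" \*\/"`, so it is subject to word splitting and globbing before grep sees it and is then read as part of the regular expression. Keeping it inside one quoted pattern, `grep -m1 -- "/\* ACC-$ACC \*/"`, removes the splitting and drops the `\/` and `\-` escapes, which recent GNU grep releases may report as stray backslashes. plugins/accounting/accounting_ has the same construction with `$SUBCHAIN`. `$ACC` is set outside the visible lines.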
plugins/network/ipt_basic_
45 45

  
46 46
if [ "$1" = "autoconf" ]; then
47 47
	if [ -r /proc/net/dev ]; then
48
		RES=`$iptables -L $TNAME -nvx 2>&1 >/dev/null`
48
		RES=`$iptables -L $TNAME -nvx -w 2>&1 >/dev/null`
49 49
		if [ $? -gt 0 ]; then
50 50
			echo "no (could not run iptables as user `whoami`; $RES)"
51 51
			exit 1
......
79 79
	exit 1
80 80
fi
81 81

  
82
IFACES=`$iptables -L munin_node -nvx | awk '$6 ~ /(eth|ppp)[0-9]/ { if (done[$6]!=1) {print $6; done[$6]=1;}}'`
82
IFACES=`$iptables -L munin_node -nvx -w | awk '$6 ~ /(eth|ppp)[0-9]/ { if (done[$6]!=1) {print $6; done[$6]=1;}}'`
83 83

  
84 84
if [ "$1" = "config" ]; then
85 85

  
......
108 108
fi;
109 109

  
110 110
if [ "$TYPE" = "pkts" ]; then
111
	$iptables -L munin_node -nvx | egrep "eth|ppp" | awk "{ print \$6 \".value \" \$1 }"
111
	$iptables -L munin_node -nvx -w | egrep "eth|ppp" | awk "{ print \$6 \".value \" \$1 }"
112 112
else
113
	$iptables -L munin_node -nvx | egrep "eth|ppp" | awk "{ print \$6 \".value \" \$2 }"
113
	$iptables -L munin_node -nvx -w | egrep "eth|ppp" | awk "{ print \$6 \".value \" \$2 }"
114 114
fi
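Review bot: The fetch lines select rules with `egrep "eth|ppp"` against the whole line, while `IFACES` is built from the column test `$6 ~ /(eth|ppp)[0-9]/`, so a rule that contains "eth" or "ppp" anywhere else in its listing yields a value for a field that is not in `IFACES`. Doing the column test in the awk stage keeps the two consistent and drops the obsolescent `egrep`: `$iptables -L munin_node -nvx -w | awk '$6 ~ /(eth|ppp)[0-9]/ { print $6 ".value " $1 }'`, with `$2` in the else branch. The config block that consumes `IFACES` is outside the visible lines, so the effect on declared fields is inferred.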
plugins/network/traffic_ipt
110 110
diffv4=0
111 111
diffv6=0
112 112

  
113
IPv4_bytes=$(iptables -L -n -v -x | egrep '^\W*[0-9]+\W+[0-9]+\W+all\W+--\W+\*\W+\*\W+0.0.0.0/0\W+0.0.0.0/0\W*$' | while read pkts bytes rest; do echo $bytes; done)
113
IPv4_bytes=$(iptables -L -n -v -x -w | egrep '^\W*[0-9]+\W+[0-9]+\W+all\W+--\W+\*\W+\*\W+0.0.0.0/0\W+0.0.0.0/0\W*$' | while read pkts bytes rest; do echo $bytes; done)
114 114
if [ -z "$IPv4_bytes" ];
115 115
then
116 116
	echo "W: Unable to read rule from iptables, please add rules" >&2
......
118 118
	ipv4=$(echo $IPv4_bytes | sed -e 's/ / + /' | bc -l)
119 119
fi
120 120

  
121
IPv6_bytes=$(ip6tables -L -n -v -x | egrep '^\W*[0-9]+\W+[0-9]+\W+all\W+\*\W+\*\W+::/0\W+::/0\W*$' | while read pkts bytes rest; do echo $bytes; done)
121
IPv6_bytes=$(ip6tables -L -n -v -x -w | egrep '^\W*[0-9]+\W+[0-9]+\W+all\W+\*\W+\*\W+::/0\W+::/0\W*$' | while read pkts bytes rest; do echo $bytes; done)
122 122
if [ -z "$IPv6_bytes" ];
123 123
then
124 124
	echo "W: Unable to read rule from ip6tables, please add rules" >&2
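Review bot: On line 118 of the new file, `sed -e 's/ / + /'` replaces only the first space, so when more than two rules match the `egrep` filter the string handed to `bc -l` has the form `a + b c` and the sum fails. Adding the global flag, `sed -e 's/ / + /g'`, sums every matching counter. The IPv6 branch is cut off at the end of this section and presumably needs the same change.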
