[Problem] Trunk r10006 7340 iptables counters incorrect

mappu

My best attempt at German:

Hello! I would like to use iptables to count the VDSL data usage for someone on my LAN. Has anyone got iptables working correctly on the FritzBox 7340?

I built freetz with the iptables binary, and it works, but all counter values are very, very small and incorrect, and the freetz image has no ip_tables.ko (so modprobe prints an error). I also used Replace Kernel, but unfortunately that does not produce an ip_tables.ko either.

Perhaps the counts from ipconfig are better than those from iptables, but perhaps I am dreaming.

I asked ##fritzbox; the Ikanos Fusiv has hardware-accelerated routing with no iptables module available, so the functions do not work properly.

So my question is: can iptables be used to count the VDSL data usage for someone on my LAN on the FritzBox 7340? :confused:
___________

Hi! I am trying to use iptables to count data usage for everyone on my LAN. Has anyone got iptables working correctly on FritzBox 7340?

My freetz image contains the iptables binary, and seems to work, but all counter values are incorrect, much too small. No ip_tables.ko is created and so cannot be loaded. I have built a firmware with Replace Kernel which also does not create ip_tables.ko.

Perhaps the numbers from ipconfig are more realistic than the numbers from iptables, or it might be my imagination.

I asked ##fritzbox and the Ikanos Fusiv apparently has hardware-accelerated routing with no available iptables module for correct operation.

So my question is: is it possible for iptables to be used to count per-user data usage on FritzBox 7340? :confused:

___________

FritzBox 7340 :: 05.22 en.international
Kernel 2.6.28.10, iptables 1.4.11.1, freetz-trunk r10006
 
What do you mean by iptables is included but there is no ip_tables.ko!? Not sure if there is a need to have it as a module or included in the kernel directly.

Just to make sure: Are you able to run iptables on the command line!?
 
Now using Replace Kernel, I think I have iptables built into the kernel:

Code:
root@fritz:/# find / | grep ip_tables.ko

root@fritz:/# iptables -L -v -n
Chain INPUT (policy ACCEPT 38 packets, 2787 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 57 packets, 14644 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 20 packets, 861 bytes)
 pkts bytes target     prot opt in     out     source               destination

root@fritz:/# ls /proc/1/net/ip_tables*
/proc/1/net/ip_tables_matches  /proc/1/net/ip_tables_targets  /proc/1/net/ip_tables_names

So that's a relief. :eek: (since the iptables article on the freetz wiki says to modprobe ip_tables.ko, which gives an error.) But the iptables counters are still so small... So I create iptables counters for my desktop 192.168.1.18:

Code:
root@fritz:/# iptables -A FORWARD -s 192.168.1.18 -o vdsl
root@fritz:/# iptables -A FORWARD -i vdsl -d 192.168.1.18
root@fritz:/# iptables -L -v -n
Chain INPUT (policy ACCEPT 51 packets, 7874 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 217 packets, 109K bytes)
 pkts bytes target     prot opt in     out     source               destination

    0     0            all  --  *      vdsl    192.168.1.18         0.0.0.0/0
    0     0            all  --  vdsl   *       0.0.0.0/0            192.168.1.18

Chain OUTPUT (policy ACCEPT 31 packets, 3128 bytes)
 pkts bytes target     prot opt in     out     source               destination

and then download a 10MB file, and then check counters again:

Code:
root@fritz:/# iptables -L -v -n
Chain INPUT (policy ACCEPT 624 packets, 137K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 2510 packets, 705K bytes)
 pkts bytes target     prot opt in     out     source               destination

    0     0            all  --  *      vdsl    192.168.1.18         0.0.0.0/0
    0     0            all  --  vdsl   *       0.0.0.0/0            192.168.1.18

Chain OUTPUT (policy ACCEPT 419 packets, 63708 bytes)
 pkts bytes target     prot opt in     out     source               destination

The 10MB is not counted against my desktop - not counted against any iptables chain regardless of interface.

Can I get accurate user data counts with iptables on 7340?
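
Added example (not part of the original posts): a Python parser for the two `iptables -L -v -n` FORWARD listings above that compares counter growth with the 10MB download. The listings are retyped from the post with forum markup removed; the function names and the decimal reading of "10MB" are assumptions, and the chain total relies on the rules having no target, as in the post.

```python
import re

# Constructed sample: the FORWARD chain from the two listings in the post above.
BEFORE = """\
Chain FORWARD (policy ACCEPT 217 packets, 109K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0            all  --  *      vdsl    192.168.1.18         0.0.0.0/0
    0     0            all  --  vdsl   *       0.0.0.0/0            192.168.1.18
"""
AFTER = """\
Chain FORWARD (policy ACCEPT 2510 packets, 705K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0            all  --  *      vdsl    192.168.1.18         0.0.0.0/0
    0     0            all  --  vdsl   *       0.0.0.0/0            192.168.1.18
"""

# Without -x, iptables abbreviates large counters to decimal K/M/G units.
SUFFIX = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9}

def to_int(tok):
    m = re.fullmatch(r"(\d+)([KMG]?)", tok)
    return int(m.group(1)) * SUFFIX[m.group(2)]

def parse(listing):
    """Return {chain: {"policy": bytes, "rules": [(rule_text, bytes), ...]}}."""
    chains, cur = {}, None
    for line in listing.splitlines():
        if line.startswith("Chain "):
            # Built-in chains only; user-defined chains carry no policy counter.
            m = re.match(r"Chain (\S+) \(policy \S+ \S+ packets, (\S+) bytes\)", line)
            cur = m and chains.setdefault(m.group(1), {"policy": to_int(m.group(2)), "rules": []})
        elif cur and re.match(r"\s*\d", line):
            _pkts, byts, *rest = line.split()
            cur["rules"].append((" ".join(rest), to_int(byts)))
    return chains

def accounting_gap(before, after, chain, transferred):
    """Compare counter growth in `chain` with a transfer of known size (bytes)."""
    b, a = parse(before)[chain], parse(after)[chain]
    rules = {text: new - old for (text, old), (_, new) in zip(b["rules"], a["rules"])}
    # Targetless rules never end traversal, so the policy counter sees every packet.
    chain_delta = a["policy"] - b["policy"]
    return {"rules": rules, "chain_delta": chain_delta,
            "seen_fraction": chain_delta / transferred}

if __name__ == "__main__":
    print(accounting_gap(BEFORE, AFTER, "FORWARD", 10 * 10**6))
```

On this data the FORWARD policy counter grows by about 596 kB, roughly 6% of the download, and both per-host rules stay at zero, which fits the ##fritzbox explanation that hardware-accelerated routing carries the traffic past iptables.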
 
Hm, just some guesses:
- you are sure about the vdsl interface? What happens when you define the rules without specifying an interface?
- there might also be some NAT specific translations avoiding matching your rules
- will a simple 'iptables -A FORWARD' count something?
- maybe the 10MB file is cached or - more likely - compressed (assuming you use a decent browser) which may (!) explain the 705k shown

Let me/us know about your progress.

HTH

PS: Did not use iptables for ages anymore but really like seeing people using it! And freetz supporting it...
 