How to do network accounting using cgroups

I am trying to get network statistics for groups of processes. As far as I know, complex network accounting on Linux is normally done using the accounting infrastructure of netfilter/iptables.

As I'd like to have inheritance for such groups, cgroups would be a good match.

My best idea would be to let iptables match the classid, which can be set by using the net_cls controller.

But it seems iptables can only set this value via --set-class.

So: is there a nice way of getting (complex and flexible) network accounting and logging for groups of processes on Linux?


A very nice question! Thank you. An old one, but it will help people here.


A. You can use cgroups with tc. I'd never heard about that, but after googling I found the following:

net_cls — this subsystem tags network packets with a class identifier (classid) that allows the Linux traffic controller (tc) to identify packets originating from a particular cgroup task.

According to this you should work with tc and get statistics from there (many tools available).

http://patchwork.ozlabs.org/patch/194809/

Contact Alexey, maybe he can help you with that :)


B. You can use SELinux and iptables for stats, but limit bandwidth with cgroups - I do like this approach more - tc looks ugly to me in some cases and not optimal for integration.

SELinux has hooks for networking and can assign additional data as a label to each packet according to process labels; it is even able to transmit it to another system and filter/log/get statistics, i.e. do everything you can do with iptables, by using SECMARK.

http://selinuxproject.org/page/NB_Networking

If you are not familiar with SELinux yet, I recommend you read the RedHat/Fedora guides "Security-Enhanced Linux" and "SELinux FAQ"; additionally there are very nice explanations and guides, blog posts by Daniel J. Walsh (Dan Walsh) - google for it.

Also, a very good (and better) starting point for newbies are the following videos on YouTube; I'm sure you can get through them in about three hours and understand everything you need:

  • SELinux for Everyone - Paul Wayper
  • SELinux for Sysadmins - Paul Wayper

SELINUX IS EASY, DON'T BE AFRAID


With the latest kernels, you can match against cgroups in iptables directly, see: http://lwn.net/Articles/569678/

It has been included in the mainline kernel.
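An added example, not part of any answer above, tying the net_cls classid to the iptables cgroup match from the last answer: one function prints the rules for accounting a group's traffic (they need root and the xt_cgroup module, so they are only printed), and a second parses `iptables -nvxL` counter output into per-protocol byte counts. The classid, chain name and sample counter output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original answers). Assumed values:
CLASSID=0x100001      # classid written to net_cls.classid for the group
CHAIN=ACCT_GROUP1     # made-up accounting chain name

# Print the setup: a net_cls cgroup with a classid, and an OUTPUT rule that
# sends packets from tasks in that cgroup into a per-group chain whose
# RETURN rules act purely as counters (one per protocol).
acct_rules() {
  cat <<EOF
mkdir -p /sys/fs/cgroup/net_cls/group1
echo $CLASSID > /sys/fs/cgroup/net_cls/group1/net_cls.classid
iptables -N $CHAIN
iptables -A OUTPUT -m cgroup --cgroup $CLASSID -j $CHAIN
iptables -A $CHAIN -p tcp -j RETURN
iptables -A $CHAIN -p udp -j RETURN
EOF
}

# Read 'iptables -nvxL <chain>' output on stdin and print "proto bytes"
# for each RETURN counter rule. Columns: pkts bytes target prot opt in out ...
parse_counters() {
  awk 'NR > 2 && $3 == "RETURN" { print $4, $2 }'
}

# Constructed sample of what 'iptables -nvxL ACCT_GROUP1' might print.
SAMPLE_OUTPUT='Chain ACCT_GROUP1 (1 references)
    pkts      bytes target     prot opt in     out     source               destination
     120     18240 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
       8       640 RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0'

# Total bytes sent by the group according to the sample.
group_bytes() {
  printf '%s\n' "$SAMPLE_OUTPUT" | parse_counters | awk '{ s += $2 } END { print s }'
}
```

Run `acct_rules` as root to apply the setup, then feed real `iptables -nvxL ACCT_GROUP1` output to `parse_counters` instead of the sample.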