UserIPacct Page

UserIPAcct - a program to do per user ip accounting

Latest Stable Version: 0.7e

Please read the FAQ

Download: 0.7e

[ News ] [ Description ] [ Example Output (Screenshots) / Documentation] [ Installation ] [ Future ] [ Copyright Info ]


News

15-Nov-1999

After some request in the past 4 months to the author of ipacct (Zaheer Merali), I decided to do the porting on my own. I contacted Peter De Schrijver and he ported ipacct to 2.2.13 and 2.3.24.

I will not try to update, correct, fix the unstable ipacct 0.8 tree, i'll just try to keep the 0.7 tree updated. For the record, the previous site of ipacct was http://zaheer.grid9.net/useripacct

Description

This package adds per user ip accounting to the kernel and contains programs to control and use this accounting data.

Fist of all it consists of a kernel patch which adds per user ip accounting to the kernel. The kernel patch accounts all bytes sent or received on the ip level, i.e. all headers get accounted including the ip header itself. This data is exported via the proc filesystem. Moreover the patch allows to control the ip access on a per user basis. Furthermore it is possible to specify a weight for ip addresses. This weight controls how much every byte costs that is transfered from or to this ip addresses. With this weight/cost set to zero you can ignore certain host or networks completely from the statistics which might be convenient for the local network. The cost can be different for different ip addresses.

Second, there's a program for controlling and viewing the weights/costs and the accounting data produced by the kernel. With it you can modify the weight table in a manner very similar to the syntax of the route program.

Please note the following, IPacct is unable to correctly account PPP users, because these use the PPP daemon as a gateway. The packets in a PPP connection are being accounted to the PPP daemon UID. In order to correctly account these packets, it would be necessary to alter the PPP daemon.
If you want to account PPP, take a look at net-acct-0.4.tar.gz. This tool allows you to account the traffic on SLIP/PPP connections, but not on Ethernet connections. You won't be able to deny access, though.
 
 
Example Output (Screenshots :) )

example output of ipacct

User       Sent       Received   Flags
miranda    0          88
hoos       40         1006
fatman     40         3000
nobody     88         0
httpd      276        244
In this example you see how much traffic every user produced since the last reset of the statistics.

example output of a weight table (ipacct -w)

Addr            Mask            Weight
194.7.78.0      255.255.255.0   0
127.0.0.1       255.255.255.255 0
default         *               1

This weight table says that access to 194.7.78.0 and 127.0.0.1 is ignored (weight/cost 0). And access to all other hosts on the internet is accounted with a costs of one.

Third, a program named ipacctd creates an interface to your own accounting program. It reads the kernel ip statistics every specified interval and passes to data to a user supplied program like ipquota (see below). But you can also impose your own ip accounting policy by writing your own program or shell script for recording and analyzing the produced data.

And fourth, there is ipquota which is a package of itself. If used with ipacctd it can impose ip quotas on certain users. These quotas can be easily changed and viewed. Furthermore ipquota uses the feature of the ipacct kernel patch to control access to the net: if a user exceeds his quota he is denied further net access excluding access to hosts and networks which are recorded with a weight/cost of zero in the kernel. There's a program included which is used to create a low-rate/high-rate system (much like the phone system), using ipacct's feature of a weight table. Thanks to Carlos Soares for this program.
There is also an alternative to ipquota, called ipstats which provides accounting capabilities, but does not impose a quota, generating only IP traffic statistics.
 
Installation

  1. Take a look at the file MCONFIG in the source directory where you unpacked ipacct. Normally you shouldn't have to change anything. If you don't have a directory /var/log change the reference in MCONFIG to something else, e.g. /var/adm, but please consider reading the FSSTND v1.2 document where a standard Linux filesystem is described. Maybe you have to change the value of NOBODY, but only if the binaries are to be used in a system with different UID for user nobody.


    2. more MCONFIG
    (vi/joe/emacs MCONFIG)
     

  2. Go into the patches directory and choose a suitable patch for your kernel. There are some old patches under patches/vX.X which should work with older kernels, but I don't recommend using them. Instead upgrade to a 2.2.x version of the kernel. If Linus really means that 2.2 is a stable version, this patch should work with very minor changes to all the 2.2 series.  However, if you do want a patch for an older kernel eg. 2.0.36, then copy the relevant .in file into the main patches directory and edit the Makefile in the main patches directory to use the relevant one.  Do a make patches under the ipacct source directory. This creates the kernel patches with the changes you made in MCONFIG.


    3. make patches
     

  3. Now change your directory to the home of the Linux kernel source tree you want to patch for use with ipacct and apply the patch. Read the patch man page, if you don't know what the options mean.


    4. cd /usr/src/linux
    patch -p1 -s < dir_of_useripacct_patches/patch.linux-kernel_version_you_chose
     

  4. You can recompile your kernel, now. But don't forget to activate the useripacct kernel extensions by answering yes to the "Per user IP accounting" question while doing the make config. Make sure that your links under /usr/include are right and that they point to the kernel tree you patched for the use with useripacct. Normally this is a link from /usr/include/linux and /usr/include/asm to /usr/src/linux/include/linux and /usr/src/linux/include/asm respectively.


    5. make config (try make menuconfig)
    make dep
    make clean
    make bzImage (or make zlilo, or whatever you use usually)

    If you use modules you will also:

    make modules
    make modules_install
     

  5. Do a make under the ipacct source directory.


    6. make
     

  6. Do a make install and a make install.man, too. This will install the programs and man pages in the places you specified in MCONFIG.


    7. make install
    make install.man
     

  7. If you want to run ipquota on your system you have to install a line in your rc.local or any other suitable rc file, that starts ipacctd and ipquota at boot time.


    8. echo Starting ipacctd with ipquota...
    /usr/sbin/ipacctd /usr/sbin/ipquota

    If you want to run ipstats add the following:

    echo Starting ipacctd with ipstats...
    /usr/sbin/ipacctd /usr/sbin/ipstats
     

    See the man pages for more information.
     
  8. You should have a running ipacct system, now. If you encountered any problems please report them to me and I'll try to solve them and answer your questions. You can contact me, the current maintainer, Ramses Smeyers rsmeyers@khk.org or the original author, Lars Fenneberg, who can be reached under lf@elemental.net. But please be patient as our time is very limited. Even if you contact the author, I would apreciate a cc: (carbon-copy) to me.
Copyright

This package is Copyright (C) 1994, 1995, 1996 Lars Fenneberg. It is distributed according to the GNU General Public License. Some small parts are Copyright (C) 1995,1996,1999 João Ventura and are also under the GNU GPL.

Send comments, questions, suggestions to:

Ramses Smeyers <rsmeyers@khk.org>