                              IPacct 0.7d Page

              IPAcct - a program to do per user ip accounting

Primary site:		http://www.sin.khk.be/ipacct
Current Maintainer:	Ramses Smeyers (rsmeyers@khk.org)

   News

   15-Nov-1999

   Release of ipacct 0.7e - changes are kernel patches for 2.2.13 and
   2.3.24. (After 4 months of no response from the previous authors,
   i took over this program)

   11-Mar-1999

   Release of IPAcct 0.7d - changes are kernel patches for 2.2x series of
   kernels being added. (Sorry I was about 2 hours late, Goldeneye was on
   TV last night..."We, unlike the US Government, prefer not to hear our
   news from CNN" - M :) )

   10-Mar-1999

   I, Zaheer Merali, am proud to be taking over ipacct (or useripacct as
   version 0.8 will be called). I, on behalf of everyone that is using
   this software, thank Joao for the brainpower, hard work and enthusiasm
   that he breathed into this. I only came across this software recently
   so I probably have no idea, the actual amount of effort he has put in.
   (A big round of applause for Joao).

   I am going to release version 0.7d, with kernel patches for 2.2.0,
   2.2.1, 2.2.2 and 2.2.3, tomorrow ( 11 March 1999) and that will be the
   last release under the name ipacct (and with the version number of
   0.7).

   I have already started on useripacct v 0.8 and have added remote host
   statistics like how Joao wanted to do. 0.8a will "probably" be
   released late this week (Saturday most likely).

   Joao - January/February 1999

   I am sorry to annonce that I think it is time ipacct changed hands. I
   have been unable for the last 2 years to gather enough time to develop
   ipacct as I had planned: support for 2.1.x kernels, support for IP_v6,
   more detailed statistics (user+remote host). This is mostly because I
   finished college, and I no longer use ipacct myself. So, I am now
   looking for a new maintainer, who can take responsability for ipacct
   (soon to be called ipacctuser, to avoid mistakes with the kernel
   ipacct), as a proof that (s)he is capable, I ask only the patch for
   kernels 2.2.x. Please apply.....


   Description

   IPacct 0.7c introduces a new policy mechanism that provides per user
   IP statistics, that is, it just provides the user's IP usage. A user
   must be allowed to have IP, and a program is provided to control
   access to the IP level.

   This package adds per user ip accounting to the kernel and contains
   programs to control and use this accounting data.

   Fist of all it consists of a kernel patch which adds per user ip
   accounting to the kernel. The kernel patch accounts all bytes sent or
   received on the ip level, i.e. all headers get accounted including the
   ip header itself. This data is exported via the proc filesystem.
   Moreover the patch allows to control the ip access on a per user
   basis. Furthermore it is possible to specify a weight for ip
   addresses. This weight controls how much every byte costs that is
   transfered from or to this ip addresses. With this weight/cost set to
   zero you can ignore certain host or networks completely from the
   statistics which might be convenient for the local network. The cost
   can be different for different ip addresses.

   Second, there's a program for controlling and viewing the
   weights/costs and the accounting data produced by the kernel. With it
   you can modify the weight table in a manner very similar to the syntax
   of the route program.

   Please note the following, IPacct is unable to correctly account PPP
   users, because these use the PPP daemon as a gateway. The packets in a
   PPP connection are being accounted to the PPP daemon UID. In order to
   correctly account these packets, it would be necessary to alter the
   PPP daemon.
   If you want to account PPP, take a look at net-acct-0.4.tar.gz. This
   tool allows you to account the traffic on SLIP/PPP connections, but
   not on Ethernet connections. You won't be able to deny access, though.


   Example Output (Screenshots :) )

  (outdated) example output of ipacct

        User       Sent       Received     Flags
        root       401364     401421
        news       2143       2210
        lf         221462     348287
        joe        1036475    2793743      N
        guest      65432734   43462382     N
        nobody     34323      23791

   In this example you see how much traffic every user produced since the
   last reset of the statistics. You can also see that further net access
   is denied of joe and for guest.

  (outdated) example output of a weight table (ipacct -w)

        Addr            Mask            Weight
        192.0.2.24      255.255.255.255 1
        192.0.2.0       255.255.255.0   0
        default         *               1

   This weight table says that access to the host 192.0.2.24 is accounted
   with a costs of one per byte. Access to all other hosts of the net
   192.0.2.0 is ignored (weight/cost 0). And access to all other hosts on
   the internet is accounted with a costs of one.

   Third, a program named ipacctd creates an interface to your own
   accounting program. It reads the kernel ip statistics every specified
   interval and passes to data to a user supplied program like ipquota
   (see below). But you can also impose your own ip accounting policy by
   writing your own program or shell script for recording and analyzing
   the produced data.

   And fourth, there is ipquota which is a package of itself. If used
   with ipacctd it can impose ip quotas on certain users. These quotas
   can be easily changed and viewed. Furthermore ipquota uses the feature
   of the ipacct kernel patch to control access to the net: if a user
   exceeds his quota he is denied further net access excluding access to
   hosts and networks which are recorded with a weight/cost of zero in
   the kernel. There's a program included which is used to create a
   low-rate/high-rate system (much like the phone system), using ipacct's
   feature of a weight table. Thanks to Carlos Soares for this program.
   There is also an alternative to ipquota, called ipstats which provides
   accounting capabilities, but does not impose a quota, generating only
   IP traffic statistics.


   Installation

    1. Take a look at the file MCONFIG in the source directory where you
       unpacked ipacct. Normally you shouldn't have to change anything.
       If you don't have a directory /var/log change the reference in
       MCONFIG to something else, e.g. /var/adm, but please consider
       reading the FSSTND v1.2 document where a standard Linux filesystem
       is described. Maybe you have to change the value of NOBODY, but
       only if the binaries are to be used in a system with different UID
       for user nobody.
       more MCONFIG
       (vi/joe/emacs MCONFIG)
    2. Do a make patches under the ipacct source directory. This creates
       the kernel patches with the changes you made in MCONFIG.
       make patches
    3. Go into the patches directory and choose a suitable patch for your
       kernel. There are some old patches under patches/OLD which should
       work with older kernels, but I don't recommend using them. Instead
       upgrade to a 2.2.x version of the kernel. If Linus really means
       that 2.2 is a stable version, this patch should work with very
       minor changes to all the 2.2 series.
    4. Now change your directory to the parent of the Linux kernel source
       tree you want to patch for use with ipacct and apply the patch.
       Read the patch man page, if you don't know what the options mean.
       cd /usr/src
       patch -p0 -s < patch.linux-2.2.13

       If this doesn't work, try (conflicting path names)
		cd /usr/src/linux
		patch -p1 -s < patch.linux-2.2.13

    5. You can recompile your kernel, now. But don't forget to activate
       the ipacct kernel extensions by answering yes to the "Per user IP
       accounting" question while doing the make config. Make sure that
       your links under /usr/include are right and that they point to the
       kernel tree you patched for the use with ipacct. Normally this is
       a link from /usr/include/linux and /usr/include/asm to
       /usr/src/linux/include/linux and /usr/src/linux/include/asm
       respectively.
       make config (try make menuconfig)
       make dep
       make clean
       make zImage (or make zlilo, or whatever you use usually)
       If you use modules you will also:
       make modules
       make modules_install
    6. Do a make under the ipacct source directory.
       make
    7. Do a make install and a make install.man, too. This will install
       the programs and man pages in the places you specified in MCONFIG.
       make install
       make install.man
    8. If you want to run ipquota on your system you have to install a
       line in your rc.local or any other suitable rc file, that starts
       ipacctd and ipquota at boot time.
       echo Starting ipacctd with ipquota...
       /usr/sbin/ipacctd /usr/sbin/ipquota
       If you want to run ipstats add the following:
       echo Starting ipacctd with ipstats...
       /usr/sbin/ipacctd /usr/sbin/ipstats
    9.
          + ipquota:
            Now you can add user to the accounting file with the ipadd
            command.
            /usr/sbin/ipadd username 1024000
            Or display the ip quota of a user.
            /usr/bin/sayip username
          + ipstats:
            Now you can allow access to a user with the ipallow command.
            /usr/sbin/ipallow -a username
       See the man pages for more information.
   10. You should have a running ipacct system, now. If you encountered
       any problems please report them to me and I'll try to solve them
       and answer your questions. You can contact me, the current
       maintainer, Ramses Smeyers or the original author, Lars Fenneberg,
       who can be reached under lf@elemental.net. But please be patient
       as our time is very limited. Even if you contact the author, I
       would apreciate a cc: (carbon-copy) to me.

   Copyright

   This package is Copyright (C) 1994, 1995, 1996 Lars Fenneberg. It is
   distributed according to the GNU General Public License. Some small
   parts are Copyright (C) 1995,1996,1999 Joao Ventura and are also under
   the GNU GPL.
