#!/bin/bash
# -*- sh -*-
: <<=cut

=head1 NAME

accounting_ - Wildcard-plugin for tcp, udp and icmp traffic-accounting (IPv4 or IPv6) through iptables.

=head1 CONFIGURATION

This plugin needs to be run as root for iptables to work.
  [accounting_*]
    user root

=head2 ENVIRONMENT VARIABLES

This plugin does not use environment variables.

=head2 WILDCARD PLUGIN

This is a wildcard plugin.  To monitor traffic going through your iptables,link
accounting_<ipv4|ipv6>_<accountingname> to this file.

For example,
  ln -s /opt/munin/lib/plugins/accounting_ /etc/opt/munin/plugins/accounting_ipv4_subnet1

will monitor the tcp, udp and icmp traffic for the accounting named subnet1.


=head2 IPTABLES

You will need to set up iptables rules to create packet counters for
incoming and outgoing traffic.  The examples here cover how to create
the rules. Add these lines at the top of your firewall-script.

=head3 Accounting for single ip

If you want to monitor the traffic from the IP 192.168.0.1, you need to add the following
lines (replace iptables with ip6tables if needed):
  iptables -I INPUT -d 192.168.0.1 -p icmp -m comment --comment ACCT-accountingname-icmp-in
  iptables -I INPUT -d 192.168.0.1 -p udp -m comment --comment ACCT-accountingname-udp-in
  iptables -I INPUT -d 192.168.0.1 -p tcp -m comment --comment ACCT-accountingname-tcp-in
  iptables -I OUTPUT -s 192.168.0.1 -p icmp -m comment --comment ACCT-accountingname-icmp-out
  iptables -I OUTPUT -s 192.168.0.1 -p udp -m comment --comment ACCT-accountingname-udp-out
  iptables -I OUTPUT -s 192.168.0.1 -p tcp -m comment --comment ACCT-accountingname-tcp-out

Only the IP itself (192.168.0.1) and the accounting-name (accountingname) need to be replaced by your values.
 iptables -I <INPUT|OUTPUT> -d <yourip> -p <tcp|udp|icmp> -m comment --comment ACCT-<yourname>-<tcp|udp|icmp>-in

Then add the plugin to your munin configuration:
  ln -s /opt/munin/lib/plugins/accounting_ /etc/opt/munin/plugins/accounting_ipv4_accountingname


=head3 Accounting for subnets

If you want to monitor the traffic from the subnet 192.168.0.1/24, you need to add the following
lines (replace iptables with ip6tables if needed):

  iptables -I INPUT -d 192.168.0.1/24 -p icmp -m comment --comment ACCT-subnet1-icmp-in
  iptables -I INPUT -d 192.168.0.1/24 -p udp -m comment --comment ACCT-subnet1-udp-in
  iptables -I INPUT -d 192.168.0.1/24 -p tcp -m comment --comment ACCT-subnet1-tcp-in
  iptables -I OUTPUT -s 192.168.0.1/24 -p icmp -m comment --comment ACCT-subnet1-icmp-out
  iptables -I OUTPUT -s 192.168.0.1/24 -p udp -m comment --comment ACCT-subnet1-udp-out
  iptables -I OUTPUT -s 192.168.0.1/24 -p tcp -m comment --comment ACCT-subnet1-tcp-out

Then add the plugin to your munin configuration:
  ln -s /opt/munin/lib/plugins/accounting_ /etc/opt/munin/plugins/accounting_ipv4_subnet1

=head1 BUGS

Accounting-names should not contain underline "_" in the name. So instead of "This_Is_A_Cool_Name" use "This-Is-A-Cool-Name".

=head1 NOTES

This plugin is based on the ip_ plugin.

=head1 MAGIC MARKERS

  #%# family=auto
  #%# capabilities=autoconf suggest

=head1 VERSION

1.0

=head1 HISTORY

2013-06-29: initial release

=head1 AUTHOR

Thomas Frey <thomas.frey-munin@hugga.org>

=head1 LICENSE

GPLv2

=cut


PARAM=${0##*accounting_}
SUBCHAIN=$(echo $PARAM | cut -d '_' -f 2)
PROTO=$(echo $PARAM | cut -d '_' -f 1)

if [ $PROTO = "ipv4" ]; then
  IPTABLES="/sbin/iptables"
elif [ $PROTO == "ipv6" ]; then
  IPTABLES="/sbin/ip6tables"
else
  echo "Configuration error: invalid protocol name: not ipv4 or ipv6."
  echo "Use accounting_<ipv4|ipv6>_accountingname."
	exit 1
fi


if [ "$1" == "autoconf" ]; then
	if [ -r /proc/net/dev ]; then
		$IPTABLES -L INPUT -v -n -x >/dev/null 2>/dev/null
			if [ $? -gt 0 ]; then
				echo "no (could not run iptables as user `whoami`)"
				exit 1
			else
				echo yes
			exit 0
		fi
	else
		echo "no (/proc/net/dev not found)"
		exit 1
	fi
fi

if [ "$1" = "suggest" ]; then

	if [ $PROTO = "ipv4" ]; then
	  $IPTABLES -L INPUT -v -x -n 2>/dev/null | sed -n 's/^.*\/\* ACCT\-\([a-zA-Z\-]*\) \*\/.*$/\ipv4_\1/p'
  	$IPTABLES -L OUTPUT -v -x -n 2>/dev/null | sed -n 's/^.*\/\* ACCT\-\([a-zA-Z\-]*\) \*\/.*$/\ipv4_\1/p'
	elif [ $PROTO == "ipv6" ]; then
	  $IPTABLES -L INPUT -v -x -n 2>/dev/null | sed -n 's/^.*\/\* ACCT\-\([a-zA-Z\-]*\) \*\/.*$/\ipv6_\1/p'
	  $IPTABLES -L OUTPUT -v -x -n 2>/dev/null | sed -n 's/^.*\/\* ACCT\-\([a-zA-Z\-]*\) \*\/.*$/\ipv6_\1/p'
	fi

	exit 0
fi


if [ "$1" = "config" ]; then

	echo 'multigraph '${0##*/}'_in'
	echo 'graph_title '$SUBCHAIN' traffic incoming ('$PROTO')'
	echo 'graph_args --base 1024 -l 0'
	echo 'graph_vlabel bytes per ${graph_period}'
	echo 'graph_order tcpIN udpIN icmpIN'
	echo 'graph_category accounting'
	echo 'tcpIN.label tcp received'
  echo 'tcpIN.cdef tcpIN,8,*'
	echo 'tcpIN.type DERIVE'
  echo 'tcpIN.draw AREA'
	echo 'tcpIN.min 0'
  echo 'udpIN.label udp received'
  echo 'udpIN.cdef udpIN,8,*'
  echo 'udpIN.type DERIVE'
  echo 'udpIN.draw STACK'
  echo 'udpIN.min 0'
  echo 'icmpIN.label icmp received'
  echo 'icmpIN.cdef icmpIN,8,*'
  echo 'icmpIN.type DERIVE'
  echo 'icmpIN.draw STACK'
  echo 'icmpIN.min 0'

  echo 'multigraph '${0##*/}'_out'
  echo 'graph_title '$SUBCHAIN' traffic outgoing ('$PROTO')'
  echo 'graph_args --base 1024 -l 0'
  echo 'graph_vlabel bytes per ${graph_period}'
  echo 'graph_order tcpOUT udpOUT icmpOUT'
  echo 'graph_category accounting'
  echo 'tcpOUT.label tcp sent'
  echo 'tcpOUT.cdef tcpOUT,8,*'
  echo 'tcpOUT.type DERIVE'
  echo 'tcpOUT.draw AREA'
  echo 'tcpOUT.min 0'
  echo 'udpOUT.label udp sent'
  echo 'udpOUT.cdef udpOUT,8,*'
  echo 'udpOUT.type DERIVE'
  echo 'udpOUT.draw STACK'
  echo 'udpOUT.min 0'
  echo 'icmpOUT.label icmp sent'
  echo 'icmpOUT.cdef icmpOUT,8,*'
  echo 'icmpOUT.type DERIVE'
  echo 'icmpOUT.draw STACK'
  echo 'icmpOUT.min 0'
	exit 0
fi;

echo 'multigraph '${0##*/}'_in'
$IPTABLES -L INPUT -v -n -x | grep  "\/\* ACCT\-"$SUBCHAIN"\-tcp\-in \*\/" | tr -s '*' '-' | awk "{ print \"tcpIN.value \" \$2 }"
$IPTABLES -L INPUT -v -n -x | grep  "\/\* ACCT\-"$SUBCHAIN"\-udp\-in \*\/" | tr -s '*' '-' | awk "{ print \"udpIN.value \" \$2 }"
$IPTABLES -L INPUT -v -n -x | grep  "\/\* ACCT\-"$SUBCHAIN"\-icmp\-in \*\/" | tr -s '*' '-' | awk "{ print \"icmpIN.value \" \$2 }"
echo
echo 'multigraph '${0##*/}'_out'
$IPTABLES -L OUTPUT -v -n -x | grep  "\/\* ACCT\-"$SUBCHAIN"\-tcp\-out \*\/" | tr -s '*' '-' | awk "{ print \"tcpOUT.value \" \$2 }"
$IPTABLES -L OUTPUT -v -n -x | grep  "\/\* ACCT\-"$SUBCHAIN"\-udp\-out \*\/" | tr -s '*' '-' | awk "{ print \"udpOUT.value \" \$2 }"
$IPTABLES -L OUTPUT -v -n -x | grep  "\/\* ACCT\-"$SUBCHAIN"\-icmp\-out \*\/" | tr -s '*' '-' | awk "{ print \"icmpOUT.value \" \$2 }"

