Node_exporter: export iptables metrics

Created on 9 Aug 2017 · 17 Comments · Source: prometheus/node_exporter

What do you think about adding a collector for iptables?

Interesting metrics at this point for me are:
1) Total number of iptables rules
2) The number of dropped / rejected packets.

Would a PR adding an iptables collector be welcomed?

Labels: accepted, enhancement, good first issue

All 17 comments

If this information is available via an unprivileged access method, I think this would be a good idea. Can you link to some documentation about how we can get this information? I assume netlink would be involved?

As Ben mentioned, we impose some restrictions on the native collectors https://github.com/prometheus/node_exporter/blob/master/CONTRIBUTING.md#collector-implementation-guidelines

If it's not possible to collect information without root or spawning new processes, a text_file collector would certainly be accepted.

The only supported way of getting this is via the iptables command running as root.

I know of one way with using iptables. Need to investigate if any other way is possible.

@grobie The link you pointed to has this:

Running external commands is not allowed for performance and reliability reasons. Use a dedicated exporter instead or gather the metrics via the textfile collector.

iptables is an external process.
According to the documentation, we cannot spawn iptables to get these firewall metrics.

Looking at the textfile collector doc, should it work like the following?

Some other job executes the iptables command and generates the iptables-metrics.prom file in the textfile directory. The iptables-metrics.prom file contains metrics written out in text format. Then the node_exporter (not sure about that) sends those metrics to Prometheus?

@ahakanbaba Yes, that procedure is how we would recommend doing things. Take a look at our existing examples for hints on how to make one. For example, we use STDOUT rather than directly writing the metrics file.

Thanks @SuperQ. Should this issue be closed then? If there will be a separate program to spawn and parse the output of the iptables process, I presume that code will not be part of the node_exporter project. It looks like no code changes are necessary to the textfile collector implementation.

I'd be fine with that program being part of node_exporter. Whatever works best for you / a contributor in the end. We should just add a link to such a program if it lives outside of this repository.

Also keep in mind that reading iptables needs to acquire a lock, so it's very expensive and can take a long time or fail on systems where iptables change a lot (e.g. Kubernetes). By running it out of band from the collection you can adjust the frequency and are less sensitive to the time taken.
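The out-of-band textfile workflow discussed above, as an added example that is not part of node_exporter and not any commenter's code: a POSIX shell script that turns `iptables-save -c` output into Prometheus text format (rule count plus DROP/REJECT packet and byte counters), writes it to the textfile collector directory atomically, and is meant to be run from cron rather than at scrape time so the iptables lock cost never lands on node_exporter. The `node_iptables_*` metric names, the `iptables_save_to_prom` and `write_textfile` function names, the textfile directory path and the sample `iptables-save` output are all assumptions constructed for this example.

```shell
#!/bin/sh
# Added example (not node_exporter code): export iptables metrics via the
# textfile collector. iptables-save -c needs root / CAP_NET_ADMIN, which is
# exactly why this runs as a separate cron job and not inside node_exporter.

# Convert `iptables-save -c` text (stdin) into Prometheus exposition format.
# Each rule line looks like: [pkts:bytes] -A CHAIN ... -j TARGET ...
iptables_save_to_prom() {
  awk '
    /^\*/ { table = substr($0, 2); next }            # table header: *filter, *nat, ...
    /^\[[0-9]+:[0-9]+\] -A / {
      rules++
      split(substr($1, 2, length($1) - 2), c, ":")   # c[1]=packets, c[2]=bytes
      chain = $3
      target = ""
      for (i = 4; i <= NF; i++) if ($i == "-j") { target = $(i + 1); break }
      if (target == "DROP" || target == "REJECT") {
        key = table "/" chain "/" target
        pkts[key] += c[1]
        bytes[key] += c[2]
      }
      next
    }
    END {
      print "# HELP node_iptables_rules_total Number of iptables rules across all tables."
      print "# TYPE node_iptables_rules_total gauge"
      print "node_iptables_rules_total " (rules + 0)
      print "# HELP node_iptables_target_packets_total Packets counted by DROP/REJECT rules."
      print "# TYPE node_iptables_target_packets_total counter"
      for (k in pkts) {
        split(k, p, "/")
        printf "node_iptables_target_packets_total{table=\"%s\",chain=\"%s\",target=\"%s\"} %.0f\n", p[1], p[2], p[3], pkts[k]
      }
      print "# HELP node_iptables_target_bytes_total Bytes counted by DROP/REJECT rules."
      print "# TYPE node_iptables_target_bytes_total counter"
      for (k in bytes) {
        split(k, p, "/")
        printf "node_iptables_target_bytes_total{table=\"%s\",chain=\"%s\",target=\"%s\"} %.0f\n", p[1], p[2], p[3], bytes[k]
      }
    }'
}

# Write the metrics file atomically (tmp file + rename) so node_exporter never
# scrapes a half-written .prom file. Intended for cron, e.g. once a minute.
# Directory path is an assumption; match it to --collector.textfile.directory.
write_textfile() {
  dir=${1:-/var/lib/node_exporter/textfile_collector}
  tmp=$(mktemp "$dir/iptables.prom.XXXXXX") || return 1
  if iptables-save -c | iptables_save_to_prom > "$tmp"; then
    mv "$tmp" "$dir/iptables.prom"
  else
    rm -f "$tmp"; return 1        # keep the previous good file on failure
  fi
}

# Constructed sample of `iptables-save -c` output, used to exercise the parser
# offline without touching the host firewall.
SAMPLE_IPTABLES_SAVE='# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
[1200:96000] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[57:3420] -A INPUT -p tcp -m tcp --dport 23 -j DROP
[8:480] -A INPUT -p tcp -m tcp --dport 111 -j REJECT --reject-with icmp-port-unreachable
[3:180] -A FORWARD -j DROP
COMMIT'

# Usage: `printf "%s\n" "$SAMPLE_IPTABLES_SAVE" | iptables_save_to_prom` prints
# the exposition text; on a real host run `write_textfile` from cron as root.
```

Run the script from cron (or a systemd timer) as root, not from node_exporter's scrape path; the `mtime` of `iptables.prom` is exported by the textfile collector, so a stale file can be alerted on if the cron job stops running.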

@ahakanbaba No need to close this issue, we can use it to track the implementation of the textfile utility.

Any word on this? Looking to instrument my own iptables implementation and came across this in my googles. The process that @ahakanbaba outlined sounds like a perfect fit.

@cacack I don't think anyone is working on this, but if you're interested, take a look at the example textfile exporters.

@cacack I have not spent time on this :(

Agree on this being useful. Should be a textfile collector script and as long as we provide them here in the repo, this seems like a good candidate.

See also #1068

Anyone considered borrowing ideas or directly incorporating iptables_exporter into node_exporter? -- Looks like you would need the following capabilities:

  • CAP_DAC_READ_SEARCH
  • CAP_NET_ADMIN
  • CAP_NET_RAW

Sadly, I don't think this is feasible. Having those privileges in the node_exporter is not what we want. I think having a separate isolated iptables exporter is the way to go.
