An asynchronous Prometheus exporter for iptables

Overview

iptables_exporter

iptables_exporter runs iptables-save --counter and scrapes the output to build Prometheus metrics. Because iptables-save requires root privileges, this tool must be run as root (or via sudo) or with the following capabilities in both the ambient and bounding set:

  • CAP_DAC_READ_SEARCH
  • CAP_NET_ADMIN
  • CAP_NET_RAW
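
One way to check that a running, non-root exporter holds exactly these three capabilities is to read the masks in `/proc/<pid>/status`. This is an added example, not code from the project; the names `audit`, `CapAudit` and `mask` are hypothetical and the two status excerpts are constructed.

```rust
use std::{env, fs};

/// The three capabilities the README lists, with their bit numbers from
/// <linux/capability.h>.
static REQUIRED: [(&str, u32); 3] = [
    ("CAP_DAC_READ_SEARCH", 2),
    ("CAP_NET_ADMIN", 12),
    ("CAP_NET_RAW", 13),
];

#[derive(Debug, PartialEq)]
pub struct CapAudit {
    /// Required capabilities absent from the ambient or the bounding set.
    pub missing: Vec<&'static str>,
    /// Effective capability bits beyond the three required ones.
    pub excess_effective: u64,
}

/// Pull one hex mask (CapEff, CapBnd, CapAmb, ...) out of status text.
fn mask(status: &str, field: &str) -> Result<u64, String> {
    let value = status
        .lines()
        .find_map(|l| l.strip_prefix(field)?.strip_prefix(':'))
        .ok_or_else(|| format!("{field} not found"))?;
    u64::from_str_radix(value.trim(), 16).map_err(|e| format!("{field}: {e}"))
}

pub fn audit(status: &str) -> Result<CapAudit, String> {
    let amb = mask(status, "CapAmb")?;
    let bnd = mask(status, "CapBnd")?;
    let eff = mask(status, "CapEff")?;
    let required: u64 = REQUIRED.iter().map(|(_, bit)| 1u64 << *bit).sum();
    // A capability counts as present only if it is in both sets.
    let missing = REQUIRED
        .iter()
        .filter(|(_, bit)| ((amb & bnd) >> *bit) & 1 == 0)
        .map(|(name, _)| *name)
        .collect();
    Ok(CapAudit { missing, excess_effective: eff & !required })
}

// Constructed /proc/<pid>/status excerpts (not captured from a real host).
pub const LEAST_PRIV: &str = "Name:\tiptables_export\nUid:\t995\t995\t995\t995\n\
CapInh:\t0000000000003004\nCapPrm:\t0000000000003004\nCapEff:\t0000000000003004\n\
CapBnd:\t0000000000003004\nCapAmb:\t0000000000003004\n";
pub const AS_ROOT: &str = "Name:\tiptables_export\nUid:\t0\t0\t0\t0\n\
CapInh:\t0000000000000000\nCapPrm:\t000001ffffffffff\nCapEff:\t000001ffffffffff\n\
CapBnd:\t000001ffffffffff\nCapAmb:\t0000000000000000\n";

fn main() -> Result<(), String> {
    // With a PID argument, audit that process; otherwise use the samples.
    let texts = match env::args().nth(1) {
        Some(pid) => vec![fs::read_to_string(format!("/proc/{pid}/status"))
            .map_err(|e| e.to_string())?],
        None => vec![LEAST_PRIV.to_string(), AS_ROOT.to_string()],
    };
    for t in &texts {
        println!("{:x?}", audit(t)?);
    }
    Ok(())
}
```

An empty `missing` list with `excess_effective` equal to 0 means the process runs with the three listed capabilities and nothing more; a root-run exporter shows up with a large `excess_effective` mask.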

Metrics Provided

  • Total number of bytes per chain/table/policy
  • Total number of bytes matched per rule/chain/table
  • Total number of packets per chain/table/policy
  • Total number of packets matched per rule/chain/table
  • Total number of rules per chain/table
  • Total number of chains per table
  • Scrape duration in milliseconds
  • Scrape success

Installation

iptables_exporter is a single binary that must be placed somewhere in your $PATH. You can either download 64-bit Linux binaries from the Release Page or compile from source.

Compile from Source

Ensure you have a Rust toolchain installed. Some of the dependencies also require gcc to be installed.

$ git clone https://github.com/kbknapp/iptables_exporter
$ cd iptables_exporter
$ cargo build --release
$ sudo cp target/release/iptables_exporter /usr/local/bin/

Usage

Command Line Interface

USAGE:
    iptables_exporter [FLAGS] [OPTIONS]

FLAGS:
    -h, --help       Prints help information
    -q, --quiet      Supress output at a level or lower. -q: INFO, -qq: WARN, -qqq: ERROR (i.e.
                     everything)
    -v, --verbose    Show verbose output at a level or higher. -v:  DEBUG, -vv: TRACE
    -V, --version    Prints version information

OPTIONS:
        --collect-interval     How often metrics are gathered [default: 5]
    -l, --listen-address       The listen address scraping metrics [default: 0.0.0.0]
    -p, --listen-port          The listen port for scraping metrics [default: 9455]

To run with the default options (listening on 0.0.0.0:9455, i.e. on every IPv4 interface), assuming the binary is installed somewhere in your $PATH:

$ sudo iptables_exporter

Prometheus Configuration

You can add the following scrape configs to Prometheus:

scrape_configs:
  - job_name: 'iptables'
    static_configs:
    - targets:
      - 'localhost:9455'
      - 'other_host:9455'

    relabel_configs:
    - source_labels: [ '__address__' ]
      regex: '(.*):\d+'
      target_label: instance

Example Metrics

# HELP iptables_chain_bytes_total Total bytes flowing through a given chain
# TYPE iptables_chain_bytes_total counter
iptables_chain_bytes_total{chain="DOCKER",policy="ACCEPT",table="filter"} 0
iptables_chain_bytes_total{chain="DOCKER",policy="ACCEPT",table="nat"} 0
iptables_chain_bytes_total{chain="DOCKER-ISOLATION-STAGE-1",policy="ACCEPT",table="filter"} 0
iptables_chain_bytes_total{chain="DOCKER-ISOLATION-STAGE-2",policy="ACCEPT",table="filter"} 0
iptables_chain_bytes_total{chain="FORWARD",policy="ACCEPT",table="filter"} 0
iptables_chain_bytes_total{chain="FORWARD",policy="ACCEPT",table="mangle"} 0
iptables_chain_bytes_total{chain="FORWARD",policy="ACCEPT",table="security"} 0
iptables_chain_bytes_total{chain="INPUT",policy="ACCEPT",table="filter"} 1243840979
iptables_chain_bytes_total{chain="INPUT",policy="ACCEPT",table="mangle"} 1291467136
iptables_chain_bytes_total{chain="INPUT",policy="ACCEPT",table="nat"} 16724
iptables_chain_bytes_total{chain="INPUT",policy="ACCEPT",table="security"} 1291121184
iptables_chain_bytes_total{chain="LIBVIRT_FWI",policy="ACCEPT",table="filter"} 0
iptables_chain_bytes_total{chain="LIBVIRT_FWO",policy="ACCEPT",table="filter"} 0
iptables_chain_bytes_total{chain="LIBVIRT_FWX",policy="ACCEPT",table="filter"} 0
iptables_chain_bytes_total{chain="LIBVIRT_INP",policy="ACCEPT",table="filter"} 0
iptables_chain_bytes_total{chain="LIBVIRT_OUT",policy="ACCEPT",table="filter"} 0
iptables_chain_bytes_total{chain="LIBVIRT_PRT",policy="ACCEPT",table="mangle"} 0
iptables_chain_bytes_total{chain="LIBVIRT_PRT",policy="ACCEPT",table="nat"} 0
iptables_chain_bytes_total{chain="OUTPUT",policy="ACCEPT",table="filter"} 639197815
iptables_chain_bytes_total{chain="OUTPUT",policy="ACCEPT",table="mangle"} 652390274
iptables_chain_bytes_total{chain="OUTPUT",policy="ACCEPT",table="nat"} 49151
iptables_chain_bytes_total{chain="OUTPUT",policy="ACCEPT",table="raw"} 652399242
iptables_chain_bytes_total{chain="OUTPUT",policy="ACCEPT",table="security"} 652399242
iptables_chain_bytes_total{chain="POSTROUTING",policy="ACCEPT",table="mangle"} 652416550
iptables_chain_bytes_total{chain="POSTROUTING",policy="ACCEPT",table="nat"} 220031
iptables_chain_bytes_total{chain="PREROUTING",policy="ACCEPT",table="mangle"} 1291467136
iptables_chain_bytes_total{chain="PREROUTING",policy="ACCEPT",table="nat"} 343629
iptables_chain_bytes_total{chain="PREROUTING",policy="ACCEPT",table="raw"} 1291476956
iptables_chain_bytes_total{chain="sshuttle-12300",policy="ACCEPT",table="nat"} 0
# HELP iptables_chain_packets_total Total packets flowing through a given chain
# TYPE iptables_chain_packets_total counter
iptables_chain_packets_total{chain="DOCKER",policy="ACCEPT",table="filter"} 0
iptables_chain_packets_total{chain="DOCKER",policy="ACCEPT",table="nat"} 0
iptables_chain_packets_total{chain="DOCKER-ISOLATION-STAGE-1",policy="ACCEPT",table="filter"} 0
iptables_chain_packets_total{chain="DOCKER-ISOLATION-STAGE-2",policy="ACCEPT",table="filter"} 0
iptables_chain_packets_total{chain="FORWARD",policy="ACCEPT",table="filter"} 0
iptables_chain_packets_total{chain="FORWARD",policy="ACCEPT",table="mangle"} 0
iptables_chain_packets_total{chain="FORWARD",policy="ACCEPT",table="security"} 0
iptables_chain_packets_total{chain="INPUT",policy="ACCEPT",table="filter"} 1243840979
iptables_chain_packets_total{chain="INPUT",policy="ACCEPT",table="mangle"} 1291467136
iptables_chain_packets_total{chain="INPUT",policy="ACCEPT",table="nat"} 16724
iptables_chain_packets_total{chain="INPUT",policy="ACCEPT",table="security"} 1291121184
iptables_chain_packets_total{chain="LIBVIRT_FWI",policy="ACCEPT",table="filter"} 0
iptables_chain_packets_total{chain="LIBVIRT_FWO",policy="ACCEPT",table="filter"} 0
iptables_chain_packets_total{chain="LIBVIRT_FWX",policy="ACCEPT",table="filter"} 0
iptables_chain_packets_total{chain="LIBVIRT_INP",policy="ACCEPT",table="filter"} 0
iptables_chain_packets_total{chain="LIBVIRT_OUT",policy="ACCEPT",table="filter"} 0
iptables_chain_packets_total{chain="LIBVIRT_PRT",policy="ACCEPT",table="mangle"} 0
iptables_chain_packets_total{chain="LIBVIRT_PRT",policy="ACCEPT",table="nat"} 0
iptables_chain_packets_total{chain="OUTPUT",policy="ACCEPT",table="filter"} 639197815
iptables_chain_packets_total{chain="OUTPUT",policy="ACCEPT",table="mangle"} 652390274
iptables_chain_packets_total{chain="OUTPUT",policy="ACCEPT",table="nat"} 49151
iptables_chain_packets_total{chain="OUTPUT",policy="ACCEPT",table="raw"} 652399242
iptables_chain_packets_total{chain="OUTPUT",policy="ACCEPT",table="security"} 652399242
iptables_chain_packets_total{chain="POSTROUTING",policy="ACCEPT",table="mangle"} 652416550
iptables_chain_packets_total{chain="POSTROUTING",policy="ACCEPT",table="nat"} 220031
iptables_chain_packets_total{chain="PREROUTING",policy="ACCEPT",table="mangle"} 1291467136
iptables_chain_packets_total{chain="PREROUTING",policy="ACCEPT",table="nat"} 343629
iptables_chain_packets_total{chain="PREROUTING",policy="ACCEPT",table="raw"} 1291476956
iptables_chain_packets_total{chain="sshuttle-12300",policy="ACCEPT",table="nat"} 0
# HELP iptables_chains_total Total number of chains in a table
# TYPE iptables_chains_total gauge
iptables_chains_total{table="filter"} 11
iptables_chains_total{table="mangle"} 6
iptables_chains_total{table="nat"} 7
iptables_chains_total{table="raw"} 2
iptables_chains_total{table="security"} 3
# HELP iptables_rule_bytes_total Total bytes matching a given rule
# TYPE iptables_rule_bytes_total counter
iptables_rule_bytes_total{chain="DOCKER",rule="-i docker0 -j RETURN",table="nat"} 0
iptables_rule_bytes_total{chain="DOCKER-ISOLATION-STAGE-1",rule="-j RETURN",table="filter"} 0
iptables_rule_bytes_total{chain="DOCKER-ISOLATION-STAGE-2",rule="-j RETURN",table="filter"} 0
iptables_rule_bytes_total{chain="FORWARD",rule="-i docker0 ! -o docker0 -j ACCEPT",table="filter"} 0
iptables_rule_bytes_total{chain="FORWARD",rule="-i docker0 -o docker0 -j ACCEPT",table="filter"} 0
iptables_rule_bytes_total{chain="FORWARD",rule="-j LIBVIRT_FWI",table="filter"} 0
iptables_rule_bytes_total{chain="FORWARD",rule="-j LIBVIRT_FWO",table="filter"} 0
iptables_rule_bytes_total{chain="FORWARD",rule="-j LIBVIRT_FWX",table="filter"} 0
iptables_rule_bytes_total{chain="INPUT",rule="-j LIBVIRT_INP",table="filter"} 1291467196
iptables_rule_bytes_total{chain="LIBVIRT_FWI",rule="-d 192.168.84.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT",table="filter"} 0
iptables_rule_bytes_total{chain="LIBVIRT_FWI",rule="-o virbr0 -j REJECT --reject-with icmp-port-unreachable",table="filter"} 0
iptables_rule_bytes_total{chain="LIBVIRT_FWO",rule="-i virbr0 -j REJECT --reject-with icmp-port-unreachable",table="filter"} 0
iptables_rule_bytes_total{chain="LIBVIRT_FWO",rule="-s 192.168.84.0/24 -i virbr0 -j ACCEPT",table="filter"} 0
iptables_rule_bytes_total{chain="LIBVIRT_FWX",rule="-i virbr0 -o virbr0 -j ACCEPT",table="filter"} 0
iptables_rule_bytes_total{chain="LIBVIRT_INP",rule="-i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT",table="filter"} 0
iptables_rule_bytes_total{chain="LIBVIRT_INP",rule="-i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT",table="filter"} 0
iptables_rule_bytes_total{chain="LIBVIRT_INP",rule="-i virbr0 -p udp -m udp --dport 53 -j ACCEPT",table="filter"} 0
iptables_rule_bytes_total{chain="LIBVIRT_INP",rule="-i virbr0 -p udp -m udp --dport 67 -j ACCEPT",table="filter"} 0
iptables_rule_bytes_total{chain="LIBVIRT_OUT",rule="-o virbr0 -p tcp -m tcp --dport 53 -j ACCEPT",table="filter"} 0
iptables_rule_bytes_total{chain="LIBVIRT_OUT",rule="-o virbr0 -p tcp -m tcp --dport 68 -j ACCEPT",table="filter"} 0
iptables_rule_bytes_total{chain="LIBVIRT_OUT",rule="-o virbr0 -p udp -m udp --dport 53 -j ACCEPT",table="filter"} 0
iptables_rule_bytes_total{chain="LIBVIRT_OUT",rule="-o virbr0 -p udp -m udp --dport 68 -j ACCEPT",table="filter"} 0
iptables_rule_bytes_total{chain="LIBVIRT_PRT",rule="-o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill",table="mangle"} 0
iptables_rule_bytes_total{chain="LIBVIRT_PRT",rule="-s 192.168.84.0/24 ! -d 192.168.122.0/24 -j MASQUERADE",table="nat"} 0
iptables_rule_bytes_total{chain="LIBVIRT_PRT",rule="-s 192.168.84.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535",table="nat"} 0
iptables_rule_bytes_total{chain="LIBVIRT_PRT",rule="-s 192.168.84.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535",table="nat"} 0
iptables_rule_bytes_total{chain="LIBVIRT_PRT",rule="-s 192.168.84.0/24 -d 224.0.0.0/24 -j RETURN",table="nat"} 167
iptables_rule_bytes_total{chain="LIBVIRT_PRT",rule="-s 192.168.84.0/24 -d 255.255.255.255/32 -j RETURN",table="nat"} 0
iptables_rule_bytes_total{chain="OUTPUT",rule="-j LIBVIRT_OUT",table="filter"} 652390620
iptables_rule_bytes_total{chain="OUTPUT",rule="-j sshuttle-12300",table="nat"} 250545
iptables_rule_bytes_total{chain="POSTROUTING",rule="-j LIBVIRT_PRT",table="mangle"} 652416896
iptables_rule_bytes_total{chain="POSTROUTING",rule="-j LIBVIRT_PRT",table="nat"} 274670
iptables_rule_bytes_total{chain="POSTROUTING",rule="-s 172.17.0.0/16 ! -o docker0 -j MASQUERADE",table="nat"} 0
iptables_rule_bytes_total{chain="PREROUTING",rule="-j sshuttle-12300",table="nat"} 350113
iptables_rule_bytes_total{chain="sshuttle-12300",rule="-d 127.0.0.1/32 -p tcp -j RETURN",table="nat"} 0
iptables_rule_bytes_total{chain="sshuttle-12300",rule="-m addrtype --dst-type LOCAL -j RETURN",table="nat"} 13654
iptables_rule_bytes_total{chain="sshuttle-12300",rule="-m ttl --ttl-eq 63 -j RETURN",table="nat"} 0
iptables_rule_bytes_total{chain="sshuttle-12300",rule="-p tcp -j REDIRECT --to-ports 12300",table="nat"} 183900
# HELP iptables_rule_packets_total Total packets matching a given rule
# TYPE iptables_rule_packets_total counter
iptables_rule_packets_total{chain="DOCKER",rule="-i docker0 -j RETURN",table="nat"} 0
iptables_rule_packets_total{chain="DOCKER-ISOLATION-STAGE-1",rule="-j RETURN",table="filter"} 0
iptables_rule_packets_total{chain="DOCKER-ISOLATION-STAGE-2",rule="-j RETURN",table="filter"} 0
iptables_rule_packets_total{chain="FORWARD",rule="-i docker0 ! -o docker0 -j ACCEPT",table="filter"} 0
iptables_rule_packets_total{chain="FORWARD",rule="-i docker0 -o docker0 -j ACCEPT",table="filter"} 0
iptables_rule_packets_total{chain="FORWARD",rule="-j LIBVIRT_FWI",table="filter"} 0
iptables_rule_packets_total{chain="FORWARD",rule="-j LIBVIRT_FWO",table="filter"} 0
iptables_rule_packets_total{chain="FORWARD",rule="-j LIBVIRT_FWX",table="filter"} 0
iptables_rule_packets_total{chain="INPUT",rule="-j LIBVIRT_INP",table="filter"} 1128660
iptables_rule_packets_total{chain="LIBVIRT_FWI",rule="-d 192.168.84.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT",table="filter"} 0
iptables_rule_packets_total{chain="LIBVIRT_FWI",rule="-o virbr0 -j REJECT --reject-with icmp-port-unreachable",table="filter"} 0
iptables_rule_packets_total{chain="LIBVIRT_FWO",rule="-i virbr0 -j REJECT --reject-with icmp-port-unreachable",table="filter"} 0
iptables_rule_packets_total{chain="LIBVIRT_FWO",rule="-s 192.168.84.0/24 -i virbr0 -j ACCEPT",table="filter"} 0
iptables_rule_packets_total{chain="LIBVIRT_FWX",rule="-i virbr0 -o virbr0 -j ACCEPT",table="filter"} 0
iptables_rule_packets_total{chain="LIBVIRT_INP",rule="-i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT",table="filter"} 0
iptables_rule_packets_total{chain="LIBVIRT_INP",rule="-i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT",table="filter"} 0
iptables_rule_packets_total{chain="LIBVIRT_INP",rule="-i virbr0 -p udp -m udp --dport 53 -j ACCEPT",table="filter"} 0
iptables_rule_packets_total{chain="LIBVIRT_INP",rule="-i virbr0 -p udp -m udp --dport 67 -j ACCEPT",table="filter"} 0
iptables_rule_packets_total{chain="LIBVIRT_OUT",rule="-o virbr0 -p tcp -m tcp --dport 53 -j ACCEPT",table="filter"} 0
iptables_rule_packets_total{chain="LIBVIRT_OUT",rule="-o virbr0 -p tcp -m tcp --dport 68 -j ACCEPT",table="filter"} 0
iptables_rule_packets_total{chain="LIBVIRT_OUT",rule="-o virbr0 -p udp -m udp --dport 53 -j ACCEPT",table="filter"} 0
iptables_rule_packets_total{chain="LIBVIRT_OUT",rule="-o virbr0 -p udp -m udp --dport 68 -j ACCEPT",table="filter"} 0
iptables_rule_packets_total{chain="LIBVIRT_PRT",rule="-o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill",table="mangle"} 0
iptables_rule_packets_total{chain="LIBVIRT_PRT",rule="-s 192.168.84.0/24 ! -d 192.168.122.0/24 -j MASQUERADE",table="nat"} 0
iptables_rule_packets_total{chain="LIBVIRT_PRT",rule="-s 192.168.84.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535",table="nat"} 0
iptables_rule_packets_total{chain="LIBVIRT_PRT",rule="-s 192.168.84.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535",table="nat"} 0
iptables_rule_packets_total{chain="LIBVIRT_PRT",rule="-s 192.168.84.0/24 -d 224.0.0.0/24 -j RETURN",table="nat"} 2
iptables_rule_packets_total{chain="LIBVIRT_PRT",rule="-s 192.168.84.0/24 -d 255.255.255.255/32 -j RETURN",table="nat"} 0
iptables_rule_packets_total{chain="OUTPUT",rule="-j LIBVIRT_OUT",table="filter"} 988683
iptables_rule_packets_total{chain="OUTPUT",rule="-j sshuttle-12300",table="nat"} 3804
iptables_rule_packets_total{chain="POSTROUTING",rule="-j LIBVIRT_PRT",table="mangle"} 988827
iptables_rule_packets_total{chain="POSTROUTING",rule="-j LIBVIRT_PRT",table="nat"} 4020
iptables_rule_packets_total{chain="POSTROUTING",rule="-s 172.17.0.0/16 ! -o docker0 -j MASQUERADE",table="nat"} 0
iptables_rule_packets_total{chain="PREROUTING",rule="-j sshuttle-12300",table="nat"} 3190
iptables_rule_packets_total{chain="sshuttle-12300",rule="-d 127.0.0.1/32 -p tcp -j RETURN",table="nat"} 0
iptables_rule_packets_total{chain="sshuttle-12300",rule="-m addrtype --dst-type LOCAL -j RETURN",table="nat"} 204
iptables_rule_packets_total{chain="sshuttle-12300",rule="-m ttl --ttl-eq 63 -j RETURN",table="nat"} 0
iptables_rule_packets_total{chain="sshuttle-12300",rule="-p tcp -j REDIRECT --to-ports 12300",table="nat"} 3065
# HELP iptables_rules_total Total number of rules in a chain in a table
# TYPE iptables_rules_total gauge
iptables_rules_total{chain="DOCKER",table="filter"} 0
iptables_rules_total{chain="DOCKER",table="nat"} 1
iptables_rules_total{chain="DOCKER-ISOLATION-STAGE-1",table="filter"} 1
iptables_rules_total{chain="DOCKER-ISOLATION-STAGE-2",table="filter"} 1
iptables_rules_total{chain="FORWARD",table="filter"} 5
iptables_rules_total{chain="FORWARD",table="mangle"} 0
iptables_rules_total{chain="FORWARD",table="security"} 0
iptables_rules_total{chain="INPUT",table="filter"} 1
iptables_rules_total{chain="INPUT",table="mangle"} 0
iptables_rules_total{chain="INPUT",table="nat"} 0
iptables_rules_total{chain="INPUT",table="security"} 0
iptables_rules_total{chain="LIBVIRT_FWI",table="filter"} 2
iptables_rules_total{chain="LIBVIRT_FWO",table="filter"} 2
iptables_rules_total{chain="LIBVIRT_FWX",table="filter"} 1
iptables_rules_total{chain="LIBVIRT_INP",table="filter"} 4
iptables_rules_total{chain="LIBVIRT_OUT",table="filter"} 4
iptables_rules_total{chain="LIBVIRT_PRT",table="mangle"} 1
iptables_rules_total{chain="LIBVIRT_PRT",table="nat"} 5
iptables_rules_total{chain="OUTPUT",table="filter"} 1
iptables_rules_total{chain="OUTPUT",table="mangle"} 0
iptables_rules_total{chain="OUTPUT",table="nat"} 1
iptables_rules_total{chain="OUTPUT",table="raw"} 0
iptables_rules_total{chain="OUTPUT",table="security"} 0
iptables_rules_total{chain="POSTROUTING",table="mangle"} 1
iptables_rules_total{chain="POSTROUTING",table="nat"} 2
iptables_rules_total{chain="PREROUTING",table="mangle"} 0
iptables_rules_total{chain="PREROUTING",table="nat"} 1
iptables_rules_total{chain="PREROUTING",table="raw"} 0
iptables_rules_total{chain="sshuttle-12300",table="nat"} 4
# HELP iptables_scrape_duration_milliseconds Duration in milliseconds of the scrape
# TYPE iptables_scrape_duration_milliseconds gauge
iptables_scrape_duration_milliseconds 2
# HELP iptables_scrape_success If the scrape was a success
# TYPE iptables_scrape_success gauge
iptables_scrape_success 1

License

This project is dual licensed under the terms of either the MIT or Apache 2.0 at your option.

Comments
  • Add support for iptables-legacy

    Hi @kbknapp , and thanks for maintaining this Prometheus exporter :wave:


    For those of us who have yet to migrate to nftables to manage network routing, we may end up in a situation where:

    • part of the routing is managed through iptables / nftables (e.g. when using fail2ban)
    • part of the routing is managed through iptables-legacy (e.g. when using a frontend such as Ferm or Shorewall)

    Reference:

    • https://wiki.nftables.org/wiki-nftables/index.php/Adoption
    • https://wiki.debian.org/iptables (I noticed the "loss" of the metrics while migrating Debian hosts from Buster to Bullseye)

    For such situations, it would be convenient to be able to gather and expose metrics for rules managed by both iptables and iptables-legacy.

    This could be implemented by adding a --legacy or --iptables-legacy boolean flag, and either:

    1. running two instances of the exporter, and defining two separate Prometheus scrape jobs
    2. running a single instance of the exporter, and prefixing legacy metrics with iptables_legacy_

    Both approaches may be:

    • brittle, as administrators may choose to disable nftables usage and re-alias iptables commands to their iptables-legacy counterparts (e.g. as shown in Debian docs)
    • of limited use in time, as people are likely to migrate their configuration to nftables (or any suitable frontend)

    Please let me know if there is interest in adding such a feature to the exporter, and which of the approaches mentioned above would be preferred so I can submit a PR with the corresponding changes :)

    (As a quick fix, I'm running two instances of a custom version of the exporter built from https://github.com/virtualtam/iptables_exporter/tree/wip/iptables-legacy to expose metrics for both backends)

    help wanted 
    opened by virtualtam 4
  • add support for iptables-legacy and ip6tables

    Adds support for ip{6}tables{-legacy} via the new -t|--scrape-targets CLI flag.

    Multiple scrape targets can be enabled at once by using the -t|--scrape-targets flag multiple times. Such as:

    $ iptables_exporter -t iptables -t iptables-legacy -t ip6tables
    

    By default only iptables is enabled.

    The metrics provided will be prefixed with the various scrape targets, such as iptables_*, iptables_legacy_*, etc.

    Closes #3 Closes #4

    opened by kbknapp 1
  • The metrics has iptable rules that no longer exist

    Version: v0.1.1

    Describe the bug: From the metrics, the total number of my iptables rules keeps growing, as shown below; the PromQL is sum(iptables_rules_total).

    I found that the chain of the growing iptables_rules_total metrics is KUBE-NWPLCY*, but I only saw a chain named KUBE-NWPLCY-IYDORQLYDGN26QIB on the machine. I observed this KUBE-NWPLCY* chain on this machine. After a while, this KUBE-NWPLCY* chain will be rebuilt and its name changed. But iptables_exporter added new chain metrics, did not delete the old chain metrics.
    When I restarted the iptables-exporter container, the metrics will be consistent with the iptables chain on the machine, but after a period of time, the things described above will be repeated.

    Expected behavior: The metrics of iptables_exporter are consistent with the real iptables chains on the machine; the non-existent chain on the machine needs to be deleted in iptables-exporter.

    opened by 504274990 1
  • Merge duplicate rules

    If one adds multiple duplicate rules to an iptables chain, iptables is fine with that but only the first rule will match any packets/bytes. The way iptables_exporter scrapes these metrics can cause those rules to show zero bytes or zero packets. They should be merged into a single "logical rule."

    opened by kbknapp 0
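
An added example (not code from the project or from the issue authors) of the scrape the README describes and of the behaviour the last two issues ask for: it parses `iptables-save` counter output, sums the counters of identical rules into one logical rule, and rebuilds the series set from each dump so a deleted chain drops out. The sample dumps and the `KUBE-NWPLCY-AAAA`/`KUBE-NWPLCY-BBBB` chain names are constructed, and the type and function names are hypothetical.

```rust
use std::collections::BTreeMap;

/// Counters as printed by iptables-save: `[packets:bytes]`.
#[derive(Debug, Default, Clone, Copy, PartialEq)]
pub struct Counter {
    pub packets: u64,
    pub bytes: u64,
}

/// One scrape, built from scratch each time: a chain deleted or renamed
/// since the previous scrape has no entry, so its series disappear.
#[derive(Debug, Default)]
pub struct Snapshot {
    /// (table, chain) -> (policy, counters)
    pub chains: BTreeMap<(String, String), (String, Counter)>,
    /// (table, chain, rule text) -> counters; duplicate rules are summed
    pub rules: BTreeMap<(String, String, String), Counter>,
}

fn parse_counter(s: &str) -> Option<Counter> {
    let (p, b) = s.strip_prefix('[')?.strip_suffix(']')?.split_once(':')?;
    Some(Counter { packets: p.parse().ok()?, bytes: b.parse().ok()? })
}

pub fn parse(dump: &str) -> Result<Snapshot, String> {
    let mut snap = Snapshot::default();
    let mut table: Option<String> = None;
    for (n, raw) in dump.lines().enumerate() {
        let line = raw.trim();
        let bad = || format!("line {}: cannot parse {line:?}", n + 1);
        if line.is_empty() || line.starts_with('#') {
            continue;
        }
        if line == "COMMIT" {
            table = None;
        } else if let Some(name) = line.strip_prefix('*') {
            table = Some(name.to_string());
        } else if let Some(rest) = line.strip_prefix(':') {
            // ":CHAIN POLICY [packets:bytes]"
            let t = table.clone().ok_or_else(bad)?;
            let mut f = rest.split_whitespace();
            let chain = f.next().ok_or_else(bad)?;
            let policy = f.next().ok_or_else(bad)?;
            let ctr = f.next().and_then(parse_counter).ok_or_else(bad)?;
            snap.chains.insert((t, chain.into()), (policy.into(), ctr));
        } else {
            // "[packets:bytes] -A CHAIN <rule spec>"
            let t = table.clone().ok_or_else(bad)?;
            let (ctr, rest) = line.split_once(' ').ok_or_else(bad)?;
            let ctr = parse_counter(ctr).ok_or_else(bad)?;
            let rest = rest.strip_prefix("-A ").ok_or_else(bad)?;
            let (chain, rule) = rest.split_once(' ').unwrap_or((rest, ""));
            let e = snap.rules.entry((t, chain.into(), rule.into())).or_default();
            e.packets += ctr.packets;
            e.bytes += ctr.bytes;
        }
    }
    Ok(snap)
}

/// Escape a label value for the Prometheus text format; rule text can hold
/// quotes and backslashes, e.g. `-m comment --comment "allow ssh"`.
fn escape(v: &str) -> String {
    v.replace('\\', "\\\\").replace('"', "\\\"").replace('\n', "\\n")
}

pub fn render(s: &Snapshot) -> String {
    let mut out = String::new();
    for ((table, chain, rule), c) in &s.rules {
        let (ch, ru, ta) = (escape(chain), escape(rule), escape(table));
        let labels = format!("{{chain=\"{ch}\",rule=\"{ru}\",table=\"{ta}\"}}");
        out += &format!("iptables_rule_packets_total{labels} {}\n", c.packets);
        out += &format!("iptables_rule_bytes_total{labels} {}\n", c.bytes);
    }
    out
}

// Constructed sample dumps, not captured from a real host.
pub const SCRAPE_1: &str = r#"*filter
:INPUT ACCEPT [120:9000]
:KUBE-NWPLCY-AAAA - [0:0]
[7:420] -A INPUT -p tcp -m tcp --dport 22 -m comment --comment "allow ssh" -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 22 -m comment --comment "allow ssh" -j ACCEPT
[3:180] -A KUBE-NWPLCY-AAAA -j RETURN
COMMIT
"#;
pub const SCRAPE_2: &str = "*filter\n:INPUT ACCEPT [150:11000]\n\
:KUBE-NWPLCY-BBBB - [0:0]\n[1:60] -A KUBE-NWPLCY-BBBB -j RETURN\nCOMMIT\n";

fn main() {
    for dump in [SCRAPE_1, SCRAPE_2] {
        print!("{}", render(&parse(dump).expect("valid dump")));
    }
}
```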
Owner
Kevin K.