Traffic Accounting with Shorewall


Shorewall allows accounting of traffic with iptaccount, the following script inserts the output of iptaccount into a PostgreSQL Database. It does absolutely no input validation. In combination with cron this script allows accounting of traffic, if you keep your intervals short you can change the datatype from bigint to int to make your database smaller and faster.

The following is an example Schema for your database.


DHCP Option 82 with ISC DHCPD

If you want to assign IP addresses based on the port of a switch DHCP Option 82 comes in handy – with it enabled your switch adds an agent remote id and an agent curcuit id to every DHCP request. The remote agent id refers to the switch and the remote circuit id refers to the port where the DHCP request comes from.

You have several options to use these informations with ISC DHCPD, the tricky part is the binary to ascii conversion. I had to play a little bit around with it to get it working with my HP Procurve switches, I configured them to add the MAC address as agent remote id. It’s important to note that leading zeroes need to be removed.

The following config is necessary for each port, in this example every client on port 28 at the switch 0:ff:ff:ff:ff:ff can get IP addresses from to

Cause these entries are necessary for each port I modified a script from Serverfault to generate them.

The script reads a CSV containing all the necessary information and outputs the generated pools and classes to the terminal.

You may want to put those pools and classes into an additional config file to keep your dhcpd.conf clean.