From 07a622393232881f8289b25b4b32e9897e406af2 Mon Sep 17 00:00:00 2001 From: ldep30 Date: Wed, 1 Feb 2017 15:37:18 +0100 Subject: [PATCH] Add lock option to the IPtables input plugin (#2201) * Update README.md * Add lock support to the IPtables input plugin * Update iptables.go Doc cleaning --- plugins/inputs/iptables/README.md | 6 ++++++ plugins/inputs/iptables/iptables.go | 12 ++++++++++-- 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/plugins/inputs/iptables/README.md b/plugins/inputs/iptables/README.md index f5ebd4780..a711f1d4e 100644 --- a/plugins/inputs/iptables/README.md +++ b/plugins/inputs/iptables/README.md @@ -30,11 +30,17 @@ You may edit your sudo configuration with the following: telegraf ALL=(root) NOPASSWD: /usr/bin/iptables -nvL * ``` +### Using IPtables lock feature + +Defining multiple instances of this plugin in telegraf.conf can lead to concurrent IPtables access resulting in "ERROR in input [inputs.iptables]: exit status 4" messages in telegraf.log and missing metrics. Setting 'use_lock = true' in the plugin configuration will run IPtables with the '-w' switch, allowing a lock usage to prevent this error. + ### Configuration: ```toml # use sudo to run iptables use_sudo = false + # run iptables with the lock option + use_lock = false # defines the table to monitor: table = "filter" # defines the chains to monitor: diff --git a/plugins/inputs/iptables/iptables.go b/plugins/inputs/iptables/iptables.go index 4ceb45230..31b049d9f 100644 --- a/plugins/inputs/iptables/iptables.go +++ b/plugins/inputs/iptables/iptables.go @@ -16,6 +16,7 @@ import ( // Iptables is a telegraf plugin to gather packets and bytes throughput from Linux's iptables packet filter. type Iptables struct { UseSudo bool + UseLock bool Table string Chains []string lister chainLister 
@@ -32,8 +33,11 @@ func (ipt *Iptables) SampleConfig() string {
 ## iptables require root access on most systems.
 ## Setting 'use_sudo' to true will make use of sudo to run iptables.
 ## Users must configure sudo to allow telegraf user to run iptables with no password.
- ## iptables can be restricted to only list command "iptables -nvL"
+ ## iptables can be restricted to only list command "iptables -nvL"
 use_sudo = false
+ ## Setting 'use_lock' to true runs iptables with the "-w" option.
+ ## Adjust your sudo settings appropriately if using this option ("iptables -wnvl")
+ use_lock = false
 ## defines the table to monitor:
 table = "filter"
 ## defines the chains to monitor:
@@ -75,7 +79,11 @@ func (ipt *Iptables) chainList(table, chain string) (string, error) {
 name = "sudo"
 args = append(args, iptablePath)
 }
- args = append(args, "-nvL", chain, "-t", table, "-x")
+ iptablesBaseArgs := "-nvL"
+ if ipt.UseLock {
+ iptablesBaseArgs = "-wnvL"
+ }
+ args = append(args, iptablesBaseArgs, chain, "-t", table, "-x")
 c := exec.Command(name, args...)
 out, err := c.Output()
 return string(out), err
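Review bot: The added sample-config comment in the SampleConfig hunk spells the command as `iptables -wnvl` (lower-case `l`), but chainList runs `-wnvL`. An operator who copies the comment into a sudoers rule gets an entry that does not match the command telegraf executes, since sudoers argument matching is case-sensitive. The likely results are a sudo refusal, or a broader wildcard rule written to work around it. The line should read `## Adjust your sudo settings appropriately if using this option ("iptables -wnvL")`. The sample string starts and ends outside this hunk.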
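Review bot: In the chainList hunk, bundling the lock flag into one token as `"-wnvL"` is fragile. On iptables builds where `-w` takes an optional seconds value, getopt reads attached text as that value, so `nvL` may be consumed as the wait time instead of as the list flags. Passing it separately avoids the ambiguity: `if ipt.UseLock { args = append(args, "-w") }` ahead of the unchanged `args = append(args, "-nvL", chain, "-t", table, "-x")`. The sudoers rule would then need to allow that exact argument order. Separately, `-w` with no timeout waits for the xtables lock without bound and `c.Output()` has no deadline, so a stuck lock holder could stall this collector; a bounded wait is worth considering. chainList begins and ends outside this hunk.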