Iptables input: document better the ignored rules behavior (#2482)

During issue #2215 it was highlighted that the current behavior where
rules without a comment are ignored is confusing for several users.

This commit improves the documentation and adds a NOTE to the sample
config to clarify the behavior for new users.
This commit is contained in:
Charles-Henri 2017-03-02 10:58:26 +01:00 committed by Cameron Sparr
parent e37b28896e
commit 53fb5608a8
3 changed files with 10 additions and 3 deletions

View File

@ -74,6 +74,7 @@ be deprecated eventually.
- [#2462](https://github.com/influxdata/telegraf/pull/2462): Fix type conflict in windows ping plugin. - [#2462](https://github.com/influxdata/telegraf/pull/2462): Fix type conflict in windows ping plugin.
- [#2178](https://github.com/influxdata/telegraf/issues/2178): logparser: regexp with lookahead. - [#2178](https://github.com/influxdata/telegraf/issues/2178): logparser: regexp with lookahead.
- [#2466](https://github.com/influxdata/telegraf/issues/2466): Telegraf can crash in LoadDirectory on 0600 files. - [#2466](https://github.com/influxdata/telegraf/issues/2466): Telegraf can crash in LoadDirectory on 0600 files.
- [#2215](https://github.com/influxdata/telegraf/issues/2215): Iptables input: document better that rules without a comment are ignored.
## v1.2.1 [2017-02-01] ## v1.2.1 [2017-02-01]

View File

@ -2,7 +2,11 @@
The iptables plugin gathers packets and bytes counters for rules within a set of table and chain from the Linux's iptables firewall. The iptables plugin gathers packets and bytes counters for rules within a set of table and chain from the Linux's iptables firewall.
Rules are identified through associated comment. Rules without comment are ignored. Rules are identified through associated comment. **Rules without comment are ignored**.
Indeed we need a unique ID for the rule and the rule number is not a constant: it may vary when rules are inserted/deleted at start-up or by automatic tools (interactive firewalls, fail2ban, ...).
Also when the rule set is becoming big (hundreds of lines) most people are interested in monitoring only a small part of the rule set.
Before using this plugin **you must ensure that the rules you want to monitor are named with a unique comment**. Comments are added using the `-m comment --comment "my comment"` iptables options.
The iptables command requires CAP_NET_ADMIN and CAP_NET_RAW capabilities. You have several options to grant telegraf to run iptables: The iptables command requires CAP_NET_ADMIN and CAP_NET_RAW capabilities. You have several options to grant telegraf to run iptables:

View File

@ -33,14 +33,16 @@ func (ipt *Iptables) SampleConfig() string {
## iptables require root access on most systems. ## iptables require root access on most systems.
## Setting 'use_sudo' to true will make use of sudo to run iptables. ## Setting 'use_sudo' to true will make use of sudo to run iptables.
## Users must configure sudo to allow telegraf user to run iptables with no password. ## Users must configure sudo to allow telegraf user to run iptables with no password.
## iptables can be restricted to only list command "iptables -nvL" ## iptables can be restricted to only list command "iptables -nvL".
use_sudo = false use_sudo = false
## Setting 'use_lock' to true runs iptables with the "-w" option. ## Setting 'use_lock' to true runs iptables with the "-w" option.
## Adjust your sudo settings appropriately if using this option ("iptables -wnvl") ## Adjust your sudo settings appropriately if using this option ("iptables -wnvl")
use_lock = false use_lock = false
## defines the table to monitor: ## defines the table to monitor:
table = "filter" table = "filter"
## defines the chains to monitor: ## defines the chains to monitor.
## NOTE: iptables rules without a comment will not be monitored.
## Read the plugin documentation for more information.
chains = [ "INPUT" ] chains = [ "INPUT" ]
` `
} }