Add Iptables exporter
@brian-brazil
I added an Iptables exporter link. Let me know if it fulfils Prometheus standards and minimum requirements. Thanks
Thanks for your PR. While these are host-based from the kernel metrics, it looks like the Node exporter developers believe this is best as a separate exporter so that's fine. More interestingly there are other iptables exporters out there, but they either look dead or seem to be doing something different, and none have any community of note. So this could be listed.
Looking at the code I see an issue though, you're using direct instrumentation and thus will produce incorrect results. Plus poking around the internals of a client library isn't exactly kosher. Please switch to using CounterMetricFamily.
I also note that you have a custom MetricsHandler, which adds no functionality on top of the base one provided by the client library. This however won't support OpenMetrics, so you should use the standard one.
From a general exporter design standpoint, this exporter seems to require you to explicitly add a comment to every single rule you want a metric for. I'd personally expect an exporter like this to expose everything by default, and the naming feature to be an extra thing you could optionally do if you wanted.
Thanks for the interesting hints! I'll take some time to elaborate/fix your suggestions.
> Looking at the code I see an issue though, you're using direct instrumentation and thus will produce incorrect results. Plus poking around the internals of a client library isn't exactly kosher. Please switch to using CounterMetricFamily.
> I also note that you have a custom MetricsHandler, which adds no functionality on top of the base one provided by the client library. This however won't support OpenMetrics, so you should use the standard one.
I tried to address both your suggestions: https://github.com/madron/iptables-exporter/blob/5a423c16aaaaf17216f0c87f08b2c495929a6dad/iptables_exporter/main.py
> From a general exporter design standpoint, this exporter seems to require you to explicitly add a comment to every single rule you want a metric for. I'd personally expect an exporter like this to expose everything by default, and the naming feature to be an extra thing you could optionally do if you wanted.
Without explicit comments it exposes only the number of rules in every table/chain. Maybe it seems useless but I use it a lot just to check if someone manually adds/deletes some rules and forgets to restore the original configuration.
I am not really convinced about exposing everything by default for these reasons:
- I didn't find a good tag or set of tags to describe every possible iptables rule.
- In all my Kubernetes nodes I have at least 6000 rules and I'm afraid it can put some pressure on Prometheus servers.
I'm open to suggestions! :-)
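
An added example, not code from the exporter in this PR or from the Prometheus client library, of the custom-collector pattern requested in the review: metric families are rebuilt from the kernel's own counters on each scrape, with a per-chain rule count (to notice manually added or deleted rules) and per-rule counters only for commented rules. The metric names, the `read` hook, the use of the raw comment as the `rule` label, and the sample ruleset are assumptions made for illustration.

```python
import shlex
from collections import Counter

# Constructed sample of `iptables-save -c` output, not captured from a real host.
SAMPLE = '''\
*filter
:INPUT ACCEPT [120:9600]
:FORWARD DROP [0:0]
[10:840] -A INPUT -p tcp --dport 22 -m comment --comment "ssh in" -j ACCEPT
[5:300] -A INPUT -i lo -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [3:180]
[2:120] -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
'''

def parse(text):
    """Return ({(table, chain): rule_count}, [(table, chain, comment, packets, bytes)])."""
    table, counts, named = None, Counter(), []
    for line in text.splitlines():
        if line.startswith('*'):                      # "*filter" starts a table
            table = line[1:]
        elif line.startswith(':'):                    # ":INPUT ACCEPT [p:b]" declares a chain
            counts[(table, line[1:].split()[0])] += 0  # keep empty chains visible
        elif line.startswith('['):                    # "[packets:bytes] -A CHAIN ..."
            args = shlex.split(line)
            packets, nbytes = map(int, args[0].strip('[]').split(':'))
            counts[(table, args[2])] += 1
            if '--comment' in args:                   # only commented rules get their own series
                named.append((table, args[2], args[args.index('--comment') + 1], packets, nbytes))
    return dict(counts), named

class IptablesCollector:  # custom collector: nothing is cached between scrapes
    def __init__(self, read=lambda: SAMPLE):  # hypothetical hook; a real one runs `iptables-save -c`
        self.read = read

    def collect(self):
        # Imported here so parse() stays usable without the client library installed.
        from prometheus_client.core import CounterMetricFamily, GaugeMetricFamily
        counts, named = parse(self.read())
        rules = GaugeMetricFamily('iptables_rules', 'Rules per chain', labels=['table', 'chain'])
        pkts = CounterMetricFamily('iptables_packets', 'Packets matched', labels=['table', 'chain', 'rule'])
        byts = CounterMetricFamily('iptables_bytes', 'Bytes matched', labels=['table', 'chain', 'rule'])
        for (table, chain), n in counts.items():
            rules.add_metric([table, chain], n)
        for table, chain, rule, p, b in named:
            pkts.add_metric([table, chain, rule], p)
            byts.add_metric([table, chain, rule], b)
        return [rules, pkts, byts]
```

To serve it, register an instance with `prometheus_client.core.REGISTRY.register(IptablesCollector())` and expose it through the client library's standard handler, for example `start_http_server`.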