
SYSTEM Cited by 1 source

iptables

iptables is the Linux user-space front-end to the netfilter packet-filter framework. Rules filter, mangle, or route packets as they traverse the kernel network stack through predefined chains (INPUT, OUTPUT, FORWARD) and user-defined chains.

Features relevant to wiki sources

  • Per-rule packet and byte counters. Each rule maintains kernel counters of packets matched and bytes matched; listed via iptables -L -v -n -x. Read-modify-write is atomic inside the kernel.
  • Empty user-defined chains as measurement points. A rule whose match (e.g. a destination IP) jumps to an empty user-defined chain yields counters scoped to exactly the matched traffic. Because the chain holds no rules, packets fall straight back to the calling chain, so nothing is filtered; the result is a lightweight rate-metric source with no packet sniffer or new agent. Canonical pattern: patterns/iptables-packet-counter-for-rate-metric.

Seen in

  • Stripe — The secret life of DNS packets (2024-12-12). Stripe added a rule to the OUTPUT chain matching destination=10.0.0.2 (the VPC resolver) that jumps to an empty VPC_RESOLVER chain. A shell loop reads the counter every second and reports packets-per-second to the metrics pipeline. Zero userspace packet inspection; existing kernel counters repurposed as a DNS-rate metric.
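The pattern above, as an added shell example (not Stripe's code): the chain and resolver address are the page's VPC_RESOLVER and 10.0.0.2; report_metric is an assumed placeholder for the metrics client, and sample_listing is a constructed listing used only to exercise the parser.

```shell
# Added example, not Stripe's code. Assumed names: chain VPC_RESOLVER and resolver
# address 10.0.0.2 (both from the page); report_metric is a placeholder emitter.
CHAIN=VPC_RESOLVER
RESOLVER=10.0.0.2

# One-time setup (root). The chain stays empty, so packets jumping into it fall
# straight back to OUTPUT: counters are incremented, nothing is filtered.
setup_counter() {
    iptables -N "$CHAIN" 2>/dev/null || true
    iptables -C OUTPUT -d "$RESOLVER" -j "$CHAIN" 2>/dev/null ||
        iptables -I OUTPUT -d "$RESOLVER" -j "$CHAIN"
}

# Pull the pkts column of the jump rule from `iptables -L OUTPUT -v -n -x` text
# on stdin. Columns: pkts bytes target prot opt in out source destination.
parse_packets() {
    awk -v chain="$CHAIN" -v dst="$RESOLVER" \
        '$3 == chain && $9 == dst { print $1; exit }'
}

read_packets() { iptables -L OUTPUT -v -n -x | parse_packets; }

# Packets per second from two readings taken $3 seconds apart. The counter only
# drops when the rule is reloaded or zeroed, so a decrease reports 0 rather than
# a negative rate.
rate_pps() {
    if [ "$2" -lt "$1" ]; then echo 0; else echo $(( ($2 - $1) / $3 )); fi
}

report_metric() { echo "dns.resolver.pps $1"; }

# Sampling loop as described in the Stripe post: read every second, emit pps.
sample_loop() {
    prev=$(read_packets)
    while sleep 1; do
        cur=$(read_packets)
        report_metric "$(rate_pps "$prev" "$cur" 1)"
        prev=$cur
    done
}

# Constructed sample of the listing (not real output), used to exercise the parser.
sample_listing() {
    cat <<'EOF'
Chain OUTPUT (policy ACCEPT 88210 packets, 9912345 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    1523     98765 VPC_RESOLVER  all  --  *      *       0.0.0.0/0            10.0.0.2
EOF
}
```

Run setup_counter once as root, then sample_loop; the rule is inserted at the top of OUTPUT so earlier ACCEPT/DROP rules cannot shadow the count.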