pf - state counter tracking like pfsync


pf - state counter tracking like pfsync

Özkan KIRIK
Hi,

My goal is to save the pkt/byte counters of each expired/killed/closed state into
a txt file.
What is the right way to do this in userspace?
Is it possible to do something with ioctl & poll?

Alternatively, is it possible to create multiple pfsync interfaces, the first
one for the real purpose of sending state changes to the slave host, and the second
one for sending to this log collection process on lo1?

The following lines prevent cloning a second pfsync interface:
/usr/src/sys/netpfil/pf/if_pfsync.c, line 331 (pfsync_clone_create
function)

  if (unit != 0)
    return (EINVAL);

If I remove these lines, will I hit any error?

Best regards,
Thanks
_______________________________________________
[hidden email] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[hidden email]"

Re: pf - state counter tracking like pfsync

Kristof Provost
On 26 Jun 2020, at 13:56, Özkan KIRIK wrote:
> My goal is to save the pkt/byte counters of each expired/killed/closed state
> into
> a txt file.
> What is the right way to do this in userspace?

There’s no real right way to do this using pf. There are a couple of
things that’ll get close, but no 100% solution.

> Is it possible to do something with ioctl & poll?
>
No. You could poll the states, but you’d heavily affect throughput and
you’re going to miss data.

> Alternatively, is it possible to create multiple pfsync interfaces,
> the first
> one for the real purpose of sending state changes to the slave host, and the second
> one
> for sending to this log collection process on lo1?
>
No, it’s not possible to create more than one pfsync interface. Pfsync
can send its data to a multicast group, so you could have multiple
subscribers.

Note that pfsync optimises updates, so it’s likely that short-lived
connections (i.e. where the connection is set up, used and closed before
the next sync) will not result in sync messages.

> The following lines prevent cloning a second pfsync interface:
> /usr/src/sys/netpfil/pf/if_pfsync.c, line 331 (pfsync_clone_create
> function)
>
>   if (unit != 0)
>     return (EINVAL);
>
> If I remove these lines, will I hit any error?
>
Yes, that will break. Pfsync is not designed to have multiple
interfaces.

Kristof
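The approximate approach Kristof describes (polling the state table and accepting that short-lived states are missed) can be sketched in userspace as below. This is an added example, not code from the thread, from pf or from FreeBSD: it assumes the `pfctl -ss -vv` output format shown in the constructed sample (counter line followed by an `id:` line), diffs two snapshots, and logs the last observed counters of every state that vanished between polls.

```python
import re, subprocess

# Counter and id lines of one state as printed by `pfctl -ss -vv`
# (format assumed here; verify against your pfctl version).
COUNTER_RE = re.compile(r"(\d+):(\d+) pkts, (\d+):(\d+) bytes")
ID_RE = re.compile(r"id: ([0-9a-f]+) creatorid: ([0-9a-f]+)")

# Two constructed polls: the udp state is gone in the second one.
POLL_1 = """\
all tcp 10.0.0.1:22 <- 192.0.2.5:51234       ESTABLISHED:ESTABLISHED
   age 00:01:23, expires in 23:58:37, 10:8 pkts, 1200:900 bytes, rule 5
   id: 000000005f01ab12 creatorid: 0a0b0c0d
all udp 10.0.0.1:53 <- 192.0.2.7:40001       MULTIPLE:SINGLE
   age 00:00:05, expires in 00:00:55, 2:1 pkts, 140:300 bytes, rule 7
   id: 000000005f01ab13 creatorid: 0a0b0c0d
"""
POLL_2 = """\
all tcp 10.0.0.1:22 <- 192.0.2.5:51234       ESTABLISHED:ESTABLISHED
   age 00:01:33, expires in 23:58:27, 14:11 pkts, 1600:1300 bytes, rule 5
   id: 000000005f01ab12 creatorid: 0a0b0c0d
"""


def parse_states(text):
    """Map 'id/creatorid' -> (pkts_in, pkts_out, bytes_in, bytes_out)."""
    states, counters = {}, None
    for line in text.splitlines():
        c, i = COUNTER_RE.search(line), ID_RE.search(line)
        if c:
            counters = tuple(int(x) for x in c.groups())
        elif i and counters is not None:  # id line follows the counter line
            states[i.group(1) + "/" + i.group(2)] = counters
            counters = None
    return states


def vanished_states(previous, current):
    """States seen last poll but absent now, with their last observed counters."""
    return {sid: cnt for sid, cnt in previous.items() if sid not in current}


def poll_once(previous, logfile, dump=None):
    """One poll: dump states, log every vanished state, return the new snapshot."""
    # Real dump when none is injected; each call walks the whole state table.
    dump = dump or (lambda: subprocess.check_output(["pfctl", "-ss", "-vv"], text=True))
    current = parse_states(dump())
    for sid, (pi, po, bi, bo) in vanished_states(previous, current).items():
        logfile.write(f"{sid} pkts={pi}:{po} bytes={bi}:{bo}\n")
    return current
```

Counters of a state that is created and torn down between two polls are never observed, and the logged values are the last snapshot, not the final totals; that is the gap the thread describes.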

Re: pf - state counter tracking like pfsync

Özkan KIRIK
Thank you for the clarification.

On Sun, Jun 28, 2020 at 1:10 PM Kristof Provost <[hidden email]> wrote:

> On 26 Jun 2020, at 13:56, Özkan KIRIK wrote:
> > My goal is to save the pkt/byte counters of each expired/killed/closed state
> > into
> > a txt file.
> > What is the right way to do this in userspace?
>
> There’s no real right way to do this using pf. There are a couple of
> things that’ll get close, but no 100% solution.
>
> > Is it possible to do something with ioctl & poll?
> >
> No. You could poll the states, but you’d heavily affect throughput and
> you’re going to miss data.
>
> > Alternatively, is it possible to create multiple pfsync interfaces,
> > the first
> > one for the real purpose of sending state changes to the slave host, and the second
> > one
> > for sending to this log collection process on lo1?
> >
> No, it’s not possible to create more than one pfsync interface. Pfsync
> can send its data to a multicast group, so you could have multiple
> subscribers.
>
> Note that pfsync optimises updates, so it’s likely that short-lived
> connections (i.e. where the connection is set up, used and closed before
> the next sync) will not result in sync messages.
>
> > The following lines prevent cloning a second pfsync interface:
> > /usr/src/sys/netpfil/pf/if_pfsync.c, line 331 (pfsync_clone_create
> > function)
> >
> >   if (unit != 0)
> >     return (EINVAL);
> >
> > If I remove these lines, will I hit any error?
> >
> Yes, that will break. Pfsync is not designed to have multiple
> interfaces.
>
> Kristof
>