author | Damien Miller <djm@cvs.openbsd.org> | 2003-06-21 09:07:02 +0000 |
committer | Damien Miller <djm@cvs.openbsd.org> | 2003-06-21 09:07:02 +0000 |
commit | 254e79c998b297ccae33efa965dd18d33c468f4b (patch) | |
tree | b94639419d9442cfbf9ec288e11947f3c82da7ca | |
parent | 130157255f5676b7ae00e81c69c434ee5da1dfa4 (diff) |
count packets and bytes bidirectionally on state entries, allowing for fine-grained
traffic reporting w/ pfsync; ok dhartmei@
Note: ABI change (new fields in struct pf_state), requires a rebuild of
pfctl and tcpdump.
-rw-r--r-- | sbin/pfctl/pf_print_state.c | 5 | ||||
-rw-r--r-- | sys/net/if_pfsync.c | 8 | ||||
-rw-r--r-- | sys/net/pf.c | 60 | ||||
-rw-r--r-- | sys/net/pf_ioctl.c | 6 | ||||
-rw-r--r-- | sys/net/pfvar.h | 6 | ||||
-rw-r--r-- | usr.sbin/tcpdump/print-pfsync.c | 10 |
6 files changed, 55 insertions, 40 deletions
diff --git a/sbin/pfctl/pf_print_state.c b/sbin/pfctl/pf_print_state.c
index a61bc422213..74060871211 100644
--- a/sbin/pfctl/pf_print_state.c
+++ b/sbin/pfctl/pf_print_state.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_print_state.c,v 1.30 2003/06/20 16:53:48 deraadt Exp $ */
+/* $OpenBSD: pf_print_state.c,v 1.31 2003/06/21 09:07:01 djm Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -250,7 +250,8 @@ print_state(struct pf_state *s, int opts)
 min = s->expire % 60;
 s->expire /= 60;
 printf(", expires in %.2u:%.2u:%.2u", s->expire, min, sec);
- printf(", %u pkts, %u bytes", s->packets, s->bytes);
+ printf(", %u:%u pkts, %u:%u bytes",
+ s->packets[0], s->packets[1], s->bytes[0], s->bytes[1]);
 if (s->anchor.nr != -1)
 printf(", anchor %u", s->anchor.nr);
 if (s->rule.nr != -1)
diff --git a/sys/net/if_pfsync.c b/sys/net/if_pfsync.c
index 89a4f223ad9..e29a06ec861 100644
--- a/sys/net/if_pfsync.c
+++ b/sys/net/if_pfsync.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_pfsync.c,v 1.5 2003/05/03 21:15:11 deraadt Exp $ */
+/* $OpenBSD: if_pfsync.c,v 1.6 2003/06/21 09:07:01 djm Exp $ */
 
 /*
  * Copyright (c) 2002 Michael Shalayeff
@@ -284,8 +284,10 @@ pfsync_pack_state(action, st)
 sp->expire = htonl(0);
 else
 sp->expire = htonl(st->expire - secs);
- sp->packets = htonl(st->packets);
- sp->bytes = htonl(st->bytes);
+ sp->packets[0] = htonl(st->packets[0]);
+ sp->packets[1] = htonl(st->packets[1]);
+ sp->bytes[0] = htonl(st->bytes[0]);
+ sp->bytes[1] = htonl(st->bytes[1]);
 if (r == NULL)
 sp->rule.nr = htonl(-1);
 else
diff --git a/sys/net/pf.c b/sys/net/pf.c
index bdd9d41201b..fbf3e7a9741 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.366 2003/06/20 18:24:57 dhartmei Exp $ */
+/* $OpenBSD: pf.c,v 1.367 2003/06/21 09:07:01 djm Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
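Review bot: The new `%u:%u pkts, %u:%u bytes` output in print_state does not say which half of each pair is which direction, and pfctl's state listing is the only place most users will ever see these counters. Going by the dirndx assignments in pf.c elsewhere in this commit, slot 0 is the packet travelling in the state's own direction and slot 1 the reply direction, so a comment above the printf, `/* [0]: state direction, [1]: reply direction */`, would make the output interpretable without reading the kernel source. That labelling is inferred from pf.c, not from this file, so confirm it before wording the comment. print_state begins and ends outside the hunk.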
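Review bot: pfsync_pack_state now serializes four 32-bit counters where the previous record had two, so every field laid out after bytes[] (af, proto and direction per the pfvar.h hunk) moves by eight bytes on the wire, and the diffstat shows no pfsync header or protocol-version change alongside it. If the pfsync record really is a struct pf_state image, as filling sp field-by-field from st suggests, a peer still running the old layout would presumably decode the trailing fields from the wrong offsets instead of rejecting the packet. A version bump, or a length check on the receive side against the new record size, would turn that silent mis-decode into a detectable mismatch. pfsync_pack_state begins and ends outside the hunk.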
@@ -2352,8 +2352,8 @@ pf_test_tcp(struct pf_rule **rm, struct pf_state **sm, int direction,
 s->creation = time.tv_sec;
 s->expire = time.tv_sec;
 s->timeout = PFTM_TCP_FIRST_PACKET;
- s->packets = 1;
- s->bytes = pd->tot_len;
+ s->packets[0] = 1;
+ s->bytes[0] = pd->tot_len;
 if ((pd->flags & PFDESC_TCP_NORM) && pf_normalize_tcp_init(m, off, pd, th, &s->src, &s->dst)) {
@@ -2623,8 +2623,8 @@ pf_test_udp(struct pf_rule **rm, struct pf_state **sm, int direction,
 s->creation = time.tv_sec;
 s->expire = time.tv_sec;
 s->timeout = PFTM_UDP_FIRST_PACKET;
- s->packets = 1;
- s->bytes = pd->tot_len;
+ s->packets[0] = 1;
+ s->bytes[0] = pd->tot_len;
 if (pf_insert_state(s)) {
 REASON_SET(&reason, PFRES_MEMORY);
 pool_put(&pf_state_pl, s);
@@ -2872,8 +2872,8 @@ pf_test_icmp(struct pf_rule **rm, struct pf_state **sm, int direction,
 s->creation = time.tv_sec;
 s->expire = time.tv_sec;
 s->timeout = PFTM_ICMP_FIRST_PACKET;
- s->packets = 1;
- s->bytes = pd->tot_len;
+ s->packets[0] = 1;
+ s->bytes[0] = pd->tot_len;
 if (pf_insert_state(s)) {
 REASON_SET(&reason, PFRES_MEMORY);
 pool_put(&pf_state_pl, s);
@@ -3104,8 +3104,8 @@ pf_test_other(struct pf_rule **rm, struct pf_state **sm, int direction,
 s->creation = time.tv_sec;
 s->expire = time.tv_sec;
 s->timeout = PFTM_OTHER_FIRST_PACKET;
- s->packets = 1;
- s->bytes = pd->tot_len;
+ s->packets[0] = 1;
+ s->bytes[0] = pd->tot_len;
 if (pf_insert_state(s)) {
 REASON_SET(&reason, PFRES_MEMORY);
 if (r->log)
@@ -3209,7 +3209,7 @@ pf_test_state_tcp(struct pf_state **state, int direction, struct ifnet *ifp,
 u_int16_t win = ntohs(th->th_win);
 u_int32_t ack, end, seq;
 u_int8_t sws, dws;
- int ackskew;
+ int ackskew, dirndx;
 int copyback = 0;
 struct pf_state_peer *src, *dst;
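Review bot: pf_test_tcp initialises only the creating direction, `s->packets[0] = 1;` and `s->bytes[0] = pd->tot_len;`, and never writes packets[1] or bytes[1]; unless the freshly allocated state is cleared somewhere before this point (not visible in the hunk), the reply-direction counters start as whatever the pool handed back, and pfsync and pfctl would report that garbage as traffic. If the allocation is not zeroed, initialise both halves the way pf_ioctl.c does in this commit, `s->packets[1] = s->bytes[1] = 0;`; the same applies to pf_test_udp, pf_test_icmp and pf_test_other in the next three hunks. Using index 0 here is right, since the packet that creates the state by definition travels in the state's own direction. All four functions begin and end outside their hunks.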
@@ -3225,9 +3225,11 @@ pf_test_state_tcp(struct pf_state **state, int direction, struct ifnet *ifp,
 if (direction == (*state)->direction) {
 src = &(*state)->src;
 dst = &(*state)->dst;
+ dirndx = 0;
 } else {
 src = &(*state)->dst;
 dst = &(*state)->src;
+ dirndx = 1;
 }
 
 if ((*state)->src.state == PF_TCPS_PROXY_SRC) {
@@ -3425,8 +3427,8 @@ pf_test_state_tcp(struct pf_state **state, int direction, struct ifnet *ifp,
 (ackskew <= (MAXACKWINDOW << sws))) {
 /* Acking not more than one window forward */
- (*state)->packets++;
- (*state)->bytes += pd->tot_len;
+ (*state)->packets[dirndx]++;
+ (*state)->bytes[dirndx] += pd->tot_len;
 /* update max window */
 if (src->max_win < win)
@@ -3507,12 +3509,13 @@ pf_test_state_tcp(struct pf_state **state, int direction, struct ifnet *ifp,
 printf("pf: loose state match: ");
 pf_print_state(*state);
 pf_print_flags(th->th_flags);
- printf(" seq=%u ack=%u len=%u ackskew=%d pkts=%d\n",
- seq, ack, pd->p_len, ackskew, (*state)->packets);
+ printf(" seq=%u ack=%u len=%u ackskew=%d pkts=%d:%d\n",
+ seq, ack, pd->p_len, ackskew,
+ (*state)->packets[0], (*state)->packets[1]);
 }
- (*state)->packets++;
- (*state)->bytes += pd->tot_len;
+ (*state)->packets[dirndx]++;
+ (*state)->bytes[dirndx] += pd->tot_len;
 /* update max window */
 if (src->max_win < win)
@@ -3561,9 +3564,9 @@ pf_test_state_tcp(struct pf_state **state, int direction, struct ifnet *ifp,
 printf("pf: BAD state: ");
 pf_print_state(*state);
 pf_print_flags(th->th_flags);
- printf(" seq=%u ack=%u len=%u ackskew=%d pkts=%d "
+ printf(" seq=%u ack=%u len=%u ackskew=%d pkts=%d:%d "
 "dir=%s,%s\n", seq, ack, pd->p_len, ackskew,
- ++(*state)->packets,
+ (*state)->packets[0], (*state)->packets[1],
 direction == PF_IN ? "in" : "out",
 direction == (*state)->direction ? "fwd" : "rev");
 printf("pf: State failure on: %c %c %c %c | %c %c\n",
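Review bot: In the "pf: BAD state" branch the old printf argument `++(*state)->packets` both printed and incremented the counter, whereas the replacement `(*state)->packets[0], (*state)->packets[1]` only prints, so a packet rejected as a bad state match no longer counts against the state in either direction. Not counting a packet that is about to be dropped is arguably the better accounting, but it is a behaviour change the commit message does not mention and the loose-match branch just above still counts its packet. If it is intended, a one-line comment such as `/* rejected packets are not counted */` above the printf will stop a later reader from "fixing" it; if not, `(*state)->packets[dirndx]++;` before the printf restores the old count using the index assigned in the first hunk on this line. pf_test_state_tcp continues outside the hunk.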
@@ -3622,6 +3625,7 @@ pf_test_state_udp(struct pf_state **state, int direction, struct ifnet *ifp,
 struct pf_state_peer *src, *dst;
 struct pf_tree_node key;
 struct udphdr *uh = pd->hdr.udp;
+ int dirndx;
 
 key.af = pd->af;
 key.proto = IPPROTO_UDP;
@@ -3635,13 +3639,15 @@ pf_test_state_udp(struct pf_state **state, int direction, struct ifnet *ifp,
 if (direction == (*state)->direction) {
 src = &(*state)->src;
 dst = &(*state)->dst;
+ dirndx = 0;
 } else {
 src = &(*state)->dst;
 dst = &(*state)->src;
+ dirndx = 1;
 }
- (*state)->packets++;
- (*state)->bytes += pd->tot_len;
+ (*state)->packets[dirndx]++;
+ (*state)->bytes[dirndx] += pd->tot_len;
 /* update states */
 if (src->state < PFUDPS_SINGLE)
@@ -3689,7 +3695,7 @@ pf_test_state_icmp(struct pf_state **state, int direction, struct ifnet *ifp,
 struct pf_addr *saddr = pd->src, *daddr = pd->dst;
 u_int16_t icmpid, *icmpsum;
 u_int8_t icmptype;
- int state_icmp = 0;
+ int state_icmp = 0, dirndx;
 
 switch (pd->proto) {
 #ifdef INET
@@ -3738,8 +3744,9 @@ pf_test_state_icmp(struct pf_state **state, int direction, struct ifnet *ifp,
 STATE_LOOKUP();
- (*state)->packets++;
- (*state)->bytes += pd->tot_len;
+ dirndx = (direction == (*state)->direction) ? 0 : 1;
+ (*state)->packets[dirndx]++;
+ (*state)->bytes[dirndx] += pd->tot_len;
 (*state)->expire = time.tv_sec;
 (*state)->timeout = PFTM_ICMP_ERROR_REPLY;
@@ -4212,6 +4219,7 @@ pf_test_state_other(struct pf_state **state, int direction, struct ifnet *ifp,
 {
 struct pf_state_peer *src, *dst;
 struct pf_tree_node key;
+ int dirndx;
 
 key.af = pd->af;
 key.proto = pd->proto;
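Review bot: pf_test_state_icmp computes the slot with a standalone ternary, `dirndx = (direction == (*state)->direction) ? 0 : 1;`, while pf_test_state_tcp, pf_test_state_udp and pf_test_state_other assign it inside the src/dst if/else, so the same rule now appears in two shapes in one file. Both are correct, and the ICMP path has no src/dst selection to hang the assignment on, so the ternary is the reasonable choice here; what is missing is a statement of the convention at the one place it is computed in isolation, e.g. `/* 0: packet follows the state's direction, 1: reply */` next to it. The rest of pf_test_state_icmp lies outside the hunk.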
@@ -4225,13 +4233,15 @@ pf_test_state_other(struct pf_state **state, int direction, struct ifnet *ifp,
 if (direction == (*state)->direction) {
 src = &(*state)->src;
 dst = &(*state)->dst;
+ dirndx = 0;
 } else {
 src = &(*state)->dst;
 dst = &(*state)->src;
+ dirndx = 1;
 }
- (*state)->packets++;
- (*state)->bytes += pd->tot_len;
+ (*state)->packets[dirndx]++;
+ (*state)->bytes[dirndx] += pd->tot_len;
 /* update states */
 if (src->state < PFOTHERS_SINGLE)
diff --git a/sys/net/pf_ioctl.c b/sys/net/pf_ioctl.c
index 63bef915ec4..a9d2aaa4a02 100644
--- a/sys/net/pf_ioctl.c
+++ b/sys/net/pf_ioctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_ioctl.c,v 1.68 2003/06/08 09:41:08 cedric Exp $ */
+/* $OpenBSD: pf_ioctl.c,v 1.69 2003/06/21 09:07:01 djm Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -1085,8 +1085,8 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
 state->anchor.ptr = NULL;
 state->rt_ifp = NULL;
 state->creation = time.tv_sec;
- state->packets = 0;
- state->bytes = 0;
+ state->packets[0] = state->packets[1] = 0;
+ state->bytes[0] = state->bytes[1] = 0;
 if (pf_insert_state(state)) {
 pool_put(&pf_state_pl, state);
 error = ENOMEM;
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 5bea9368633..d821ea4f77c 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfvar.h,v 1.156 2003/06/20 18:24:57 dhartmei Exp $ */
+/* $OpenBSD: pfvar.h,v 1.157 2003/06/21 09:07:01 djm Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -458,8 +458,8 @@ struct pf_state {
 struct ifnet *rt_ifp;
 u_int32_t creation;
 u_int32_t expire;
- u_int32_t packets;
- u_int32_t bytes;
+ u_int32_t packets[2];
+ u_int32_t bytes[2];
 sa_family_t af;
 u_int8_t proto;
 u_int8_t direction;
diff --git a/usr.sbin/tcpdump/print-pfsync.c b/usr.sbin/tcpdump/print-pfsync.c
index 1d837a3a256..378a9161481 100644
--- a/usr.sbin/tcpdump/print-pfsync.c
+++ b/usr.sbin/tcpdump/print-pfsync.c
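Review bot: The new `u_int32_t packets[2];` and `u_int32_t bytes[2];` members in struct pf_state carry no comment saying what the two slots mean, and since this struct is the ABI that pfctl, tcpdump and pfsync all decode (the commit message says as much), the header is the one place to pin the convention: `u_int32_t packets[2]; /* [0] state direction, [1] reply */` and the same for bytes, matching the dirndx assignments in pf.c. Separately, a 32-bit byte counter wraps after 4 GiB in a single direction, which a long-lived state can reach once these fields feed traffic reporting; if wider counters are out of scope because of the record size, a `/* wraps at 2^32 */` comment on bytes[] tells consumers to treat the value modulo 2^32 rather than as a total. struct pf_state starts and ends outside the hunk.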
@@ -1,4 +1,4 @@
-/* $OpenBSD: print-pfsync.c,v 1.7 2003/01/07 00:28:08 dhartmei Exp $ */
+/* $OpenBSD: print-pfsync.c,v 1.8 2003/06/21 09:07:00 djm Exp $ */
 
 /*
  * Copyright (c) 2002 Michael Shalayeff
@@ -28,7 +28,7 @@
 
 #ifndef lint
 static const char rcsid[] =
- "@(#) $Header: /cvs/OpenBSD/src/usr.sbin/tcpdump/print-pfsync.c,v 1.7 2003/01/07 00:28:08 dhartmei Exp $";
+ "@(#) $Header: /cvs/OpenBSD/src/usr.sbin/tcpdump/print-pfsync.c,v 1.8 2003/06/21 09:07:00 djm Exp $";
 #endif
 
 #include <sys/param.h>
@@ -114,8 +114,10 @@ pfsync_if_print(u_char *user, const struct pcap_pkthdr *h,
 bcopy(&s->rt_addr, &st.rt_addr, sizeof(st.rt_addr));
 st.creation = ntohl(s->creation);
 st.expire = ntohl(s->expire);
- st.packets = ntohl(s->packets);
- st.bytes = ntohl(s->bytes);
+ st.packets[0] = ntohl(s->packets[0]);
+ st.packets[1] = ntohl(s->packets[1]);
+ st.bytes[0] = ntohl(s->bytes[0]);
+ st.bytes[1] = ntohl(s->bytes[1]);
 st.af = s->af;
 st.proto = s->proto;
 st.direction = s->direction;