authorBret Lambert <blambert@cvs.openbsd.org>2013-07-05 13:07:59 +0000
committerBret Lambert <blambert@cvs.openbsd.org>2013-07-05 13:07:59 +0000
commit76cbef18617368358bd97db20ff50cb8d212c924 (patch)
treed7e6b6a2e8cd333a749f4b791849d9f2b8a0010e /sbin/pfctl
parent6ef46a309357346a959de1eee7f09d64d74de0f3 (diff)
Collect and display 'match' counters for pf tables.
While here, fix pf table displays to fit within 80 chars. Manpage input jmc@ ok henning@ reyk@
Diffstat (limited to 'sbin/pfctl')
-rw-r--r--sbin/pfctl/pfctl.850
-rw-r--r--sbin/pfctl/pfctl_table.c10
2 files changed, 33 insertions, 27 deletions
diff --git a/sbin/pfctl/pfctl.8 b/sbin/pfctl/pfctl.8
index 44a6764d763..63b2603048b 100644
--- a/sbin/pfctl/pfctl.8
+++ b/sbin/pfctl/pfctl.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pfctl.8,v 1.157 2013/03/13 20:57:47 sthen Exp $
+.\" $OpenBSD: pfctl.8,v 1.158 2013/07/05 13:07:57 blambert Exp $
.\"
.\" Copyright (c) 2001 Kjell Wooding. All rights reserved.
.\"
@@ -24,7 +24,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: March 13 2013 $
+.Dd $Mdocdate: July 5 2013 $
.Dt PFCTL 8
.Os
.Sh NAME
@@ -559,18 +559,23 @@ server:
We can now use the table
.Cm show
command to output, for each address and packet direction, the number of packets
-and bytes that are being passed or blocked by rules referencing the table.
+and bytes that are being passed, matched or blocked by rules referencing the
+table.
+Note that the match counters are incremented for every match rule in which
+they are referenced, meaning that a single packet may be counted multiple times.
The time at which the current accounting started is also shown with the
.Dq Cleared
line.
.Bd -literal -offset indent
# pfctl -t test -vTshow
- 129.128.5.191
- Cleared: Thu Feb 13 18:55:18 2003
- In/Block: [ Packets: 0 Bytes: 0 ]
- In/Pass: [ Packets: 10 Bytes: 840 ]
- Out/Block: [ Packets: 0 Bytes: 0 ]
- Out/Pass: [ Packets: 10 Bytes: 840 ]
+ 198.51.100.81
+ Cleared: Fri Jun 28 11:17:37 2013
+ In/Block: [ Packets: 0 Bytes: 0 ]
+ In/Match [ Packets: 54 Bytes: 10028 ]
+ In/Pass: [ Packets: 5 Bytes: 1949 ]
+ Out/Block: [ Packets: 0 Bytes: 0 ]
+ Out/Match [ Packets: 65 Bytes: 12684 ]
+ Out/Pass: [ Packets: 6 Bytes: 389 ]
.Ed
.Pp
Similarly, it is possible to view global information about the tables
@@ -586,21 +591,22 @@ packet statistics for the whole table:
.Bd -literal -offset indent
# pfctl -vvsTables
--a-r-C test
- Addresses: 1
- Cleared: Thu Feb 13 18:55:18 2003
- References: [ Anchors: 0 Rules: 1 ]
- Evaluations: [ NoMatch: 3496 Match: 1 ]
- In/Block: [ Packets: 0 Bytes: 0 ]
- In/Pass: [ Packets: 10 Bytes: 840 ]
- In/XPass: [ Packets: 0 Bytes: 0 ]
- Out/Block: [ Packets: 0 Bytes: 0 ]
- Out/Pass: [ Packets: 10 Bytes: 840 ]
- Out/XPass: [ Packets: 0 Bytes: 0 ]
+ Addresses: 1
+ Cleared: Fri Jun 28 11:17:37 2013
+ References: [ Anchors: 0 Rules: 4 ]
+ Evaluations: [ NoMatch: 35 Match: 8 ]
+ In/Block: [ Packets: 0 Bytes: 0 ]
+ In/Match: [ Packets: 54 Bytes: 10028 ]
+ In/Pass: [ Packets: 5 Bytes: 1949 ]
+ In/XPass: [ Packets: 0 Bytes: 0 ]
+ Out/Block: [ Packets: 0 Bytes: 0 ]
+ Out/Match: [ Packets: 65 Bytes: 12684 ]
+ Out/Pass: [ Packets: 6 Bytes: 389 ]
+ Out/XPass: [ Packets: 0 Bytes: 0 ]
.Ed
.Pp
-As we can see here, only one packet \- the initial ping request \- matched the
-table, but all packets passing as the result of the state are correctly
-accounted for.
+Only packets creating state are matched in the Evaluations line,
+but all packets passing as a result of the state are correctly accounted for.
Reloading the table(s) or ruleset will not affect packet accounting in any way.
The two
.Dq XPass
diff --git a/sbin/pfctl/pfctl_table.c b/sbin/pfctl/pfctl_table.c
index 002da62c708..afe4d7f9075 100644
--- a/sbin/pfctl/pfctl_table.c
+++ b/sbin/pfctl/pfctl_table.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_table.c,v 1.71 2011/07/27 00:26:10 mcbride Exp $ */
+/* $OpenBSD: pfctl_table.c,v 1.72 2013/07/05 13:07:57 blambert Exp $ */
/*
* Copyright (c) 2002 Cedric Berger
@@ -64,8 +64,8 @@ static void xprintf(int, const char *, ...);
static void print_iface(struct pfi_kif *, int);
static const char *stats_text[PFR_DIR_MAX][PFR_OP_TABLE_MAX] = {
- { "In/Block:", "In/Pass:", "In/XPass:" },
- { "Out/Block:", "Out/Pass:", "Out/XPass:" }
+ { "In/Block:", "In/Match:", "In/Pass:", "In/XPass:" },
+ { "Out/Block:", "Out/Match:", "Out/Pass:", "Out/XPass:" }
};
static const char *istats_text[2][2][2] = {
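Review bot: The new `In/Match:` / `Out/Match:` labels in stats_text are emitted with a trailing colon, but the manpage example for `pfctl -t test -vTshow` updated in this same commit shows `In/Match [` and `Out/Match [` without it, while the `-vvsTables` example has the colon; one of the two should be corrected so the documented output matches what print_astats prints. The initializer now holds four entries per direction against the declared `[PFR_DIR_MAX][PFR_OP_TABLE_MAX]` bound, so this presumably relies on PFR_OP_TABLE_MAX (and PFR_OP_ADDR_MAX, which the loop in print_astats uses) having been bumped in the kernel header, which is outside this diffstat. A one-line comment recording that coupling, e.g. `/* column order must match the PFR_OP_* values in <net/pfvar.h> */`, would help whoever adds the next counter.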
@@ -483,7 +483,7 @@ print_astats(struct pfr_astats *as, int dns)
int dir, op;
print_addrx(&as->pfras_a, NULL, dns);
- printf("\tCleared: %s", ctime(&time));
+ printf("\tCleared: %s", ctime(&time));
if (as->pfras_a.pfra_states)
printf("\tActive States: %d\n", as->pfras_a.pfra_states);
if (as->pfras_a.pfra_type == PFRKE_COST)
@@ -494,7 +494,7 @@ print_astats(struct pfr_astats *as, int dns)
return;
for (dir = 0; dir < PFR_DIR_MAX; dir++)
for (op = 0; op < PFR_OP_ADDR_MAX; op++)
- printf("\t%-19s [ Packets: %-18llu Bytes: %-18llu ]\n",
+ printf("\t%-12s [ Packets: %-18llu Bytes: %-18llu ]\n",
stats_text[dir][op],
(unsigned long long)as->pfras_packets[dir][op],
(unsigned long long)as->pfras_bytes[dir][op]);
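Review bot: The `%-12s` width in the printf is a magic number tied to the longest label in stats_text (`Out/Block:`, `Out/Match:` and `Out/XPass:` are 10 characters) and to the 80-column goal from the commit message, but nothing in the code records that, so the next label added will silently misalign the display. A comment on the format line such as `/* %-12s: widest stats_text label is 10 chars; with the tab the row is 78 columns */` would preserve the intent. print_astats starts and ends outside this hunk.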