author | Bret Lambert <blambert@cvs.openbsd.org> | 2013-07-05 13:07:59 +0000 |
---|---|---|
committer | Bret Lambert <blambert@cvs.openbsd.org> | 2013-07-05 13:07:59 +0000 |
commit | 76cbef18617368358bd97db20ff50cb8d212c924 (patch) | |
tree | d7e6b6a2e8cd333a749f4b791849d9f2b8a0010e /sbin/pfctl | |
parent | 6ef46a309357346a959de1eee7f09d64d74de0f3 (diff) |
Collect and display 'match' counters for pf tables.
While here, fix pf table displays to fit within 80 chars.
Manpage input jmc@
ok henning@ reyk@
Diffstat (limited to 'sbin/pfctl')
-rw-r--r-- | sbin/pfctl/pfctl.8 | 50 | ||||
-rw-r--r-- | sbin/pfctl/pfctl_table.c | 10 |
2 files changed, 33 insertions, 27 deletions
diff --git a/sbin/pfctl/pfctl.8 b/sbin/pfctl/pfctl.8
index 44a6764d763..63b2603048b 100644
--- a/sbin/pfctl/pfctl.8
+++ b/sbin/pfctl/pfctl.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pfctl.8,v 1.157 2013/03/13 20:57:47 sthen Exp $
+.\" $OpenBSD: pfctl.8,v 1.158 2013/07/05 13:07:57 blambert Exp $
 .\"
 .\" Copyright (c) 2001 Kjell Wooding. All rights reserved.
 .\"
@@ -24,7 +24,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 13 2013 $
+.Dd $Mdocdate: July 5 2013 $
 .Dt PFCTL 8
 .Os
 .Sh NAME
@@ -559,18 +559,23 @@ server:
 We can now use the table
 .Cm show
 command to output, for each address and packet direction, the number of packets
-and bytes that are being passed or blocked by rules referencing the table.
+and bytes that are being passed, matched or blocked by rules referencing the
+table.
+Note that the match counters are incremented for every match rule in which
+they are referenced, meaning that a single packet may be counted multiple times.
 The time at which the current accounting started is also shown with the
 .Dq Cleared
 line.
 .Bd -literal -offset indent
 # pfctl -t test -vTshow
- 129.128.5.191
- Cleared: Thu Feb 13 18:55:18 2003
- In/Block: [ Packets: 0 Bytes: 0 ]
- In/Pass: [ Packets: 10 Bytes: 840 ]
- Out/Block: [ Packets: 0 Bytes: 0 ]
- Out/Pass: [ Packets: 10 Bytes: 840 ]
+ 198.51.100.81
+ Cleared: Fri Jun 28 11:17:37 2013
+ In/Block: [ Packets: 0 Bytes: 0 ]
+ In/Match [ Packets: 54 Bytes: 10028 ]
+ In/Pass: [ Packets: 5 Bytes: 1949 ]
+ Out/Block: [ Packets: 0 Bytes: 0 ]
+ Out/Match [ Packets: 65 Bytes: 12684 ]
+ Out/Pass: [ Packets: 6 Bytes: 389 ]
 .Ed
 .Pp
 Similarly, it is possible to view global information about the tables
@@ -586,21 +591,22 @@ packet statistics for the whole table:
 .Bd -literal -offset indent
 # pfctl -vvsTables
 --a-r-C test
- Addresses: 1
- Cleared: Thu Feb 13 18:55:18 2003
- References: [ Anchors: 0 Rules: 1 ]
- Evaluations: [ NoMatch: 3496 Match: 1 ]
- In/Block: [ Packets: 0 Bytes: 0 ]
- In/Pass: [ Packets: 10 Bytes: 840 ]
- In/XPass: [ Packets: 0 Bytes: 0 ]
- Out/Block: [ Packets: 0 Bytes: 0 ]
- Out/Pass: [ Packets: 10 Bytes: 840 ]
- Out/XPass: [ Packets: 0 Bytes: 0 ]
+ Addresses: 1
+ Cleared: Fri Jun 28 11:17:37 2013
+ References: [ Anchors: 0 Rules: 4 ]
+ Evaluations: [ NoMatch: 35 Match: 8 ]
+ In/Block: [ Packets: 0 Bytes: 0 ]
+ In/Match: [ Packets: 54 Bytes: 10028 ]
+ In/Pass: [ Packets: 5 Bytes: 1949 ]
+ In/XPass: [ Packets: 0 Bytes: 0 ]
+ Out/Block: [ Packets: 0 Bytes: 0 ]
+ Out/Match: [ Packets: 65 Bytes: 12684 ]
+ Out/Pass: [ Packets: 6 Bytes: 389 ]
+ Out/XPass: [ Packets: 0 Bytes: 0 ]
 .Ed
 .Pp
-As we can see here, only one packet \- the initial ping request \- matched the
-table, but all packets passing as the result of the state are correctly
-accounted for.
+Only packets creating state are matched in the Evaluations line,
+but all packets passing as a result of the state are correctly accounted for.
 Reloading the table(s) or ruleset will not affect packet accounting in any way.
 The two
 .Dq XPass
diff --git a/sbin/pfctl/pfctl_table.c b/sbin/pfctl/pfctl_table.c
index 002da62c708..afe4d7f9075 100644
--- a/sbin/pfctl/pfctl_table.c
+++ b/sbin/pfctl/pfctl_table.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_table.c,v 1.71 2011/07/27 00:26:10 mcbride Exp $ */
+/* $OpenBSD: pfctl_table.c,v 1.72 2013/07/05 13:07:57 blambert Exp $ */

 /*
  * Copyright (c) 2002 Cedric Berger
@@ -64,8 +64,8 @@ static void xprintf(int, const char *, ...);
 static void print_iface(struct pfi_kif *, int);

 static const char *stats_text[PFR_DIR_MAX][PFR_OP_TABLE_MAX] = {
- { "In/Block:", "In/Pass:", "In/XPass:" },
- { "Out/Block:", "Out/Pass:", "Out/XPass:" }
+ { "In/Block:", "In/Match:", "In/Pass:", "In/XPass:" },
+ { "Out/Block:", "Out/Match:", "Out/Pass:", "Out/XPass:" }
 };

 static const char *istats_text[2][2][2] = {
@@ -483,7 +483,7 @@ print_astats(struct pfr_astats *as, int dns)
 int dir, op;

 print_addrx(&as->pfras_a, NULL, dns);
- printf("\tCleared: %s", ctime(&time));
+ printf("\tCleared: %s", ctime(&time));
 if (as->pfras_a.pfra_states)
 printf("\tActive States: %d\n", as->pfras_a.pfra_states);
 if (as->pfras_a.pfra_type == PFRKE_COST)
@@ -494,7 +494,7 @@ print_astats(struct pfr_astats *as, int dns)
 return;
 for (dir = 0; dir < PFR_DIR_MAX; dir++)
 for (op = 0; op < PFR_OP_ADDR_MAX; op++)
- printf("\t%-19s [ Packets: %-18llu Bytes: %-18llu ]\n",
+ printf("\t%-12s [ Packets: %-18llu Bytes: %-18llu ]\n",
 stats_text[dir][op],
 (unsigned long long)as->pfras_packets[dir][op],
 (unsigned long long)as->pfras_bytes[dir][op]);
|
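Review bot: The new labels added to stats_text carry a trailing colon (`"In/Match:"`, `"Out/Match:"`), but the `pfctl -t test -vTshow` example this same commit adds to pfctl.8 prints `In/Match [ Packets:` and `Out/Match [ Packets:` without one, so the documented output and what print_astats emits disagree; the example should read `In/Match:` and `Out/Match:`, as the -vvsTables example a few lines later already does. The widened initializer also silently assumes PFR_OP_TABLE_MAX is now 4 and that the new column sits second in the PFR_OP_* order, while the print_astats loop still stops at PFR_OP_ADDR_MAX; both constants come from a header outside this diffstat, presumably updated in lockstep, so a comment on the table would protect the next editor: `/* indexed [dir][op]; column order must follow the PFR_OP_* enum that sizes PFR_OP_ADDR_MAX and PFR_OP_TABLE_MAX */`. print_astats begins before the second hunk and continues after the third.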