pf - state counter tracking like pfsync
Kristof Provost
kp at FreeBSD.org
Sun Jun 28 10:10:26 UTC 2020
On 26 Jun 2020, at 13:56, Özkan KIRIK wrote:
> My goal is to save the pkt/byte counters of each expired/killed/closed state
> into a txt file.
> What is the right way to do this in userspace?
There’s no real right way to do this using pf. There are a couple of
things that’ll get close, but no 100% solution.
> Is it possible to do something with ioctl & poll ?
>
No. You could poll the states, but you’d heavily affect throughput and
you’re going to miss data.
> Alternatively, is it possible to create multiple pfsync interfaces, the
> first one for its real purpose, sending state changes to the slave host, and
> the second one for sending to this log-collecting process on lo1?
>
No, it’s not possible to create more than one pfsync interface. Pfsync
can send its data to a multicast group, so you could have multiple
subscribers.
Note that pfsync optimises updates, so it’s likely that short-lived
connections (i.e. where the connection is set up, used and closed before
the next sync) will not result in sync messages.
> The following lines prevent cloning a second pfsync interface:
> /usr/src/sys/netpfil/pf/if_pfsync.c on line 331 (pfsync_clone_create
> function)
>
> if (unit != 0)
>         return (EINVAL);
>
> If I remove these lines, do I hit any error?
>
Yes, that will break. Pfsync is not designed to have multiple
interfaces.
Kristof
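For readers who nonetheless go the polling route that Kristof says is lossy, the following added example (my code, not anything from the thread or from pf) makes the loss concrete: it parses two successive verbose state dumps, reports the states that vanished between them with their last-seen packet and byte counters, and shows in its comments what a poller can never see. The snapshot text is constructed; the field layout it assumes (an `age ... pkts ... bytes` line and an `id: ... creatorid: ...` line under each state, as `pfctl -vvss` prints them) is an assumption to check against the pfctl(8) output of your own release.

```python
"""Poll-and-diff of two `pfctl -vvss` state dumps: states present in the first
and gone from the second are reported with their last-seen counters.
Added example, not code from the thread.  Snapshot text is constructed and
the assumed field layout (pkts/bytes line, `id:` line) should be checked
against your release's pfctl(8) output."""
import re
from dataclasses import dataclass

# "age 00:01:23, expires in 23:58:37, 120:150 pkts, 9000:240000 bytes, rule 3"
COUNTER_RE = re.compile(r"(\d+):(\d+) pkts, (\d+):(\d+) bytes")
# "id: 0000000000000001 creatorid: 0a0b0c0d"
ID_RE = re.compile(r"id: ([0-9a-f]+) creatorid: ([0-9a-f]+)")

@dataclass(frozen=True)
class State:
    key: str      # "id/creatorid" when present, else the address tuple
    header: str   # the unindented "if proto src -> dst STATE:STATE" line
    pkts_in: int
    pkts_out: int
    bytes_in: int
    bytes_out: int

def split_blocks(text):
    """An unindented line starts a state; indented lines belong to it."""
    blocks = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            blocks.append([line.strip()])
        elif blocks:
            blocks[-1].append(line.strip())
    return blocks

def parse_snapshot(text):
    """Return {key: State} for every state block that carries counters."""
    states = {}
    for block in split_blocks(text):
        header, counters, ident = block[0], None, None
        for line in block[1:]:
            if m := COUNTER_RE.search(line):
                counters = tuple(int(x) for x in m.groups())
            elif m := ID_RE.search(line):
                ident = f"{m.group(1)}/{m.group(2)}"
        if counters is None:
            continue
        # Without -vv there is no id line; fall back to the address tuple
        # (header minus the STATE:STATE word), which a new state can reuse.
        key = ident or header.rsplit(None, 1)[0]
        states[key] = State(key, header, *counters)
    return states

def expired_states(previous, current):
    """States in `previous` but not in `current`: closed, expired or killed
    between the polls.  Counters are the last *seen* values, not the final
    ones pf held at removal, and a state created and torn down between the
    two polls is in neither snapshot, so it is never reported.  That is the
    data loss the thread describes."""
    return [previous[k] for k in previous if k not in current]

def format_record(s):
    """One log line per expired state, the text record the poster wants."""
    return f"{s.header}\t{s.pkts_in}:{s.pkts_out} pkts\t{s.bytes_in}:{s.bytes_out} bytes"

# Constructed snapshots: the TCP state persists with growing counters, the
# UDP state is gone at T1, and a new SSH state has appeared at T1.
SNAPSHOT_T0 = """\
all tcp 192.0.2.10:40001 -> 198.51.100.5:443       ESTABLISHED:ESTABLISHED
   age 00:01:23, expires in 23:58:37, 120:150 pkts, 9000:240000 bytes, rule 3
   id: 0000000000000001 creatorid: 0a0b0c0d
all udp 192.0.2.11:53000 -> 198.51.100.53:53       MULTIPLE:SINGLE
   age 00:00:05, expires in 00:00:55, 2:2 pkts, 140:300 bytes, rule 4
   id: 0000000000000002 creatorid: 0a0b0c0d
"""
SNAPSHOT_T1 = """\
all tcp 192.0.2.10:40001 -> 198.51.100.5:443       ESTABLISHED:ESTABLISHED
   age 00:01:33, expires in 23:58:27, 130:170 pkts, 9500:300000 bytes, rule 3
   id: 0000000000000001 creatorid: 0a0b0c0d
all tcp 192.0.2.12:50002 -> 198.51.100.7:22        ESTABLISHED:ESTABLISHED
   age 00:00:02, expires in 23:59:58, 5:4 pkts, 400:600 bytes, rule 3
   id: 0000000000000003 creatorid: 0a0b0c0d
"""

def demo():
    """Diff the constructed snapshots and return the expired-state records."""
    prev, cur = parse_snapshot(SNAPSHOT_T0), parse_snapshot(SNAPSHOT_T1)
    return [format_record(s) for s in expired_states(prev, cur)]

if __name__ == "__main__":
    print("\n".join(demo()))
```

In a real deployment each snapshot would come from running `pfctl -vvss` on a timer; the diff then writes one line per vanished state. The two gaps are structural rather than bugs: the counters recorded are those of the last poll that saw the state, and anything that lived entirely inside one polling interval is invisible, which is exactly why the reply above says polling both costs throughput and misses data.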