pf - state counter tracking like pfsync

Özkan KIRIK ozkan.kirik at gmail.com
Sun Jun 28 10:15:46 UTC 2020


Thank you for the clarification.

On Sun, Jun 28, 2020 at 1:10 PM Kristof Provost <kp at freebsd.org> wrote:

> On 26 Jun 2020, at 13:56, Özkan KIRIK wrote:
> > My goal is to save the pkt/byte counters of each expired/killed/closed state
> > into a txt file.
> > What is the right way to do this in userspace?
>
> There’s no real right way to do this using pf. There are a couple of
> things that’ll get close, but no 100% solution.
>
> > Is it possible to do something with ioctl & poll ?
> >
> No. You could poll the states, but you’d heavily affect throughput and
> you’re going to miss data.
>
> > Alternatively, is it possible to create multiple pfsync interfaces, the
> > first one for the real purpose of sending state changes to the slave host,
> > and the second one for sending to this log collecting process on lo1?
> >
> No, it’s not possible to create more than one pfsync interface. Pfsync
> can send its data to a multicast group, so you could have multiple
> subscribers.
>
> Note that pfsync optimises updates, so it’s likely that short-lived
> connections (i.e. where the connection is set up, used and closed before
> the next sync) will not result in sync messages.
>
> > The following lines prevent cloning a second pfsync interface:
> > /usr/src/sys/netpfil/pf/if_pfsync.c, line 331 (pfsync_clone_create
> > function)
> >
> >   if (unit != 0)
> >     return (EINVAL);
> >
> > If I remove these lines, will I hit any error?
> >
> Yes, that will break. Pfsync is not designed to have multiple
> interfaces.
>
> Kristof
>
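The "poll the states" approach from the reply above, written out as an added example (it is not code from this thread or from FreeBSD's pfctl). It snapshots `pfctl -ss -vv`, diffs two consecutive snapshots, and writes one text line per state that disappeared, which is what the original question asked for. The caveats in the reply apply unchanged: a state created and closed between two polls is never logged, the counters written are those of the last poll that still saw the state, and frequent polling loads the firewall. Assumptions: the text layout of `pfctl -ss -vv` as shown in the constructed sample (key line, optional sequence line, counter line, `id: ... creatorid: ...` line); all addresses, counters and state ids in the sample are constructed.

```python
"""Poll pf's state table and log the counters of states that have gone away.

Added example; not from the mailing list thread or from FreeBSD's pfctl.
Caveat from the thread: states that come and go between two polls are never
seen, and a closed state's logged counters are from the last poll that saw it.
"""
import re
import subprocess
from typing import Dict, List

# Counter line, e.g. "age 00:01:23, expires in 23:58:37, 1234:1100 pkts, 123456:98765 bytes, rule 5"
_COUNTERS = re.compile(r"(\d+):(\d+) pkts, (\d+):(\d+) bytes")
# Id line printed with -vv, e.g. "id: 5f2b1c3a00000001 creatorid: 1a2b3c4d"
_STATE_ID = re.compile(r"id:\s*([0-9a-fA-F]+)\s+creatorid:\s*([0-9a-fA-F]+)")


def parse_states(text: str) -> Dict[str, dict]:
    """Parse `pfctl -ss -vv` output into {"creatorid:id": record}.

    A state block starts with an unindented key line ("<if> <proto> <src> <- <dst> <state>");
    indented lines belong to that block. Only the counter and id lines are used,
    other lines (sequence numbers, gateway, origif) are ignored. Assumed layout.
    """
    states: Dict[str, dict] = {}
    current: dict = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            current = {"key": " ".join(line.split())}
            continue
        m = _COUNTERS.search(line)
        if m:
            # The two numbers are the two directions exactly as pfctl prints them.
            current["pkts"] = (int(m.group(1)), int(m.group(2)))
            current["bytes"] = (int(m.group(3)), int(m.group(4)))
            continue
        m = _STATE_ID.search(line)
        if m:
            # creatorid disambiguates ids across hosts in a pfsync cluster.
            states[f"{m.group(2).lower()}:{m.group(1).lower()}"] = current
    return states


def closed_states(prev: Dict[str, dict], cur: Dict[str, dict]) -> List[dict]:
    """States seen in the previous snapshot but absent now: expired, killed or closed."""
    return [dict(prev[sid], id=sid) for sid in prev if sid not in cur]


def format_record(rec: dict) -> str:
    """One text line per closed state, suitable for appending to a log file."""
    return (f"{rec['id']} {rec['key']} pkts={rec['pkts'][0]}:{rec['pkts'][1]} "
            f"bytes={rec['bytes'][0]}:{rec['bytes'][1]}")


def snapshot_from_pfctl() -> Dict[str, dict]:
    """Live snapshot on FreeBSD (needs root). Not used by the sample run below."""
    out = subprocess.run(["pfctl", "-ss", "-vv"], check=True,
                         capture_output=True, text=True).stdout
    return parse_states(out)


# Constructed sample: two successive polls; the UDP state vanished in between.
SNAPSHOT_1 = """\
all tcp 192.0.2.10:22 <- 198.51.100.7:51234       ESTABLISHED:ESTABLISHED
   [4013247483 + 65536] wscale 7  [2781003122 + 65536] wscale 6
   age 00:01:23, expires in 23:58:37, 1234:1100 pkts, 123456:98765 bytes, rule 5
   id: 5f2b1c3a00000001 creatorid: 1a2b3c4d
all udp 192.0.2.10:53 <- 198.51.100.9:40001       MULTIPLE:SINGLE
   age 00:00:05, expires in 00:00:25, 2:1 pkts, 180:90 bytes, rule 7
   id: 5f2b1c3a00000002 creatorid: 1a2b3c4d
"""
SNAPSHOT_2 = """\
all tcp 192.0.2.10:22 <- 198.51.100.7:51234       ESTABLISHED:ESTABLISHED
   [4013247483 + 65536] wscale 7  [2781003122 + 65536] wscale 6
   age 00:01:33, expires in 23:58:27, 1300:1150 pkts, 130000:101000 bytes, rule 5
   id: 5f2b1c3a00000001 creatorid: 1a2b3c4d
"""


def sample_run() -> List[str]:
    """Log lines produced by comparing the two constructed snapshots."""
    closed = closed_states(parse_states(SNAPSHOT_1), parse_states(SNAPSHOT_2))
    return [format_record(r) for r in closed]


if __name__ == "__main__":
    # In production: loop on snapshot_from_pfctl() with a sleep and append to a file.
    for rec in sample_run():
        print(rec)
```

In a real deployment the loop calls `snapshot_from_pfctl()` at a fixed interval and appends `format_record()` output to the log; the interval is the trade-off the reply describes, since a shorter one misses fewer short-lived states but costs more throughput on the firewall.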

