
pfsync



Mickey (rather silently ;) committed his pfsync to -current yesterday,
and you might find this useful for a number of things. It's a pseudo
device similar to pflog, but instead of logged packets, state table
changes are sent there. Example:
# ifconfig pfsync0 up
# tcpdump -s1500 -evtni pfsync0
tcpdump: listening on pfsync0
[ now we log into the machine through ssh, rule 6 is 'pass in on gem0
  all keep state' ]
version 1 count 1: INS ST: rule 6 tcp 10.1.1.10:22 <- 10.1.1.10:22 <- 10.1.1.1:28307       CLOSED:SYN_SENT
   [0 + 1]  [3485610040 + 2]
   age 00:00:00, expires in 00:02:00, 1 pkts, 64 bytes, rule 6
[ after a couple of minutes, we close the ssh session ]
version 1 count 1: DEL ST: rule 6 tcp 10.1.1.10:22 <- 10.1.1.10:22 <- 10.1.1.1:28307       FIN_WAIT_2:FIN_WAIT_2
   [2790211351 + 17375]  [3485617414 + 17376]
   age 00:05:34, expires in 00:00:00, 2064 pkts, 241345 bytes, rule 6
I remember several people have asked about ways to gather statistics
on connection level (without having to count/sum packets), and pfsync
can help do that (though there are bigger plans for it, too ;).
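As an added illustration of that connection-level accounting (my code, not part of Daniel's post or of pf), here is a small parser for the tcpdump output format shown above: it pairs each state header with its counter line, and since a DEL record carries the state's final packet and byte counts, it yields one row per finished connection. The sample input is the two events quoted above; the regexes, the acceptance of "->" for outbound states, and the reading of the rightmost address as the remote peer are my assumptions.

```python
"""Turn tcpdump output from a pfsync interface into per-connection totals."""
import re
from typing import Dict, List

# Constructed sample: the two state-table events quoted in the post
# (tcpdump -s1500 -evtni pfsync0; an ssh session is opened, then closed).
SAMPLE = """\
version 1 count 1: INS ST: rule 6 tcp 10.1.1.10:22 <- 10.1.1.10:22 <- 10.1.1.1:28307       CLOSED:SYN_SENT
   [0 + 1]  [3485610040 + 2]
   age 00:00:00, expires in 00:02:00, 1 pkts, 64 bytes, rule 6
version 1 count 1: DEL ST: rule 6 tcp 10.1.1.10:22 <- 10.1.1.10:22 <- 10.1.1.1:28307       FIN_WAIT_2:FIN_WAIT_2
   [2790211351 + 17375]  [3485617414 + 17376]
   age 00:05:34, expires in 00:00:00, 2064 pkts, 241345 bytes, rule 6
"""

# Header line: action (INS = inserted, DEL = deleted), rule, protocol, three
# address:port fields and the state pair. The arrow is "<-" on inbound and
# "->" on outbound states; the rightmost field is the remote peer (assumed
# from the quoted example, where the ssh client is printed last).
HEADER = re.compile(
    r"^(?:version \d+ count \d+: )?(?P<action>[A-Z]+) ST: rule (?P<rule>\d+) "
    r"(?P<proto>\w+) (?P<local>\S+) (?P<arrow><-|->) \S+ (?P=arrow) "
    r"(?P<remote>\S+)\s+(?P<state>\S+)\s*$")
# Counter line: age as hh:mm:ss, then the packet and byte totals so far.
STATS = re.compile(r"^\s*age (\d+):(\d+):(\d+), expires in \S+, "
                   r"(?P<pkts>\d+) pkts, (?P<bytes>\d+) bytes")

def parse_pfsync(text: str) -> List[Dict]:
    """Pair each 'ST:' header with the 'age ...' counter line that follows it."""
    events, hdr = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            hdr = m.groupdict()
            continue
        s = STATS.match(line)
        if s and hdr is not None:
            h, mi, sec = (int(x) for x in s.group(1, 2, 3))
            hdr.update(rule=int(hdr["rule"]), age_s=3600 * h + 60 * mi + sec,
                       pkts=int(s["pkts"]), bytes=int(s["bytes"]))
            events.append(hdr)
            hdr = None
    return events

def connection_totals(events: List[Dict]) -> List[Dict]:
    """A DEL record carries the state's final counters, so each one is a
    finished connection with its duration, packet and byte totals."""
    keys = ("rule", "proto", "local", "remote", "state", "age_s", "pkts", "bytes")
    return [{k: e[k] for k in keys} for e in events if e["action"] == "DEL"]
```

Feeding it a live capture (tcpdump -s1500 -evtni pfsync0) instead of SAMPLE gives a running per-connection log without counting individual packets.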
Here's a part of the man page (which should show up in the online man
pages soon):
NAME
     pfsync - packet filter states table logging interface
SYNOPSIS
     pseudo-device pfsync
DESCRIPTION
     The pfsync interface is the interface to the packet filter, pf(4),
     exposing all the changes to the state table.  This allows for both
     debugging of rulesets and monitoring for changes in the table by
     invoking tcpdump(8) on the pfsync interface.
Daniel