Hi Christophe, >> There are some control features, like `down-srcip`, `purgeike` or >> `list|resetcounters`, that are not implemented (yet). But they may >> still be used, if necessary (ideally users would notify us of features >> they still need), > > I started using the vici API for monitoring and stats, and I must > admit it is far better suited than stroke to interface with an > external application. > > I precisely missed the equivalent for `listcounters` in the vici > interface, so I take the opportunity to notify you officially that its > support would be appreciated :)
Noted...and actually already implemented in the vici-counters branch :) Since it's based on the same code, it has the same behavior and limitations. For instance, counters are associated with an IKE_SA's name not individual IKE_SAs (e.g. via their unique IDs). So they may cover several IKE_SAs with the same name and they are not automatically reset or removed once SAs are terminated. And since the name may change on responders due to the identities or authentication settings the connection-specific counters might not be exactly accurate (e.g. if the first defined connection is configured for pubkey client authentication but most clients will connect via EAP using an otherwise identical second connection, too many inbound IKE_AUTHs will recorded for the first connection's name and too few for the second). Let me know if you see anything that could be improved (e.g. the naming of the counters). Regards, Tobias
