On 2018-03-28, 3 <ba...@yandex.ru> wrote:
> hi guys. when the pflow option first appeared, i was surprised by the
> stupidity of those who implemented it - pflow could not be specified
> for block-rules, i.e. dropped packets were not taken into account. as
> a result of this approach, the usefulness of pflow sought to zero for
> those cases where traffic really had to be counted. but then i found
> the way out - the default blocking rule first duplicated packets on a
> special, only for this created localhost, which had only one rule -
> receiving all incoming packets and the pflow option set, this allowed
> to take into account dropped packets too. now i updated system, and
> saw that the low level taken by developers fell even lower - now it is
> impossible to specify dup-to for block-rules. i don't know how to get
> around this now, i'm a simple user and tired of fighting hands-from-ass
> developers. can anyone share their hacks for this?
>
> ps: sry for my english

The English is mostly readable, the attitude is rather abrasive though.

pflow hooks into pf states. There is no state for a blocked packet. I think you'll be happier with a BPF-based flow capture tool, there are two in ports.