Mickey (rather silently ;) committed his pfsync to -current yesterday,
and you might find this useful for a number of things. It's a pseudo
device similar to pflog, but instead of logged packets, state table
changes are sent there. Example:
# ifconfig pfsync0 up
# tcpdump -s1500 -evtni pfsync0
tcpdump: listening on pfsync0
[ now we log into the machine through ssh, rule 6 is 'pass in on gem0
all keep state' ]
version 1 count 1: INS ST: rule 6 tcp 10.1.1.10:22 <- 10.1.1.10:22 <- 10.1.1.1:28307
CLOSED:SYN_SENT
[0 + 1] [3485610040 + 2]
age 00:00:00, expires in 00:02:00, 1 pkts, 64 bytes, rule 6
[ after a couple of minutes, we close the ssh session ]
version 1 count 1: DEL ST: rule 6 tcp 10.1.1.10:22 <- 10.1.1.10:22 <- 10.1.1.1:28307
FIN_WAIT_2:FIN_WAIT_2
[2790211351 + 17375] [3485617414 + 17376]
age 00:05:34, expires in 00:00:00, 2064 pkts, 241345 bytes, rule 6
I remember several people have asked about ways to gather statistics
at the connection level (without having to count/sum packets), and pfsync
can help do that (though there are bigger plans for it, too ;).
Here's a part of the man page (which should show up in the online man
pages soon):
NAME
     pfsync - packet filter states table logging interface

SYNOPSIS
     pseudo-device pfsync

DESCRIPTION
     The pfsync interface is the interface to the packet filter, pf(4),
     exposing all the changes to the state table. This allows for both
     debugging of rulesets and monitoring for changes in the table by
     invoking tcpdump(8) on the pfsync interface.
Daniel
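As an added example (not part of Daniel's post, and not code from pf or pfsync), here is a small POSIX shell/awk filter that turns the DEL ST records tcpdump prints on pfsync0 into per-connection statistics, which is the "connection level without counting packets" use mentioned above. It assumes the record layout exactly as printed in the post (a "DEL ST: rule N proto lan <- gwy <- ext" header followed a few lines later by an "age ..., N pkts, N bytes" line); the sample capture embedded in the script is constructed from the two records shown in the post plus one invented short-lived connection.

```sh
#!/bin/sh
# Constructed sample of "tcpdump -s1500 -evtni pfsync0" output, in the
# layout shown in the original post. Not a real capture: the first two
# records are copied from the post, the third (port 80) is invented.
PFSYNC_SAMPLE='version 1 count 1: INS ST: rule 6 tcp 10.1.1.10:22 <- 10.1.1.10:22 <- 10.1.1.1:28307
CLOSED:SYN_SENT
[0 + 1] [3485610040 + 2]
age 00:00:00, expires in 00:02:00, 1 pkts, 64 bytes, rule 6
version 1 count 1: DEL ST: rule 6 tcp 10.1.1.10:22 <- 10.1.1.10:22 <- 10.1.1.1:28307
FIN_WAIT_2:FIN_WAIT_2
[2790211351 + 17375] [3485617414 + 17376]
age 00:05:34, expires in 00:00:00, 2064 pkts, 241345 bytes, rule 6
version 1 count 1: DEL ST: rule 6 tcp 10.1.1.10:80 <- 10.1.1.10:80 <- 10.1.1.1:40000
FIN_WAIT_2:FIN_WAIT_2
[100 + 10] [200 + 11]
age 00:00:12, expires in 00:00:00, 20 pkts, 3000 bytes, rule 6'

# Read pfsync tcpdump output on stdin; print one line per *closed*
# connection (DEL ST record): rule, duration in seconds, packet and byte
# counters, then the proto/endpoint tuple. INS ST records are skipped
# because their counters are still at the first packet.
pfsync_conn_stats() {
    awk '
        # DEL ST header: remember the rule number and the tuple after
        # "rule N " until the matching "age ..." line arrives.
        /DEL ST:/ {
            rule = $8
            conn = $0
            sub(/.*ST: rule [0-9]+ /, "", conn)
            pending = 1
            next
        }
        # Counter line of the pending DEL record. Dropping the commas
        # re-splits $0, so $2 is age, $6 packets and $8 bytes.
        pending && /^age / {
            gsub(/,/, "")
            split($2, t, ":")
            secs = t[1] * 3600 + t[2] * 60 + t[3]
            printf "rule=%s dur=%ds pkts=%s bytes=%s %s\n", rule, secs, $6, $8, conn
            pending = 0
        }
    '
}

# Sum the per-connection lines into one totals line.
pfsync_totals() {
    pfsync_conn_stats | awk '
        {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^pkts=/)       { sub(/pkts=/, "", $i);  p += $i }
                else if ($i ~ /^bytes=/) { sub(/bytes=/, "", $i); b += $i }
            }
            n++
        }
        END { printf "connections=%d pkts=%d bytes=%d\n", n, p, b }
    '
}

# Demo on the constructed sample. On a live box you would instead run
# (tcpdump -l makes the output line-buffered so the pipe sees records
# as they happen):
#   tcpdump -l -s1500 -evtni pfsync0 | pfsync_conn_stats
printf '%s\n' "$PFSYNC_SAMPLE" | pfsync_conn_stats
printf '%s\n' "$PFSYNC_SAMPLE" | pfsync_totals
```

Only the DEL record is used because that is the one point where pf hands over the final packet and byte counters for the state; summing INS records would count every connection at a single SYN. Anything that changes the tcpdump output format (a later pfsync version, -v levels, or a different tcpdump) will need the field positions in the awk adjusted.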