Hi all,
along the same idea of per-rule accounting, I tried "pfctl -sl -f /etc/pf.conf"
(OpenBSD 3.3 GENERIC#44 i386)
in order to dump labeled rule stats just before reloading the rules,
without missing any info, and I only got zeroed values.
Unfortunately the pfctl parameter evaluation order seems to be "reload
config" and then "dump stats".
Maybe I am wrong. If not, wouldn't it be interesting to have a
dump-label-rules-before-reload switch?
/* $OpenBSD: pfctl.c,v 1.175 2003/05/19 02:32:47 henning Exp $ */
-x---------------------------------------------------
        /* first: load the new ruleset given with -f */
        if (rulesopt != NULL)
                if (pfctl_rules(dev, rulesopt, opts, anchorname, rulesetname))
                        error = 1;

        /* only afterwards: dump whatever -s asked for, so -sl sees the
         * freshly loaded (zeroed) counters */
        if (showopt != NULL) {
                switch (*showopt) {
                case 'A':
                        pfctl_show_anchors(dev, opts, anchorname);
                        break;
                case 'r':
                        pfctl_show_rules(dev, opts, 0, anchorname,
                            rulesetname);
                        break;
                case 'l':
                        pfctl_show_rules(dev, opts, 1, anchorname,
                            rulesetname);
                        break;
                case 'n':
                        pfctl_show_nat(dev, opts, anchorname, rulesetname);
                        break;
                case 'q':
                        pfctl_show_altq(dev, opts, opts & PF_OPT_VERBOSE2);
                        break;
                case 's':
                        pfctl_show_states(dev, 0, opts);
                        break;
                case 'i':
                        pfctl_show_status(dev);
                        break;
                case 't':
                        pfctl_show_timeouts(dev);
                        break;
                case 'm':
                        pfctl_show_limits(dev);
                        break;
                case 'a':
                        pfctl_show_rules(dev, opts, 0, anchorname,
                            rulesetname);
                        pfctl_show_nat(dev, opts, anchorname, rulesetname);
                        pfctl_show_altq(dev, opts, 0);
                        pfctl_show_states(dev, 0, opts);
                        pfctl_show_status(dev);
                        pfctl_show_rules(dev, opts, 1, anchorname, rulesetname);
                        pfctl_show_timeouts(dev);
                        pfctl_show_limits(dev);
                        pfctl_show_tables(anchorname, rulesetname, opts);
                        break;
                case 'T':
                        pfctl_show_tables(anchorname, rulesetname, opts);
                        break;
                default:
                        assert(0);
                }
        }
-x---------------------------------------------------
/Next
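Added example, not code from this thread or from pfctl: a small sh script that works around the evaluation order by dumping the label counters in one pfctl run and reloading in a second, and that reduces such a dump to per-label byte totals in the four-line form MRTG reads from an external script (the per-rule graphing asked about below). It assumes the 3.3 "pfctl -sl" line format "label evaluations packets bytes" and labels without whitespace; function names, paths and the sample dump are this example's own.

```shell
#!/bin/sh
# Added example: snapshot pf label counters *before* loading a new ruleset,
# and reduce a snapshot to per-label byte totals for a grapher such as MRTG.
# Assumptions: "pfctl -sl" prints one line per labeled rule in the form
#   label evaluations packets bytes      (OpenBSD 3.3; later releases append
# more fields but keep the byte total in field 4), and labels contain no
# whitespace. Function names and paths are this example's own choices.

PFCONF=${PFCONF:-/etc/pf.conf}
SNAPDIR=${SNAPDIR:-/var/db/pflabels}

# Constructed sample of "pfctl -sl" output so the parsing can be exercised
# on a host without pf. Two rules share the label "web_in".
SAMPLE_LABELS='web_in 1200 340 251904
web_in 1200 340 251904
dns_out 55 55 4180
ssh_in 0 0 0'

# label_bytes LABEL  (reads a pfctl -sl dump on stdin)
# Sums the byte counter of every rule carrying LABEL; prints 0 if absent.
label_bytes() {
    awk -v want="$1" '$1 == want { total += $4 }
                      END { printf "%.0f\n", total + 0 }'
}

# mrtg_label LABEL  (reads a pfctl -sl dump on stdin)
# Emits the four lines MRTG expects from an external target script:
# bytes in, bytes out, uptime, target name. A 3.3 rule keeps a single
# byte counter, so the same total is reported for both directions.
mrtg_label() {
    b=$(label_bytes "$1") || return 1
    printf '%s\n%s\nn/a\npf label %s\n' "$b" "$b" "$1"
}

# snapshot_then_reload: work around the pfctl evaluation order by running
# the dump and the reload as two separate pfctl invocations, dump first.
# Prints the snapshot path. Packets matched between the two commands are
# counted by the old rules and then lost, so prefer a quiet moment.
snapshot_then_reload() {
    mkdir -p "$SNAPDIR" || return 1
    snap="$SNAPDIR/labels.$(date +%Y%m%d%H%M%S)"
    pfctl -sl > "$snap" || return 1
    pfctl -f "$PFCONF" || return 1
    printf '%s\n' "$snap"
}
```

Feeding a saved snapshot to label_bytes or mrtg_label (e.g. `label_bytes web_in < "$snap"`) gives the totals accumulated up to the reload, which is exactly the information a single "pfctl -sl -f" run loses.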
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] on behalf of
Henning Brauer
Sent: Tuesday, May 27, 2003 12:51
To: [EMAIL PROTECTED]
Subject: Re: Per-Rule Byte Counts
On Mon, May 26, 2003 at 04:23:55PM -0400, Dave Wintrip wrote:
> I'm looking for a way to graph traffic passing through my OpenBSD
> bridge, on a per-IP basis. I was under the initial impression that rules
> in PF could be tagged, and graphed using pfstat. I haven't had any luck
> on that, however, I was wondering if anyone knew of a way to gather a
> per-rule byte count that I could just pipe to MRTG or something? Any
> info would be helpful.
use labels.
--
Henning Brauer, BS Web Services, http://bsws.de
[EMAIL PROTECTED] - [EMAIL PROTECTED]
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)