Currently, if no port is available for translation, the "memory"
counter is increased, which is not particularly descriptive. I'd
find it helpful to split this off into a separate counter, as it
clearly shows when the default NAT port range is causing a problem.
Any comments/OKs? (it's pretty straightforward, but intended for
post 5.3).
Example output (I used an artificial restriction to make it easier to
trigger, i.e. 'match proto tcp to port 12345 nat-to (egress:0) 2000:2003'):
$ sudo obj/pfctl -si
Status: Enabled for 0 days 20:33:18 Debug: err
State Table Total Rate
current entries 17
searches 602245 8.1/s
inserts 15503 0.2/s
removals 15486 0.2/s
Counters
match 16633 0.2/s
bad-offset 0 0.0/s
fragment 0 0.0/s
short 0 0.0/s
normalize 0 0.0/s
memory 0 0.0/s
bad-timestamp 0 0.0/s
congestion 0 0.0/s
ip-option 0 0.0/s
proto-cksum 0 0.0/s
state-mismatch 0 0.0/s
state-insert 0 0.0/s
state-limit 0 0.0/s
src-limit 0 0.0/s
synproxy 0 0.0/s
translate 11 0.0/s
Index: sys/net/pf.c
===================================================================
RCS file: /cvs/src/sys/net/pf.c,v
retrieving revision 1.818
diff -u -p -r1.818 pf.c
--- sys/net/pf.c 20 Jan 2013 22:51:16 -0000 1.818
+++ sys/net/pf.c 24 Feb 2013 20:37:58 -0000
@@ -3487,7 +3487,7 @@ pf_test_rule(struct pf_pdesc *pd, struct
if (r->rule_flag & PFRULE_AFTO)
pd->naf = r->naf;
if (pf_get_transaddr(r, pd, sns, &nr) == -1) {
- REASON_SET(&reason, PFRES_MEMORY);
+ REASON_SET(&reason, PFRES_TRANSLATE);
goto cleanup;
}
if (r->log || act.log & PF_LOG_MATCHES) {
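Review bot: The new reason code at the pf_get_transaddr() call attributes every -1 return to "translate", but the post only describes the port-exhaustion case; if pf_get_transaddr() can also fail for other reasons (no address in the pool, or a genuine allocation failure that the old PFRES_MEMORY accounting was actually meant for), those drops now land in the new counter too, and I cannot see its failure modes from this hunk. It would be worth confirming that -1 is only returned when no address/port could be obtained, and saying so at the call site, e.g. `/* no translation address or port available; see pf_get_transaddr() */`. Also note that because the failure path jumps to cleanup before the `r->log` check, a packet dropped for this reason may not be logged via the match-log path unless cleanup handles it. pf_test_rule() starts and ends outside this hunk.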
@@ -3526,7 +3526,7 @@ pf_test_rule(struct pf_pdesc *pd, struct
if (r->rule_flag & PFRULE_AFTO)
pd->naf = r->naf;
if (pf_get_transaddr(r, pd, sns, &nr) == -1) {
- REASON_SET(&reason, PFRES_MEMORY);
+ REASON_SET(&reason, PFRES_TRANSLATE);
goto cleanup;
}
REASON_SET(&reason, PFRES_MATCH);
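Review bot: This block is a near-verbatim repeat of the first hunk (PFRULE_AFTO handling, pf_get_transaddr(), reason selection, goto cleanup), so the two call sites now have to be kept in sync by hand whenever the translation-failure reason changes again. A small static helper returning the reason, or at least a one-line comment at each site pointing at the other (`/* keep in sync with the AFTO/transaddr block above */`), would make the next change to this path less error-prone. The enclosing function continues outside this hunk.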
Index: sys/net/pfvar.h
===================================================================
RCS file: /cvs/src/sys/net/pfvar.h,v
retrieving revision 1.376
diff -u -p -r1.376 pfvar.h
--- sys/net/pfvar.h 17 Jan 2013 00:48:04 -0000 1.376
+++ sys/net/pfvar.h 24 Feb 2013 20:37:58 -0000
@@ -1293,7 +1293,8 @@ struct pf_pdesc {
#define PFRES_MAXSTATES 12 /* State limit */
#define PFRES_SRCLIMIT 13 /* Source node/conn limit */
#define PFRES_SYNPROXY 14 /* SYN proxy */
-#define PFRES_MAX 15 /* total+1 */
+#define PFRES_TRANSLATE 15 /* No translation address
available */
+#define PFRES_MAX 16 /* total+1 */
#define PFRES_NAMES { \
"match", \
@@ -1311,6 +1312,7 @@ struct pf_pdesc {
"state-limit", \
"src-limit", \
"synproxy", \
+ "translate", \
NULL \
}
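Review bot: Raising PFRES_MAX from 15 to 16 presumably grows the counters array exported through struct pf_status (the pfctl -si and snmpd code both index it by PFRES_*), so this is a kernel/userland ABI change and pfctl, snmpd and any other consumer of DIOCGETSTATUS need to be rebuilt in lockstep; a note to that effect in the commit message would help. The comment on the new constant says "No translation address available" while the cover text and the MIB description talk about ports; I'd make the comment cover both, `/* No translation address/port available */`, so the three descriptions agree. PFRES_NAMES is positional and must stay aligned with the PFRES_* values, which this hunk does correctly, but a short `/* keep in sync with PFRES_* above */` next to the table would make that dependency explicit.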
Index: share/snmp/OPENBSD-PF-MIB.txt
===================================================================
RCS file: /cvs/src/share/snmp/OPENBSD-PF-MIB.txt,v
retrieving revision 1.1
diff -u -p -r1.1 OPENBSD-PF-MIB.txt
--- share/snmp/OPENBSD-PF-MIB.txt 23 Feb 2012 03:54:38 -0000 1.1
+++ share/snmp/OPENBSD-PF-MIB.txt 24 Feb 2013 20:37:58 -0000
@@ -33,7 +33,7 @@ IMPORTS
FROM SNMPv2-CONF;
pfMIBObjects MODULE-IDENTITY
- LAST-UPDATED "201201260000Z"
+ LAST-UPDATED "201302242033Z"
ORGANIZATION "OpenBSD"
CONTACT-INFO "
Author: Joel Knight
@@ -43,6 +43,8 @@ pfMIBObjects MODULE-IDENTITY
DESCRIPTION "The MIB module for gathering information from
OpenBSD's packet filter.
"
+ REVISION "201302242033Z"
+ DESCRIPTION "Add separate counter for failed translations"
REVISION "201201260000Z"
DESCRIPTION "Add OPENBSD-PF-MIB to OpenBSD's snmpd"
::= { openBSD 1 }
@@ -237,6 +239,15 @@ pfCntSynproxy OBJECT-TYPE
DESCRIPTION
"The number of packets that were dropped during the TCP synproxy
process."
::= { pfCounters 15 }
+
+pfCntTranslate OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The number of packets that were dropped because network address
+ translation was requested and no unused port was available."
+ ::= { pfCounters 16 }
-- pfStateTable
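Review bot: The pfCntTranslate DESCRIPTION ("no unused port was available") is narrower than what the kernel change counts, since every pf_get_transaddr() failure is mapped to PFRES_TRANSLATE, and the pfvar.h comment describes it as "No translation address available". I'd word the MIB object to match the counter's actual scope, e.g. `"The number of packets that were dropped because a translation (NAT) address or port could not be obtained for the matching rule."`, so SNMP consumers are not misled into assuming only port exhaustion is reported. The LAST-UPDATED/REVISION stamps are consistent with each other.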
Index: usr.sbin/snmpd/mib.c
===================================================================
RCS file: /cvs/src/usr.sbin/snmpd/mib.c,v
retrieving revision 1.63
diff -u -p -r1.63 mib.c
--- usr.sbin/snmpd/mib.c 18 Dec 2012 21:28:45 -0000 1.63
+++ usr.sbin/snmpd/mib.c 24 Feb 2013 20:37:58 -0000
@@ -1459,6 +1459,7 @@ static struct oid openbsd_mib[] = {
{ MIB(pfCntStateLimit), OID_RD, mib_pfcounters },
{ MIB(pfCntSrcLimit), OID_RD, mib_pfcounters },
{ MIB(pfCntSynproxy), OID_RD, mib_pfcounters },
+ { MIB(pfCntTranslate), OID_RD, mib_pfcounters },
{ MIB(pfStateCount), OID_RD, mib_pfscounters },
{ MIB(pfStateSearches), OID_RD, mib_pfscounters },
{ MIB(pfStateInserts), OID_RD, mib_pfscounters },
@@ -1702,7 +1703,8 @@ mib_pfcounters(struct oid *oid, struct b
{ 12, &s.counters[PFRES_STATEINS] },
{ 13, &s.counters[PFRES_MAXSTATES] },
{ 14, &s.counters[PFRES_SRCLIMIT] },
- { 15, &s.counters[PFRES_SYNPROXY] }
+ { 15, &s.counters[PFRES_SYNPROXY] },
+ { 16, &s.counters[PFRES_TRANSLATE] }
};
if (pf_get_stats(&s))
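Review bot: The { index, &s.counters[PFRES_*] } table in mib_pfcounters() hard-codes the OID suffix alongside the PFRES_* constant, so the new entry `{ 16, &s.counters[PFRES_TRANSLATE] }` is the third place (after pfvar.h and mib.h) that must agree on the number 16, with nothing checking it. A comment such as `/* index must match MIB_pfCnt* in mib.h and PFRES_* in pfvar.h */` above the table would at least document the coupling. The remainder of mib_pfcounters(), including how a pf_get_stats() failure is handled, is outside this hunk.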
Index: usr.sbin/snmpd/mib.h
===================================================================
RCS file: /cvs/src/usr.sbin/snmpd/mib.h,v
retrieving revision 1.29
diff -u -p -r1.29 mib.h
--- usr.sbin/snmpd/mib.h 1 Oct 2012 12:15:07 -0000 1.29
+++ usr.sbin/snmpd/mib.h 24 Feb 2013 20:37:58 -0000
@@ -482,6 +482,7 @@
#define MIB_pfCntStateLimit MIB_pfCounters, 13
#define MIB_pfCntSrcLimit MIB_pfCounters, 14
#define MIB_pfCntSynproxy MIB_pfCounters, 15
+#define MIB_pfCntTranslate MIB_pfCounters, 16
#define MIB_pfStateTable MIB_pfMIBObjects, 3
#define MIB_pfStateCount MIB_pfStateTable, 1
#define MIB_pfStateSearches MIB_pfStateTable, 2
@@ -1007,6 +1008,7 @@
{ MIBDECL(pfCntStateLimit) }, \
{ MIBDECL(pfCntSrcLimit) }, \
{ MIBDECL(pfCntSynproxy) }, \
+ { MIBDECL(pfCntTranslate) }, \
{ MIBDECL(pfStateTable) }, \
{ MIBDECL(pfStateCount) }, \
{ MIBDECL(pfStateSearches) }, \