Date:      Wed, 4 Jul 2007 09:26:40 +0400
From:      Roman Bogorodskiy <novel@FreeBSD.org>
To:        freebsd-pf@freebsd.org
Subject:   using pfctl -s labels and keep state for traffic accounting
Message-ID:  <20070704052640.GA72918@underworld.novel.ru>

Hi,

I'm going to use pf's label feature for traffic accounting, i.e.
creating an anchor so that rules with labels can be added/removed on
the fly, and parsing the output of pfctl -s labels.

However, I spotted some problems with such an approach. When using 'keep
state' it seems to have some limitations. First of all, it doesn't seem
to allow accounting in only one direction. Well, that was expected because
states work that way.

But calculating traffic in both directions gives strange results too.

I have a rule:

pass log quick on $ext_if proto tcp from self to some_host port https label "labels:test"

I have a file on https which I download.

After the first try it gives:

labels:test 284 23 2943

Then I add 'keep state', reload the rules file, check if the counters
are zeroed and download the same file again and get:

labels:test 3 46 29427

Why does it happen that way?

BTW, are there other limitations to the approach of traffic
accounting based on pf labels?

Roman Bogorodskiy
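The accounting approach described in the message (parse pfctl -s labels, keep the deltas), as an added example in Python; this is not code from the post or from pf itself. It assumes the three-counter layout the post shows (label, evaluations, packets, bytes), and can also be told to read the eight-counter layout newer pf versions print (packets/bytes split into in and out, plus a state count); the column names for that wider layout, the parse_labels/account names and the ncounters parameter are this example's own. The sample snapshots are the two lines from the post plus constructed ones.

```python
"""Turn `pfctl -s labels` output into per-interval traffic figures.

Added example, not from the original post. Assumptions: counters are the
last `ncounters` whitespace-separated fields of each line and everything
before them is the label (so labels may contain spaces); pfctl prints one
line per labelled rule, so several rules sharing a label are summed.
"""
from typing import Dict, Iterable, Tuple

Counters = Dict[str, int]
Snapshot = Dict[str, Counters]

# Column names by counter count. Three is the layout shown in the post;
# eight is the wider layout of newer pf versions (an assumption here).
COLUMN_LAYOUTS: Dict[int, Tuple[str, ...]] = {
    3: ("evaluations", "packets", "bytes"),
    8: ("evaluations", "packets", "bytes",
        "packets_in", "bytes_in", "packets_out", "bytes_out", "states"),
}


def parse_labels(text: str, ncounters: int = 3) -> Snapshot:
    """Parse the text printed by `pfctl -s labels` / `pfctl -a <anchor> -s labels`."""
    names = COLUMN_LAYOUTS.get(ncounters) or tuple(
        f"counter{i}" for i in range(ncounters))
    snapshot: Snapshot = {}
    for raw in text.splitlines():
        fields = raw.split()
        if not fields:
            continue
        if len(fields) <= ncounters:
            raise ValueError(f"unparseable pfctl label line: {raw!r}")
        # Take exactly ncounters integers from the right; the rest is the
        # label, which may itself contain spaces or end in a number.
        numbers = [int(f) for f in fields[-ncounters:]]
        label = " ".join(fields[:-ncounters])
        counters = snapshot.setdefault(label, {n: 0 for n in names})
        for name, value in zip(names, numbers):
            counters[name] += value          # sum rules sharing one label
    return snapshot


def account(previous: Snapshot, current: Snapshot,
            fields: Iterable[str] = ("packets", "bytes")) -> Snapshot:
    """Traffic seen between two snapshots, per label.

    Rule counters only grow until the ruleset is reloaded or `pfctl -z`
    zeroes them, so a counter that went backwards means a reset happened in
    between. The current value is then the best available figure for the
    interval; whatever was counted before the reset is lost, which is the
    price of adding and removing labelled rules on the fly.
    """
    result: Snapshot = {}
    for label, cur in current.items():
        prev = previous.get(label, {})
        reset = any(cur[name] < prev.get(name, 0) for name in cur)
        result[label] = {
            name: cur[name] - (0 if reset else prev.get(name, 0))
            for name in fields if name in cur
        }
    return result


if __name__ == "__main__":
    # Constructed run using the two lines quoted in the post: the second was
    # taken after a rule reload, so its evaluations counter went backwards.
    first = parse_labels("labels:test 284 23 2943\n")
    second = parse_labels("labels:test 3 46 29427\n")
    print(account(first, second))   # reset detected: whole second sample
```

Usage: sample `pfctl -a <anchor> -s labels` on a timer, feed consecutive snapshots to account() and add the per-label deltas to your totals; the reset detection is what keeps a rule reload from producing a negative interval.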
