Date: Sun, 28 Jun 2020 12:10:23 +0200
From: "Kristof Provost" <kp@FreeBSD.org>
To: "Özkan KIRIK" <ozkan.kirik@gmail.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: pf - state counter tracking like pfsync
Message-ID: <0DDD2D56-A3F9-4062-9F45-266F41FA641C@FreeBSD.org>
In-Reply-To: <CAAcX-AFzvUMGpqf7joXgTV-gx9QLm8EEwS+fPhfYVjC5pqgpgA@mail.gmail.com>
References: <CAAcX-AFzvUMGpqf7joXgTV-gx9QLm8EEwS+fPhfYVjC5pqgpgA@mail.gmail.com>
On 26 Jun 2020, at 13:56, Özkan KIRIK wrote:
> My goal is to save pkt/byte counters of each expired/killed/closed state
> into a txt file.
> What is the right way to do this in userspace?

There's no real right way to do this using pf. There are a couple of things that'll get close, but no 100% solution.

> Is it possible to do something with ioctl & poll?

No. You could poll the states, but you'd heavily affect throughput and you're going to miss data.

> Alternatively, is it possible to create multiple pfsync interfaces,
> the first one for its real purpose of sending state changes to the slave host,
> the second one for sending this log to a collector process on lo1?

No, it's not possible to create more than one pfsync interface. Pfsync can send its data to a multicast group, so you could have multiple subscribers.

Note that pfsync optimises updates, so it's likely that short-lived connections (i.e. where the connection is set up, used and closed before the next sync) will not result in sync messages.

> The following lines prevent cloning a second pfsync interface:
> /usr/src/sys/netpfil/pf/if_pfsync.c on line 331 (pfsync_clone_create
> function)
>
> if (unit != 0)
> return (EINVAL);
>
> If I remove these lines, do I hit any error?

Yes, that will break. Pfsync is not designed to have multiple interfaces.

Kristof