From owner-freebsd-pf@freebsd.org Sun Jun 28 10:10:26 2020
From: "Kristof Provost" <kp@FreeBSD.org>
To: Özkan KIRIK
Cc: freebsd-pf@freebsd.org
Subject: Re: pf - state counter tracking like pfsync
Date: Sun, 28 Jun 2020 12:10:23 +0200
Message-ID: <0DDD2D56-A3F9-4062-9F45-266F41FA641C@FreeBSD.org>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On 26 Jun 2020, at 13:56, Özkan KIRIK wrote:
> My goal is to save pkt/byte counters of each expired/killed/closed states
> into a txt file.
> What is the right way to do this in userspace?

There’s no real right way to do this using pf. There are a couple of
things that’ll get close, but no 100% solution.

> Is it possible to do something with ioctl & poll?

No. You could poll the states, but you’d heavily affect throughput and
you’re going to miss data.

> Alternatively is it possible to create multiple pfsync interfaces,
> first one for real purpose to send state changes to slave host, the
> second one for sending this log collect process lo1?

No, it’s not possible to create more than one pfsync interface. Pfsync
can send its data to a multicast group, so you could have multiple
subscribers.

Note that pfsync optimises updates, so it’s likely that short-lived
connections (i.e. where the connection is set up, used and closed before
the next sync) will not result in sync messages.

> Following lines prevent cloning a second pfsync interface:
> /usr/src/sys/netpfil/pf/if_pfsync.c on line 331 (pfsync_clone_create
> function)
>
> if (unit != 0)
> return (EINVAL);
>
> If I remove these lines, do I hit any error?

Yes, that will break. Pfsync is not designed to have multiple interfaces.

Kristof

From owner-freebsd-pf@freebsd.org Sun Jun 28 10:15:46 2020
From: Özkan KIRIK <ozkan.kirik@gmail.com>
To: Kristof Provost
Cc: freebsd-pf@freebsd.org
Subject: Re: pf - state counter tracking like pfsync
Date: Sun, 28 Jun 2020 13:15:33 +0300
In-Reply-To: <0DDD2D56-A3F9-4062-9F45-266F41FA641C@FreeBSD.org>

Thank you for the clarification.

On Sun, Jun 28, 2020 at 1:10 PM Kristof Provost wrote:
> On 26 Jun 2020, at 13:56, Özkan KIRIK wrote:
> > My goal is to save pkt/byte counters of each expired/killed/closed states
> > into a txt file.
> > What is the right way to do this in userspace?
>
> There’s no real right way to do this using pf. There are a couple of
> things that’ll get close, but no 100% solution.
>
> > Is it possible to do something with ioctl & poll?
>
> No. You could poll the states, but you’d heavily affect throughput and
> you’re going to miss data.
>
> > Alternatively is it possible to create multiple pfsync interfaces,
> > first one for real purpose to send state changes to slave host, the
> > second one for sending this log collect process lo1?
>
> No, it’s not possible to create more than one pfsync interface. Pfsync
> can send its data to a multicast group, so you could have multiple
> subscribers.
>
> Note that pfsync optimises updates, so it’s likely that short-lived
> connections (i.e. where the connection is set up, used and closed before
> the next sync) will not result in sync messages.
>
> > Following lines prevent cloning a second pfsync interface:
> > /usr/src/sys/netpfil/pf/if_pfsync.c on line 331 (pfsync_clone_create
> > function)
> >
> > if (unit != 0)
> > return (EINVAL);
> >
> > If I remove these lines, do I hit any error?
>
> Yes, that will break. Pfsync is not designed to have multiple
> interfaces.
>
> Kristof
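Kristof's answer above says you could poll the state table from userspace but would load the box and miss data. As an added example (not code from this thread or from FreeBSD), here is what that polling approach looks like in Python: it diffs two successive `pfctl -ss -vv` snapshots, keyed on the `id: ... creatorid: ...` pair that `-vv` prints, and writes out the last counters seen for any state that has disappeared. It assumes the per-state entry layout FreeBSD's pfctl prints (an unindented flow line, an optional indented TCP sequence line, an indented `age ..., N:M pkts, N:M bytes, rule R` line and the indented `id:` line); both snapshots are constructed, not captured. The blind spot Kristof describes is structural: a state created and torn down between two polls is in neither snapshot, and the only lever is a shorter interval, which means walking the whole state table more often.

```python
"""Record the final pkt/byte counters of pf states that vanish between polls.

Added example, not from the mailing-list thread or FreeBSD's sources.
Assumes the `pfctl -ss -vv` entry layout described in the lead-in; the
SNAPSHOT_* strings are constructed, not real captures."""
import re
import subprocess
import time
from dataclasses import dataclass
from typing import Dict, List, Tuple

COUNTERS_RE = re.compile(r"(\d+):(\d+) pkts, (\d+):(\d+) bytes")
ID_RE = re.compile(r"^\s+id:\s*([0-9a-fA-F]+)\s+creatorid:\s*([0-9a-fA-F]+)")


@dataclass
class StateCounters:
    key: str               # "id:creatorid" from -vv, else the flow line
    flow: str              # unindented first line, whitespace collapsed
    pkts: Tuple[int, int]  # the two per-direction counters as pfctl prints them
    bytes_: Tuple[int, int]


def parse_states(text: str) -> Dict[str, StateCounters]:
    """Parse one `pfctl -ss -vv` snapshot into {key: StateCounters}."""
    entries: List[List[str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():      # each state starts with an unindented line
            entries.append([line])
        elif entries:
            entries[-1].append(line)

    states: Dict[str, StateCounters] = {}
    for entry in entries:
        flow = " ".join(entry[0].split())
        key, pkts, bytes_ = flow, (0, 0), (0, 0)
        for line in entry[1:]:
            m = COUNTERS_RE.search(line)
            if m:
                a, b, c, d = (int(x) for x in m.groups())
                pkts, bytes_ = (a, b), (c, d)
            m = ID_RE.match(line)
            if m:
                key = f"{m.group(1).lower()}:{m.group(2).lower()}"
        states[key] = StateCounters(key, flow, pkts, bytes_)
    return states


def diff_snapshots(prev: Dict[str, StateCounters],
                   curr: Dict[str, StateCounters]) -> List[StateCounters]:
    """States in prev that are gone (or replaced) in curr; their prev counters
    are the last values we will ever see.  A state created and closed between
    the two polls is in neither snapshot and cannot be recovered."""
    closed: List[StateCounters] = []
    for key, old in prev.items():
        new = curr.get(key)
        if new is None:
            closed.append(old)
        elif any(n < o for n, o in zip(new.pkts + new.bytes_, old.pkts + old.bytes_)):
            # Same key but a counter went backwards: old state torn down and a
            # new one created between polls.  Only plausible when keying on
            # the flow line (no id/creatorid available).
            closed.append(old)
    return closed


def format_record(s: StateCounters) -> str:
    """One tab-separated line for the text file."""
    return (f"{s.key}\t{s.flow}\t{s.pkts[0]}:{s.pkts[1]} pkts"
            f"\t{s.bytes_[0]}:{s.bytes_[1]} bytes")


def poll_loop(interval: float, out_path: str) -> None:
    """Poll pfctl (needs root) every `interval` seconds and append records for
    closed states to out_path.  Shorter interval: smaller blind spot, more load."""
    prev: Dict[str, StateCounters] = {}
    with open(out_path, "a") as out:
        while True:
            text = subprocess.run(["pfctl", "-ss", "-vv"], capture_output=True,
                                  text=True, check=True).stdout
            curr = parse_states(text)
            for s in diff_snapshots(prev, curr):
                out.write(format_record(s) + "\n")
            out.flush()
            prev = curr
            time.sleep(interval)


# Constructed snapshots (not real captures): the UDP DNS state expires
# between the two polls, the HTTPS state keeps counting, an SSH state appears.
SNAPSHOT_1 = """\
all tcp 10.0.0.5:51234 -> 93.184.216.34:443       ESTABLISHED:ESTABLISHED
   [1234567890 + 65535] wscale 7  [987654321 + 65535] wscale 7
   age 00:01:23, expires in 23:59:50, 10:8 pkts, 1500:2000 bytes, rule 5
   id: 5ef8a1b200000001 creatorid: 1a2b3c4d
all udp 10.0.0.5:53001 -> 10.0.0.1:53       SINGLE:MULTIPLE
   age 00:00:02, expires in 00:00:28, 1:1 pkts, 60:120 bytes, rule 7
   id: 5ef8a1b200000002 creatorid: 1a2b3c4d
"""

SNAPSHOT_2 = """\
all tcp 10.0.0.5:51234 -> 93.184.216.34:443       ESTABLISHED:ESTABLISHED
   [1234568890 + 65535] wscale 7  [987655321 + 65535] wscale 7
   age 00:01:33, expires in 23:59:55, 22:19 pkts, 3100:9800 bytes, rule 5
   id: 5ef8a1b200000001 creatorid: 1a2b3c4d
all tcp 10.0.0.7:40001 -> 10.0.0.1:22       ESTABLISHED:ESTABLISHED
   age 00:00:01, expires in 24:00:00, 3:2 pkts, 200:300 bytes, rule 3
   id: 5ef8a1b200000003 creatorid: 1a2b3c4d
"""

if __name__ == "__main__":
    for s in diff_snapshots(parse_states(SNAPSHOT_1), parse_states(SNAPSHOT_2)):
        print(format_record(s))
```

Run as root with `poll_loop(1.0, "/var/log/pf-closed-states.txt")` to use it against a live box; running the file directly only exercises the constructed snapshots and prints the one expired UDP state. Keying on `id:creatorid` rather than the address tuple matters because ports get reused, and the counter-regression check in `diff_snapshots` is the fallback for output without the `-vv` id line.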