Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 20 Mar 2009 10:15:32 +0100
From:      Szalai Andras <szalai.bandi@gmail.com>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   bin/132847: [patch] snmp_pf: add support for retrieving pf filter rule counters
Message-ID:  <20090320091532.GA28471@tristania.kispest.home>
Resent-Message-ID: <200903200920.n2K9K1YP039280@freefall.freebsd.org>

next in thread | raw e-mail | index | archive | help

>Number:         132847
>Category:       bin
>Synopsis:       [patch] snmp_pf: add support for retrieving pf filter rule counters
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Fri Mar 20 09:20:01 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Szalai Andras
>Release:        FreeBSD 7.1-RELEASE-p1 i386
>Organization:
none
>Environment:
System: FreeBSD tristania.kispest.home 7.1-RELEASE-p1 FreeBSD 7.1-RELEASE-p1 #0: Sun Jan 11 17:34:03 CET 2009 root@tristania.kispest.home:/disk/ad8p5/root.usr/src/sys/i386/compile/TRISTANIA i386

>Description:

The FreeBSD base system contains a snmp daemon called bsnmpd. It implements
most of its functionality via loadable modules. The snmp_pf module is
responsible for constructing the MIB for the pf packet filter, however
it doesn't support retrieving counters of (labeled) pf filter rules.

>How-To-Repeat:

>Fix:

The attached patch adds a table which contains counters (evaluations,
packets in/out, bytes in/out) for each labeled pf filter rule. It can
be applied cleanly to snmp_pf from RELENG_7_1.

--- snmp_pf.diff begins here ---
diff -ru snmp_pf.orig/BEGEMOT-PF-MIB.txt snmp_pf/BEGEMOT-PF-MIB.txt
--- snmp_pf.orig/BEGEMOT-PF-MIB.txt	2009-01-10 16:46:38.000000000 +0100
+++ snmp_pf/BEGEMOT-PF-MIB.txt	2009-03-20 09:52:13.000000000 +0100
@@ -51,6 +51,7 @@
 pfInterfaces		OBJECT IDENTIFIER ::= { begemotPfObjects 8 }
 pfTables		OBJECT IDENTIFIER ::= { begemotPfObjects 9 }
 pfAltq			OBJECT IDENTIFIER ::= { begemotPfObjects 10 }
+pfLabels		OBJECT IDENTIFIER ::= { begemotPfObjects 11 }
 
 -- --------------------------------------------------------------------------
 
@@ -1227,4 +1228,102 @@
 	"Maximum number of packets in the queue."
     ::= { pfAltqQueueEntry 7 }
 
+-- --------------------------------------------------------------------------
+
+--
+-- Labeled filter rules statistics
+--
+
+pfLabelsLblNumber OBJECT-TYPE
+    SYNTAX	Integer32
+    MAX-ACCESS	read-only
+    STATUS	current
+    DESCRIPTION
+	"The number of labeled filter rules on this system."
+    ::= { pfLabels 1 }
+
+pfLabelsLblTable OBJECT-TYPE
+    SYNTAX	SEQUENCE OF pfLabelsLblEntry
+    MAX-ACCESS	not-accessible
+    STATUS	current
+    DESCRIPTION
+	"Table of filter rules, index on pfLabelsLblIndex."
+    ::= { pfLabels 2 }
+
+pfLabelsLblEntry OBJECT-TYPE
+    SYNTAX	pfLabelsLblEntry
+    MAX-ACCESS	not-accessible
+    STATUS	current
+    DESCRIPTION
+	"Any entry in the pfLabelsLblTable containing information
+	about a particular filter rule on the system."
+    INDEX	{ pfLabelsLblIndex }
+    ::= { pfLabelsLblTable 1 }
+
+pfLabelsLblEntry ::= SEQUENCE {
+    pfLabelsLblIndex		    Integer32,
+    pfLabelsLblName	 	    OCTET STRING,
+    pfLabelsLblEvals		    Counter64,
+    pfLabelsLblBytesIn		    Counter64,
+    pfLabelsLblBytesOut		    Counter64,
+    pfLabelsLblPktsIn		    Counter64,
+    pfLabelsLblPktsOut		    Counter64
+}
+
+pfLabelsLblIndex OBJECT-TYPE
+    SYNTAX	Integer32 (1..2147483647)
+    MAX-ACCESS  not-accessible
+    STATUS	current
+    DESCRIPTION
+        "A unique value, greater than zero, for each label."
+    ::= { pfLabelsLblEntry 1 }
+
+pfLabelsLblName OBJECT-TYPE
+    SYNTAX	OCTET STRING
+    MAX-ACCESS  read-only
+    STATUS	current
+    DESCRIPTION
+        "The name of the rule label."
+    ::= { pfLabelsLblEntry 2 }
+
+pfLabelsLblEvals OBJECT-TYPE
+    SYNTAX	Counter64
+    MAX-ACCESS  read-only
+    STATUS	current
+    DESCRIPTION
+        "The number of rule evaluations."
+    ::= { pfLabelsLblEntry 3 }
+
+pfLabelsLblBytesIn OBJECT-TYPE
+    SYNTAX	Counter64
+    MAX-ACCESS  read-only
+    STATUS	current
+    DESCRIPTION
+        "The number of incoming bytes matched by the rule."
+    ::= { pfLabelsLblEntry 4 }
+
+pfLabelsLblBytesOut OBJECT-TYPE
+    SYNTAX	Counter64
+    MAX-ACCESS  read-only
+    STATUS	current
+    DESCRIPTION
+        "The number of outgoing bytes matched by the rule."
+    ::= { pfLabelsLblEntry 5 }
+
+pfLabelsLblPktsIn OBJECT-TYPE
+    SYNTAX	Counter64
+    MAX-ACCESS  read-only
+    STATUS	current
+    DESCRIPTION
+        "The number of incoming packets matched by the rule."
+    ::= { pfLabelsLblEntry 6 }
+
+pfLabelsLblPktsOut OBJECT-TYPE
+    SYNTAX	Counter64
+    MAX-ACCESS  read-only
+    STATUS	current
+    DESCRIPTION
+        "The number of outgoing packets matched by the rule."
+    ::= { pfLabelsLblEntry 7 }
+
 END
diff -ru snmp_pf.orig/pf_snmp.c snmp_pf/pf_snmp.c
--- snmp_pf.orig/pf_snmp.c	2008-11-25 03:59:29.000000000 +0100
+++ snmp_pf/pf_snmp.c	2009-03-20 09:51:57.000000000 +0100
@@ -100,17 +100,38 @@
 
 #define PFQ_TABLE_MAXAGE	5
 
+struct pfl_entry {
+	char		name[MAXPATHLEN + PF_RULE_LABEL_SIZE];
+	u_int64_t	evals;
+	u_int64_t	bytes[2];
+	u_int64_t	pkts[2];
+	u_int		index;
+	TAILQ_ENTRY(pfl_entry) link;
+};
+TAILQ_HEAD(pfl_table, pfl_entry);
+
+static struct pfl_table pfl_table;
+static time_t pfl_table_age;
+static int pfl_table_count;
+
+#define PFL_TABLE_MAXAGE	5
+
 /* Forward declarations */
 static int pfi_refresh(void);
 static int pfq_refresh(void);
 static int pfs_refresh(void);
 static int pft_refresh(void);
+static int pfl_refresh(void);
 static struct pfi_entry * pfi_table_find(u_int idx);
 static struct pfq_entry * pfq_table_find(u_int idx);
 static struct pft_entry * pft_table_find(u_int idx);
+static struct pfl_entry * pfl_table_find(u_int idx);
 
 static int altq_is_enabled(int pfdevice);
 
+static int pfl_walk_rulesets(const char *path);
+static int pfl_scan_ruleset(const char *path);
+
 int
 pf_status(struct snmp_context __unused *ctx, struct snmp_value *val,
 	u_int sub, u_int __unused vindex, enum snmp_op op)
@@ -773,6 +794,94 @@
 }
 
 int
+pf_labels(struct snmp_context __unused *ctx, struct snmp_value *val,
+	u_int sub, u_int __unused vindex, enum snmp_op op)
+{
+	asn_subid_t	which = val->var.subs[sub - 1];
+
+	if (op == SNMP_OP_SET)
+		return (SNMP_ERR_NOT_WRITEABLE);
+
+	if (op == SNMP_OP_GET) {
+		if ((time(NULL) - pfl_table_age) > PFL_TABLE_MAXAGE)
+			if (pfl_refresh() == -1)
+			    return (SNMP_ERR_GENERR);
+
+		switch (which) {
+			case LEAF_pfLabelsLblNumber:
+				val->v.uint32 = pfl_table_count;
+				break;
+
+			default:
+				return (SNMP_ERR_NOSUCHNAME);
+		}
+
+		return (SNMP_ERR_NOERROR);
+	}
+
+	abort();
+}
+
+int
+pf_lbltable(struct snmp_context __unused *ctx, struct snmp_value *val,
+	u_int sub, u_int __unused vindex, enum snmp_op op)
+{
+	asn_subid_t	which = val->var.subs[sub - 1];
+	struct pfl_entry *e = NULL;
+
+	switch (op) {
+		case SNMP_OP_SET:
+			return (SNMP_ERR_NOT_WRITEABLE);
+		case SNMP_OP_GETNEXT:
+			if ((e = NEXT_OBJECT_INT(&pfl_table,
+			    &val->var, sub)) == NULL)
+				return (SNMP_ERR_NOSUCHNAME);
+			val->var.len = sub + 1;
+			val->var.subs[sub] = e->index;
+			break;
+		case SNMP_OP_GET:
+			if (val->var.len - sub != 1)
+				return (SNMP_ERR_NOSUCHNAME);
+			if ((e = pfl_table_find(val->var.subs[sub])) == NULL)
+				return (SNMP_ERR_NOSUCHNAME);
+			break;
+
+		case SNMP_OP_COMMIT:
+		case SNMP_OP_ROLLBACK:
+		default:
+			abort();
+	}
+
+	if ((time(NULL) - pfl_table_age) > PFL_TABLE_MAXAGE)
+		pfl_refresh();
+
+	switch (which) {
+	        case LEAF_pfLabelsLblName:
+			return (string_get(val, e->name, -1));
+		case LEAF_pfLabelsLblEvals:
+			val->v.counter64 = e->evals;
+			break;
+		case LEAF_pfLabelsLblBytesIn:
+			val->v.counter64 = e->bytes[IN];
+			break;
+		case LEAF_pfLabelsLblBytesOut:
+			val->v.counter64 = e->bytes[OUT];
+			break;
+		case LEAF_pfLabelsLblPktsIn:
+			val->v.counter64 = e->pkts[IN];
+			break;
+		case LEAF_pfLabelsLblPktsOut:
+			val->v.counter64 = e->pkts[OUT];
+			break;
+
+		default:
+			return (SNMP_ERR_NOSUCHNAME);
+	}
+
+	return (SNMP_ERR_NOERROR);
+}
+
+int
 pf_tbladdr(struct snmp_context __unused *ctx, struct snmp_value __unused *val,
 	u_int __unused sub, u_int __unused vindex, enum snmp_op __unused op)
 {
@@ -907,6 +1016,17 @@
 	return (NULL);
 }
 
+static struct pfl_entry *
+pfl_table_find(u_int idx)
+{
+	struct pfl_entry *e;
+
+	TAILQ_FOREACH(e, &pfl_table, link)
+		if (e->index == idx)
+			return (e);
+	return (NULL);
+}
+
 static int
 pfi_refresh(void)
 {
@@ -1129,6 +1249,135 @@
 	return(-1);
 }
 
+static int
+pfl_refresh(void)
+{
+	struct pfl_entry *e;
+
+	if (started && this_tick <= pf_tick)
+		return (0);
+
+	pfl_table_count = 0;
+	while (!TAILQ_EMPTY(&pfl_table)) {
+		e = TAILQ_FIRST(&pfl_table);
+		TAILQ_REMOVE(&pfl_table, e, link);
+		free(e);
+	}
+
+	if (pfl_walk_rulesets(""))
+		goto err;
+
+	pfl_table_age = time(NULL);
+	pf_tick = this_tick;
+
+	return (0);
+
+err:
+	pfl_table_count = 0;
+	while (!TAILQ_EMPTY(&pfl_table)) {
+		e = TAILQ_FIRST(&pfl_table);
+		TAILQ_REMOVE(&pfl_table, e, link);
+		free(e);
+	}
+
+	return (-1);
+}
+
+static int
+pfl_walk_rulesets(const char *path)
+{
+	struct pfioc_ruleset prs;
+	char newpath[MAXPATHLEN];
+	u_int32_t nr, i;
+
+	if (pfl_scan_ruleset(path))
+		goto err;
+
+	bzero(&prs, sizeof(prs));
+	strlcpy(prs.path, path, sizeof(prs.path));
+	if (ioctl(dev, DIOCGETRULESETS, &prs)) {
+		syslog(LOG_ERR, "pfl_walk_rulesets: ioctl(DIOCGETRULESETS): %s",
+		    strerror(errno));
+		goto err;
+	}
+
+	for (nr = prs.nr, i = 0; i < nr; i++) {
+		prs.nr = i;
+		if (ioctl(dev, DIOCGETRULESET, &prs)) {
+			syslog(LOG_ERR, "pfl_walk_rulesets: ioctl(DIOCGETRULESET): %s",
+			    strerror(errno));			
+			goto err;
+		}
+
+                if (!strcmp(prs.name, PF_RESERVED_ANCHOR))
+                        continue;
+
+		strlcpy(newpath, path, sizeof(newpath));
+		if (path[0])
+			strlcat(newpath, "/", sizeof(newpath));
+		strlcat(newpath, prs.name, sizeof(newpath));
+
+		if (pfl_walk_rulesets(newpath))
+			goto err;
+	}
+
+	return (0);
+
+err:
+	return (-1);
+}
+
+static int
+pfl_scan_ruleset(const char *path)
+{
+	struct pfioc_rule pr;
+	struct pfl_entry *e;
+	u_int32_t nr, i;
+
+	bzero(&pr, sizeof(pr));
+	strlcpy(pr.anchor, path, sizeof(pr.anchor));
+	pr.rule.action = PF_PASS;
+	if (ioctl(dev, DIOCGETRULES, &pr)) {
+		syslog(LOG_ERR, "pfl_scan_ruleset: ioctl(DIOCGETRULES): %s",
+		    strerror(errno));
+		goto err;
+	}
+
+	for (nr = pr.nr, i = 0; i < nr; i++) {
+		pr.nr = i;
+		if (ioctl(dev, DIOCGETRULE, &pr)) {
+			syslog(LOG_ERR, "pfl_scan_ruleset: ioctl(DIOCGETRULE): %s",
+			    strerror(errno));
+			goto err;
+		}
+
+		if (pr.rule.label[0]) {
+			e = (struct pfl_entry *)malloc(sizeof(*e));
+			if (e == NULL)
+				goto err;
+
+			strlcpy(e->name, path, sizeof(e->name));
+			if (path[0])
+				strlcat(e->name, "/", sizeof(e->name));
+			strlcat(e->name, pr.rule.label, sizeof(e->name));
+
+			e->evals      = pr.rule.evaluations;
+			e->bytes[IN]  = pr.rule.bytes[IN];
+			e->bytes[OUT] = pr.rule.bytes[OUT];
+			e->pkts[IN]   = pr.rule.packets[IN];
+			e->pkts[OUT]  = pr.rule.packets[OUT];
+			e->index      = ++pfl_table_count;
+
+			TAILQ_INSERT_TAIL(&pfl_table, e, link);
+		}
+	}
+
+	return (0);
+
+err:
+	return (-1);
+}
+
 /*
  * check whether altq support is enabled in kernel
  */
@@ -1175,6 +1424,7 @@
 	TAILQ_INIT(&pfi_table);
 	TAILQ_INIT(&pfq_table);
 	TAILQ_INIT(&pft_table);
+	TAILQ_INIT(&pfl_table);
 
 	pfi_refresh();
 	if (altq_enabled) {
@@ -1183,6 +1433,7 @@
 
 	pfs_refresh();
 	pft_refresh();
+	pfl_refresh();
 
 	started = 1;
 
@@ -1195,6 +1446,7 @@
 	struct pfi_entry *i1, *i2;
 	struct pfq_entry *q1, *q2;
 	struct pft_entry *t1, *t2;
+	struct pfl_entry *l1, *l2;
 
 	/* Empty the list of interfaces */
 	i1 = TAILQ_FIRST(&pfi_table);
@@ -1212,7 +1464,7 @@
 		q1 = q2;
 	}
 
-	/* And the list of tables */
+	/* List of tables */
 	t1 = TAILQ_FIRST(&pft_table);
 	while (t1 != NULL) {
 		t2 = TAILQ_NEXT(t1, link);
@@ -1220,6 +1472,14 @@
 		t1 = t2;
 	}
 
+	/* And the list of labeled filter rules */
+	l1 = TAILQ_FIRST(&pfl_table);
+	while (l1 != NULL) {
+		l2 = TAILQ_NEXT(l1, link);
+		free(l1);
+		l1 = l2;
+	}
+
 	close(dev);
 	return (0);
 }
@@ -1232,6 +1492,7 @@
 		pfq_refresh();
 	}
 	pft_refresh();
+	pfl_refresh();
 
 	syslog(LOG_ERR, "Dump: pfi_table_age = %jd",
 	    (intmax_t)pfi_table_age);
@@ -1245,9 +1506,13 @@
 
 	syslog(LOG_ERR, "Dump: pft_table_age = %jd",
 	    (intmax_t)pft_table_age);
-
 	syslog(LOG_ERR, "Dump: pft_table_count = %d",
 	    pft_table_count);
+
+	syslog(LOG_ERR, "Dump: pfl_table_age = %jd",
+	    (intmax_t)pfl_table_age);
+	syslog(LOG_ERR, "Dump: pfl_table_count = %d",
+	    pfl_table_count);
 }
 
 const struct snmp_module config = {
diff -ru snmp_pf.orig/pf_tree.def snmp_pf/pf_tree.def
--- snmp_pf.orig/pf_tree.def	2009-01-10 16:46:38.000000000 +0100
+++ snmp_pf/pf_tree.def	2009-03-18 09:54:20.000000000 +0100
@@ -186,6 +186,20 @@
 		  )
 		)
 	      )
+	      (11 pfLabels
+	        (1 pfLabelsLblNumber INTEGER32 pf_labels GET)
+		(2 pfLabelsLblTable
+		  (1 pfLabelsLblEntry : INTEGER32 pf_lbltable
+		    (1 pfLabelsLblIndex INTEGER32)
+		    (2 pfLabelsLblName OCTETSTRING GET)
+		    (3 pfLabelsLblEvals COUNTER64 GET)
+		    (4 pfLabelsLblBytesIn COUNTER64 GET)
+		    (5 pfLabelsLblBytesOut COUNTER64 GET)
+		    (6 pfLabelsLblPktsIn COUNTER64 GET)
+		    (7 pfLabelsLblPktsOut COUNTER64 GET)
+		  )
+		)
+	      )
             )
           )
         )
--- snmp_pf.diff ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20090320091532.GA28471>