From: Roman Bogorodskiy (novel@FreeBSD.org)
To: freebsd-pf@freebsd.org
Date: Wed, 4 Jul 2007 09:26:40 +0400
Message-ID: <20070704052640.GA72918@underworld.novel.ru>
Subject: using pfctl -s labels and keep state for traffic accounting

Hi,

I'm going to use pf's label feature for traffic accounting, i.e. creating an anchor to be able to add/remove rules with labels on the fly and parse the output of pfctl -s labels. However, I spotted some problems with such an approach. When using 'keep state' it seems to have some limitations.
First of all, it doesn't seem to allow accounting in only one direction. Well, that was expected because states work that way. But calculating traffic in both directions gives strange results too. I have a rule:

    pass log quick on $ext_if proto tcp from self to some_host port https label "labels:test"

I have a file on https which I download. After the first try it gives:

    labels:test 284 23 2943

Then I add 'keep state', reload the rules file, check that the counters are zeroed and download the same file again, and get:

    labels:test 3 46 29427

Why does it happen that way? BTW, are there some other limitations to the approach of traffic accounting based on pf labels?

Roman Bogorodskiy
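The parsing step the mail describes (reading `pfctl -s labels` and accounting per label), as an added example that is not part of the original post: a small Python parser for the 4-column output quoted above that also accepts, as an assumption, the longer current pfctl(8) layout (label, evaluations, packets, bytes, packets in, bytes in, packets out, bytes out, state creations), plus a helper that turns two cumulative samples into per-label growth and treats counters that went backwards as a rule-set reload or `pfctl -z`. The sample lines and the label "acct web" are constructed for the example.

```python
"""Parser for `pfctl -s labels` output plus a counter-delta helper (added example)."""

# Constructed from the two counter lines in the mail (old 4-column layout):
# before and after the 'keep state' change and rule reload.
SAMPLE_BEFORE = "labels:test 284 23 2943\n"
SAMPLE_AFTER = "labels:test 3 46 29427\n"

# Column names; the first three match the mail, the rest are the additional
# columns of current pfctl(8) output (assumption about the newer layout).
FIELDS = ("evaluations", "packets", "bytes",
          "packets_in", "bytes_in", "packets_out", "bytes_out", "states")


def parse_labels(text):
    """Return {label: {field: int, ...}} for each line of pfctl -s labels.

    Numeric columns are taken from the right and whatever remains is the
    label. A label whose last word is itself a bare number is ambiguous in
    this format, so keep accounting labels free of trailing numbers.
    """
    stats = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        n = 0
        while n < len(parts) and n < len(FIELDS) and parts[-1 - n].isdigit():
            n += 1
        if n < 3 or n == len(parts):
            raise ValueError("cannot parse label line: %r" % line)
        label = " ".join(parts[:len(parts) - n])
        values = [int(p) for p in parts[len(parts) - n:]]
        stats[label] = dict(zip(FIELDS, values))
    return stats


def delta(before, after):
    """Per-label counter growth between two samples.

    Label counters are cumulative until the rule set is reloaded or zeroed
    (pfctl -z). If any counter of a label went backwards, the label was
    reset and its current values are the growth since that reset.
    """
    growth = {}
    for label, cur in after.items():
        prev = before.get(label)
        if prev is None or any(cur[k] < prev.get(k, 0) for k in cur):
            growth[label] = dict(cur)          # new label or counters reset
        else:
            growth[label] = {k: cur[k] - prev.get(k, 0) for k in cur}
    return growth
```

Run the two functions on successive `pfctl -a <anchor> -s labels` samples to get bytes per label per interval; the second sample in the mail is recognised as a reset, so its values are reported as-is rather than as a negative delta.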