tech-net archive
npf stats (was: Re: CVS commit: src/sys/net/npf)
On Tue, Jul 08, 2025 at 04:42:34PM +0000, Emmanuel Nyarko wrote:
> > On 8 Jul 2025, at 4:25 PM, Greg Troxel <gdt%lexort.com@localhost> wrote:
> > Emmanuel Nyarko <emmankoko519%gmail.com@localhost> writes:
> > Sorry, I missed that. I scanned the output from npfctl on the left and
> > didn't realize the first line had 5 separate verbs. I'm going to say
> > that's my fault and it's ok.
> >
> > It would probably be good to improve granularity, perhaps in/out to
> > start with, and "ether" probably should be layer-2 to be consistent.
While we have free wishes, I want per-rule counters like iptables/nftables.
Partial output from "nft list ruleset":
chain forward {
    type filter hook forward priority filter; policy drop;
    ct state established,related counter packets 27065434 bytes 20944420663 accept
    iifname != "ppp0" counter packets 356074 bytes 115047461 accept
    oifname "ppp0" counter packets 0 bytes 0 accept
    iifname "ppp0" goto external-traffic-common
    ct state invalid counter packets 0 bytes 0 reject
}
chain output {
    type filter hook output priority filter; policy accept;
    oif "lo" counter packets 24 bytes 2040 accept
}
chain external-traffic-common {
    icmp type echo-request counter packets 113963 bytes 7624741 accept
    icmpv6 type echo-request counter packets 1756 bytes 99342 accept
    ip saddr 188.246.0.82 udp dport { 5060, 7077-7110 } counter packets 1 bytes 650 accept
    ip saddr 85.88.27.200/29 udp dport 123 counter packets 1081 bytes 82156 accept
    tcp dport 22 counter packets 21918 bytes 1725340 accept
    tcp dport { 80, 443 } counter packets 13625 bytes 708723 accept
    udp dport { 500, 4500 } counter packets 935 bytes 275688 accept
    meta l4proto esp counter packets 0 bytes 0 accept
}
--chris
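Per-rule counters of the kind shown in the nft listing above are only worth having if something reads them. The following is an added example, not code from this thread, from NPF or from nftables: it parses the text form of `nft list ruleset` into (chain, rule, packets, bytes) records, diffs two snapshots taken some time apart, and lists rules whose counter never moved. The two snapshots are constructed here and only loosely modelled on Chris's chains; the function and field names (`parse_counters`, `counter_deltas`, `unhit_rules`, `RuleCounter`) are this example's own.

```python
"""Added example: read per-rule counters out of `nft list ruleset` text.

The snapshots below are constructed input, modelled on the chains quoted in
the thread; names here are this example's own, not an nftables API.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# `nft list ruleset` prints a rule's counter inline as "counter packets N bytes M".
COUNTER_RE = re.compile(r"\bcounter packets (\d+) bytes (\d+)\b")
CHAIN_RE = re.compile(r"^\s*chain\s+(\S+)\s*\{")


@dataclass(frozen=True)
class RuleCounter:
    chain: str
    rule: str      # rule text with the counter values blanked; used as the match key
    packets: int
    octets: int


def parse_counters(listing: str) -> list[RuleCounter]:
    """One RuleCounter per rule carrying a counter statement, in listing order."""
    found: list[RuleCounter] = []
    chain = None
    for raw in listing.splitlines():
        line = raw.strip()
        m = CHAIN_RE.match(raw)
        if m:
            chain = m.group(1)
            continue
        if line == "}":            # closes the current chain (or the table; harmless)
            chain = None
            continue
        c = COUNTER_RE.search(line)
        if c and chain is not None:
            # Two byte-identical rules in one chain would collide on this key;
            # `nft -a` handle numbers would disambiguate, but are not assumed here.
            key = COUNTER_RE.sub("counter", line)
            found.append(RuleCounter(chain, key, int(c.group(1)), int(c.group(2))))
    return found


def counter_deltas(before, after):
    """Increments per (chain, rule) between two snapshots.

    A counter that went backwards means the ruleset was reloaded and counters
    reset; the new absolute value is reported instead of a negative delta."""
    prev = {(r.chain, r.rule): r for r in before}
    deltas = {}
    for r in after:
        p = prev.get((r.chain, r.rule))
        if p is None or r.packets < p.packets:
            deltas[(r.chain, r.rule)] = (r.packets, r.octets)
        else:
            deltas[(r.chain, r.rule)] = (r.packets - p.packets, r.octets - p.octets)
    return deltas


def unhit_rules(counters):
    """Rules still at zero: dead policy, or traffic not reaching the chain as assumed."""
    return [r for r in counters if r.packets == 0]


# Constructed snapshot, first sample.
SNAPSHOT_A = """table inet filter {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related counter packets 27065434 bytes 20944420663 accept
        iifname != "ppp0" counter packets 356074 bytes 115047461 accept
        oifname "ppp0" counter packets 0 bytes 0 accept
        iifname "ppp0" goto external-traffic-common
        ct state invalid counter packets 0 bytes 0 reject
    }
    chain external-traffic-common {
        tcp dport 22 counter packets 21918 bytes 1725340 accept
        meta l4proto esp counter packets 0 bytes 0 accept
    }
}
"""

# Constructed snapshot, same ruleset a few minutes later.
SNAPSHOT_B = """table inet filter {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related counter packets 27070000 bytes 20950000000 accept
        iifname != "ppp0" counter packets 356100 bytes 115060000 accept
        oifname "ppp0" counter packets 0 bytes 0 accept
        iifname "ppp0" goto external-traffic-common
        ct state invalid counter packets 3 bytes 180 reject
    }
    chain external-traffic-common {
        tcp dport 22 counter packets 21950 bytes 1728000 accept
        meta l4proto esp counter packets 0 bytes 0 accept
    }
}
"""

if __name__ == "__main__":
    deltas = counter_deltas(parse_counters(SNAPSHOT_A), parse_counters(SNAPSHOT_B))
    for (chain, rule), (pk, by) in deltas.items():
        print(f"{chain:24} {pk:>8} pkts {by:>12} bytes  {rule}")
    for r in unhit_rules(parse_counters(SNAPSHOT_B)):
        print(f"never hit: {r.chain}: {r.rule}")
```

Run against two saved copies of `nft list ruleset` output, the deltas give per-rule traffic for the interval and the zero list flags rules to question: an `esp accept` that never matched is a tunnel that is not up, a `reject` for invalid state that never fires on a busy link may mean conntrack is not seeing the traffic at all.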