tech-net archive
NPF statistics
Hi,
Recently I have found myself using npf statistics to debug a lot of npf rules for people
and the data I get sometimes doesn’t help me enough and faster, especially when different address families are involved.
I want to add a few changes to the statistics output. I think this has been discussed with Greg Troxel before.
1. separate ipv4 and ipv6 statistics for each event.
2. add a -inet4 and -inet6 to npfctl stats
npfctl stats -inet4 shows for only ipv4
npfctl stats -inet6 shows for only v6.
not passing any flag shows both v4 and v6
3. make room for differences in v4 and v6 like v4 NAT and v6 NPT which is currently almost embedded in one.
This is a diff of the expected (not compilable), but just a short view of how stats could look.
RCS file: /cvsroot/src/usr.sbin/npf/npfctl/npfctl.c,v
retrieving revision 1.67
diff -u -r1.67 npfctl.c
--- usr.sbin/npf/npfctl/npfctl.c 1 Jul 2025 19:55:16 -0000 1.67
+++ usr.sbin/npf/npfctl/npfctl.c 23 Dec 2025 14:20:24 -0000
@@ -138,7 +138,8 @@
int index;
const char * name;
} stats[] = {
- { -1, "Packets passed" },
+ { -1, "INET4", "IPv4 packet statistics" },
+ { -1, " Packets passed" },
{ NPF_ETHER_STAT_PASS, "ether pass" },
{ NPF_STAT_PASS_DEFAULT, "default pass" },
{ NPF_STAT_PASS_RULESET, "ruleset pass" },
{ NPF_STAT_PASS_CONN, "state pass" },
{ -1, "Packets blocked" },
{ NPF_ETHER_STAT_BLOCK, "ether block" },
{ NPF_STAT_BLOCK_DEFAULT, "default block" },
{ NPF_STAT_BLOCK_RULESET, "ruleset block" },
{ -1, "State and NAT entries" },
{ NPF_STAT_CONN_CREATE, "state allocations”},
{ NPF_STAT_CONN_DESTROY, "state destructions”},
{ NPF_STAT_NAT_CREATE, "NAT entry allocations" },
{ NPF_STAT_NAT_DESTROY, "NAT entry destructions”} ,
{ -1, "Network buffers" },
{ NPF_STAT_NBUF_NONCONTIG, "non-contiguous cases" },
{ NPF_STAT_NBUF_CONTIG_FAIL, "contig alloc failures" },
{ -1, "Invalid packet state cases" },
{ NPF_STAT_INVALID_STATE, "cases in total" },
{ NPF_STAT_INVALID_STATE_TCP1, "TCP case I" },
{ NPF_STAT_INVALID_STATE_TCP2, "TCP case II" },
{ NPF_STAT_INVALID_STATE_TCP3, "TCP case III" },
{ -1, "Packet race cases" },
{ NPF_STAT_RACE_NAT, "NAT association race" },
{ NPF_STAT_RACE_CONN, "duplicate state race" },
{ -1, "Fragmentation" },
{ NPF_STAT_FRAGMENTS, "fragments" },
{ NPF_STAT_REASSEMBLY, "reassembled" },
{ NPF_STAT_REASSFAIL, "failed reassembly" },
{ -1, "Other" },
{ NPF_STAT_ERROR, "unexpected errors" },
+
+
+ { -1, "INET6", "IPv6 packet statistics" },
+ { -1, " Packets passed" },
+ { NPF_ETHER_STAT_PASS, "ether pass" },
+ { NPF_V6_STAT_PASS_DEFAULT, "default pass" },
+ { NPF_V6_STAT_PASS_RULESET, "ruleset pass" },
+ { NPF_V6_STAT_PASS_CONN, "state pass" },
+
+ { -1, "Packets blocked" },
+ { NPF_V6_ETHER_STAT_BLOCK, "ether block" },
+ { NPF_V6_STAT_BLOCK_DEFAULT, "default block" },
+ { NPF_V6_STAT_BLOCK_RULESET, "ruleset block" },
+
+ { -1, "State and NPT entries" },
+ { NPF_V6_STAT_CONN_CREATE, "state allocations"},
+ { NPF_V6_STAT_CONN_DESTROY, "state destructions"},
+ { NPF_STAT_NPT_CREATE, "NPT entry allocations" },
+ { NPF_STAT_NPT_DESTROY, "NPT entry destructions"},
+
+ { -1, "Network buffers" },
+ { NPF_V6_STAT_NBUF_NONCONTIG, "non-contiguous cases" },
+ { NPF_V6_STAT_NBUF_CONTIG_FAIL, "contig alloc failures" },
+
+ { -1, "Invalid packet state cases" },
+ { NPF_V6_STAT_INVALID_STATE, "cases in total" },
+ { NPF_v6_STAT_INVALID_STATE_TCP1, "TCP case I" },
+ { NPF_V6_STAT_INVALID_STATE_TCP2, "TCP case II" },
+ { NPF_V6_STAT_INVALID_STATE_TCP3, "TCP case III" },
+
+ { -1, "Packet race cases" },
+ { NPF_STAT_RACE_NPT, "NAT association race" },
+ { NPF_V6_STAT_RACE_CONN, "duplicate state race" },
+
+ { -1, "Fragmentation" },
+ { NPF_V6_STAT_FRAGMENTS, "fragments" },
+ { NPF_V6_STAT_REASSEMBLY, "reassembled" },
+ { NPF_V6_STAT_REASSFAIL, "failed reassembly" },
+
+ { -1, "Other" },
+ { NPF_V6_STAT_ERROR, "unexpected errors" },
};
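Review bot: the new heading rows `{ -1, "INET4", "IPv4 packet statistics" }` and `{ -1, "INET6", "IPv6 packet statistics" }` carry three initializers, but the struct shown at the top of the hunk has only `int index` and `const char * name`, so it needs a third member or the rows should drop one string. In the IPv6 block, `NPF_v6_STAT_INVALID_STATE_TCP1` has a lowercase `v` unlike every other `NPF_V6_` name, the pass group reuses `NPF_ETHER_STAT_PASS` while the block group uses `NPF_V6_ETHER_STAT_BLOCK`, and `NPF_STAT_RACE_NPT` is still labelled "NAT association race" under a section renamed to NPT. Only the first IPv4 group heading (" Packets passed") gets the leading-space indent; the other group headings in both families are unindented, so the nesting under the family headings would print unevenly.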
Emmanuel
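One way the per-family table and the `-inet4`/`-inet6` selection proposed above could be structured, as an added example that is not part of the original post or of NPF's source. The `fam` tag, the `X_*` counter slots, both function names and the output format are hypothetical, and the counter values are constructed.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical family selector; FAM_ANY means "no flag given". */
enum fam { FAM_ANY, FAM_INET4, FAM_INET6 };

/* Hypothetical counter slots standing in for per-family stat indices. */
enum { X_V4_PASS_RULESET, X_V4_BLOCK_RULESET,
       X_V6_PASS_RULESET, X_V6_BLOCK_RULESET, X_COUNT };

struct stat_row {
	enum fam fam;		/* family this row belongs to */
	int index;		/* counter slot, or -1 for a heading row */
	const char *name;
};

static const struct stat_row rows[] = {
	{ FAM_INET4, -1, "IPv4 packet statistics" },
	{ FAM_INET4, X_V4_PASS_RULESET, "ruleset pass" },
	{ FAM_INET4, X_V4_BLOCK_RULESET, "ruleset block" },
	{ FAM_INET6, -1, "IPv6 packet statistics" },
	{ FAM_INET6, X_V6_PASS_RULESET, "ruleset pass" },
	{ FAM_INET6, X_V6_BLOCK_RULESET, "ruleset block" },
};

/* Map an optional flag to a selector; an unknown flag is rejected with -1. */
int parse_family(const char *arg, enum fam *out)
{
	if (arg == NULL) { *out = FAM_ANY; return 0; }
	if (strcmp(arg, "-inet4") == 0) { *out = FAM_INET4; return 0; }
	if (strcmp(arg, "-inet6") == 0) { *out = FAM_INET6; return 0; }
	return -1;
}

/* Print rows matching sel; return how many counter lines were printed. */
int print_stats(FILE *fp, const uint64_t *val, enum fam sel)
{
	int n = 0;
	for (size_t i = 0; i < sizeof(rows) / sizeof(rows[0]); i++) {
		if (sel != FAM_ANY && rows[i].fam != sel)
			continue;
		if (rows[i].index == -1) { fprintf(fp, "%s:\n", rows[i].name); continue; }
		fprintf(fp, "\t%" PRIu64 " %s\n", val[rows[i].index], rows[i].name);
		n++;
	}
	return n;
}
```

Tagging each row with its family keeps one table and one print loop, so a heading row is filtered together with the counters under it.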