[prev in list] [next in list] [prev in thread] [next in thread] 

List:       ipfilter
Subject:    Re: Can IP addresses be partially wildcarded w/ `ipfstat -t'?
From:       Darren Reed <darrenr () reed ! wattle ! id ! au>
Date:       2012-02-12 21:47:38
Message-ID: 28607_1329083967_4F38363E_28607_10452_1_4F38337A.6000701 () reed ! wattle ! id ! au
[Download RAW message or body]

On 26/08/2011 6:48 PM, Michael T. Davis wrote:
> 	I'm running...
>
>  ipf: IP Filter: v4.1.29 (396)
>  Kernel: IP Filter: v4.1.29
>  Running: yes
>  Log Flags: 0 = none set
>  Default: pass all, Logging: available
>  Active list: 0
>  Feature mask: 0x10e
>
> ..under NetBSD 5.1 release i386.  I was wondering if there's a way to
> partially wildcard an IP address specified with -D or -S as options to
> `ipfstat -t'?  For example, this will tell me about SSH connections:
>
>                           ipfstat -t -P tcp -D any,22
>
> What if I'm only interested in such traffic coming from a particular subnet?
> -D/-S doesn't seem to accept CIDRs and/or <addr/mask>.  The following kinds
> of queries would be helpful:
>
>                ipfstat -t -P tcp -S 192.168.2.0/24,any -D any,22
>
>                   ipfstat -t -P tcp -S 10.2.*.*.any -D any,22
>
>          ipfstat -t -P tcp -S 172.16.4.0/255.255.255.240,any -D any,22

No, -S/-D only support exact IP matching...
and I'm not that inclined to expand it further as the syntax
doesn't have room to grow in a meaningful way.

>
> ..Maybe in ipf v5.11?

Yes. If you are using 5.1.1, try this:

ipfstat -m 'ip.src=10.2.0.0/16;' -t -P tcp

It's not very sophisticated and needs more work but
in which direction I'm not yet sure, vis a vis:
https://sourceforge.net/tracker/?func=detail&aid=3487103&group_id=169098&atid=849056

> 	Also, is the only way to reset the state statistics reported by
> `ipstat' or `ipstat -s' to reboot?

Not yet...
https://sourceforge.net/tracker/?func=detail&aid=3487102&group_id=169098&atid=849056

Darren

[prev in list] [next in list] [prev in thread] [next in thread]