
List:       openbsd-pf
Subject:    Re: interpreting pfctl -s info
From:       Daniel Hartmeier <daniel () benzedrine ! cx>
Date:       2002-12-25 3:40:24

On Tue, Dec 24, 2002 at 04:21:05PM -0500, Michael Lucas wrote:

> I'm not certain how to interpret the output of some pfctl -s entries.
> 
> State Table                          Total             Rate
>   current entries                        5               
>   searches                          630042            7.7/s
>   inserts                             1725            0.0/s
>   removals                            1720            0.0/s
> 
> "Current entries" is obvious, but what are "searches", "inserts," and
> "removals"?

They refer to state table entries. "searches" is incremented whenever
a state table lookup is done, which happens whenever a packet passes an
interface (twice for each forwarded packet).

"inserts" and "removals" are incremented when a state table entry is
created and destroyed, respectively. The difference between the two
totals should equal the number of current state table entries (unless
you reset them while leaving state entries intact, etc.), and the
two rates tend to get equal over time, and approximate the number of
newly established connections per second.

> Counters
>   match                               2504            0.0/s
>   bad-offset                             0            0.0/s
>   fragment                               0            0.0/s
>   short                                  0            0.0/s
>   normalize                              0            0.0/s
>   memory                                 0            0.0/s
> 
> The counters bad-offset, fragment, and short appear to be that sort of
> packet.  I would guess that "normalize" is the number of packets
> normalized by scrub.

It's the number of packets dropped by normalization. The packets that
were passed after normalization are not counted there.

> That leaves me wondering what "match" and "memory" mean.

"match" is incremented whenever a packet causes a ruleset evaluation and
a last matching rule is found. It's mainly useful in comparison with the
evaluation counters of individual rules (pfctl -vsr), or when comparing
the match rate vs. the state searches rate.

"memory" counts the number of packets dropped due to memory allocation
failures. If the memory pool limits set with 'set limit states/frags'
are reached, further packets/fragments that would require memory
allocation will be dropped. With high enough limits, this counter
shouldn't get very high. If it does, the limits should probably be
increased.

Daniel
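As an added example (not part of the thread or of pf itself), a small Python parser for `pfctl -s info` output that applies the sanity checks described in the reply: inserts minus removals should equal the current entry count, and the drop counters (memory in particular) should stay low. The input is a constructed sample modelled on the figures quoted above, not output captured from a live system.

```python
import re

# Constructed sample of `pfctl -s info` output, modelled on the figures
# quoted in the thread above (not captured from a real firewall).
SAMPLE = """\
State Table                          Total             Rate
  current entries                        5
  searches                          630042            7.7/s
  inserts                             1725            0.0/s
  removals                            1720            0.0/s
Counters
  match                               2504            0.0/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
"""

# Indented counter line: name, total, optional "<rate>/s". Section headers
# ("State Table", "Counters") start in column 0 and are skipped.
LINE = re.compile(r"^\s+([a-z-]+(?: entries)?)\s+(\d+)(?:\s+([\d.]+)/s)?\s*$")

def parse_info(text):
    """Return {counter name: (total, rate)}; rate is None where pfctl prints none."""
    stats = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            rate = float(m.group(3)) if m.group(3) else None
            stats[m.group(1)] = (int(m.group(2)), rate)
    return stats

# Counters that each represent packets dropped for the named reason.
DROP_COUNTERS = ("bad-offset", "fragment", "short", "normalize", "memory")

def check_info(stats):
    """Return (inserts-removals, nonzero drop counters, list of findings)."""
    findings = []
    delta = stats["inserts"][0] - stats["removals"][0]
    current = stats["current entries"][0]
    if delta != current:
        findings.append(f"inserts-removals={delta} != current entries={current}")
    drops = {k: stats[k][0] for k in DROP_COUNTERS if stats.get(k, (0,))[0] > 0}
    for name, total in drops.items():
        findings.append(f"{total} packets dropped by '{name}'")
    if "memory" in drops:
        findings.append("memory drops seen: consider raising 'set limit states/frags'")
    return delta, drops, findings
```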

