Firewall rules hitcount for pfSense 2.1.5 and 2.2.4

marcelloc

@athurdent:

On to the next problem, Port Aliases. While pf let's us write single-line rules with something like

port {  25  465  587 }

it automatically creates a separate rule for every single port. pfctl will show three rules for the example above whilst our ruleset only has a single rule for this.

check if new code fixes it. (v0.31)

@78(1439883226) pass in quick on em0 reply-to (em0 172.17.12.1) inet proto tcp from any to (self:3) port = http flags S/SA keep state label "USER_RULE: 1439883226"
  [ Evaluations: 17        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 23535 State Creations: 3319624344]
@79(1439883226) pass in quick on em0 reply-to (em0 172.17.12.1) inet proto tcp from any to (self:3) port = https flags S/SA keep state label "USER_RULE: 1439883226"
  [ Evaluations: 17        Packets: 763       Bytes: 442121      States: 6     ]
  [ Inserted: pid 23535 State Creations: 3319624408]
@80(1439883226) pass in quick on em0 reply-to (em0 172.17.12.1) inet proto tcp from any to (self:3) port = ssh flags S/SA keep state label "USER_RULE: 1439883226"
  [ Evaluations: 1         Packets: 555       Bytes: 81812       States: 1     ]
  [ Inserted: pid 23535 State Creations: 3321614424]
@81(1439883226) pass in quick on em0 reply-to (em0 172.17.12.1) inet proto tcp from any to (self:3) port = 8443 flags S/SA keep state label "USER_RULE: 1439883226"
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 23535 State Creations: 3321614400]
@82(1439883226) pass in quick on em0 reply-to (em0 172.17.12.1) inet proto tcp from any to (self:3) port = domain flags S/SA keep state label "USER_RULE: 1439883226"
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 23535 State Creations: 3321614376]

athurdent

Thanks, works great.
But one odd thing I noticed is, that rules with multiple ports like those you fixed seem to get their counter cleared on every filter reload. At the same time, my other "normal" rules do not suffer from this.
Are you seeing this too, or am I doing something wrong?

marcelloc

More features on version 0.4 for pfsense 2.2, now we can view hit count, list and kill States(with ajax to keep it light and fast).

JackL

Very nice!

Good job as always, marcelloc!

[]`s
Jack

athurdent

marcelloc, the lastest update works great, thanks again.

Still, the new hitcount feature reveals that some rules with multiple ports like "{  25  465  587 }" or multiple protocols like "{ tcp udp }" get their packet/byte counter reset on reload. Evaluations / State Creations seem not affected. Nobody else seeing this?

haddock

Awesome feature!

Can't wait to see this merged upstream!  ;D

Gertjan

Good job.
Test-driving it on a 2.2.4. Works as advertised.

Git->Clone->Patch->Push-request this  :)

bennyc

+1 thanks Marcello, really useful feature.
Love to see that merged also  ;D

marcelloc

Pull request sent do 2.3-DEVELOPMENT

https://github.com/pfsense/pfsense/pull/1892

LinuxTracker

Very, very nice.

(Also: One more column of info feels like a step toward widescreen display!)

marcelloc

I suggest all who cant test to do it on 2.2 and/or 2.3-devel and comment on pull request. Maybe with more people testing, it get merged faster…

LinuxTracker

@marcelloc:

I suggest all who cant test to do it on 2.2 and/or 2.3-devel and comment on pull request. Maybe with more people testing, it get merged faster…

Done.

The more I play with this the more I like it.
On mouseover, I get the data I was trying (unsuccessfully) to glean out of pfTop.

marcelloc

@LinuxTracker:

The more I play with this the more I like it.

me too.  :)

@LinuxTracker:

On mouseover, I get the data I was trying (unsuccessfully) to glean out of pfTop.

Great!

marcelloc

Send a new pull request with almost all code working on 2.3 with bootstrap.

I'll need some help to adjust the code to popup traffic on rule click.
The code is there but is not visible after ajax return.

https://github.com/pfsense/pfsense/pull/1901

brandur

I noticed that 2.3 is nearing Beta stage. Has your great improvement been merged with 2.3(and approved)?

marcelloc

@brandur:

I noticed that 2.3 is nearing Beta stage. Has your great improvement been merged with 2.3(and approved)?

unfortunately no. :(

brandur

@marcelloc:

@brandur:

I noticed that 2.3 is nearing Beta stage. Has your great improvement been merged with 2.3(and approved)?

unfortunately no. :(

That is just very sad news  :'(
Was there any particular reason it didn't "make it"?

(Then the question becomes. Are you going to try to get it committed for a higher version?)

bennyc

Hmm, not nice because this was a super no brainer feature that was very very helpful  >:(
I see the pull request has a "CLA label". I have no idea for what CLA stands in this case  :-[ Could someone shed a light here?

phil.davis

I see the pull request has a "CLA label". I have no idea for what CLA stands in this case  :-[ Could someone shed a light here?[/quote]
That means that the contributor has correctly completed the relevant licensing agreement. So that is a good thing.

From the comments on https://github.com/pfsense/pfsense/pull/1901 it seems that there is some thought to add some support in binaries to make it more efficent to do. But for some reason progress in those comments stops in late Sep 2015.

RonpfS

Cool feature  ;)

However on 2.2.6 x32, with pfBlockerNG, it does break pftop/Label
Before it was : USERRULES: pfB_PR, after patching it shows :USERRULES: 1770001532

and the Status: System logs: Firewall Rule column
Instead of displaying pfB_PRI3 auto rule (1770001532) it shows 1770001532 (1770001532)