[Feature request] Will hit count be present in pfSense 2.3?



  • Hi, will the hit count patch by marcelloc be present in pfSense 2.3?

    Thanks.



  • up  ?



  • @whitexp:

    Hi, will the hit count patch by marcelloc be present in pfSense 2.3?

    Thanks.

    Unfortunately it didn't make it.
    https://forum.pfsense.org/index.php?topic=97925.msg584705#msg584705

    Hopefully it will be corrected against master and made available as a system patch in the meantime.



  • After a new function was added to pfSense 2.3, I've updated the code to today's beta version.

    I think it's close to getting merged.








  • Sadly, some of my rules get their counters reset when a Filter Reload takes place. I believe it's related to using Port Aliases. Here's a rule with Port Aliases before and after a Filter Reload:

    Before:

    
    [2.3-BETA][root@pfsense]/root: pfctl -vvsr | grep -A32 "@175"
    @175(1416374367) pass in quick on igb0 route-to (igb1 *.*.*.1) inet proto tcp from *.*.*.0/24 to any port = ftp flags S/SA keep state label "USER_RULE: Allow Ports TCP IPv4"
      [ Evaluations: 1087      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: pid 20721 State Creations: 0     ]
    @176(1416374367) pass in quick on igb0 route-to (igb1 *.*.*.1) inet proto tcp from *.*.*.0/24 to any port = nicname flags S/SA keep state label "USER_RULE: Allow Ports TCP IPv4"
      [ Evaluations: 1087      Packets: 10        Bytes: 2981        States: 1     ]
      [ Inserted: pid 20721 State Creations: 1     ]
    @177(1416374367) pass in quick on igb0 route-to (igb1 *.*.*.1) inet proto tcp from *.*.*.0/24 to any port = http flags S/SA keep state label "USER_RULE: Allow Ports TCP IPv4"
      [ Evaluations: 1086      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: pid 20721 State Creations: 0     ]
    @178(1416374367) pass in quick on igb0 route-to (igb1 *.*.*.1) inet proto tcp from *.*.*.0/24 to any port = ntp flags S/SA keep state label "USER_RULE: Allow Ports TCP IPv4"
      [ Evaluations: 1086      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: pid 20721 State Creations: 0     ]
    @179(1416374367) pass in quick on igb0 route-to (igb1 *.*.*.1) inet proto tcp from *.*.*.0/24 to any port = https flags S/SA keep state label "USER_RULE: Allow Ports TCP IPv4"
      [ Evaluations: 1086      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: pid 20721 State Creations: 0     ]
    @180(1416374367) pass in quick on igb0 route-to (igb1 *.*.*.1) inet proto tcp from *.*.*.0/24 to any port = rtsp flags S/SA keep state label "USER_RULE: Allow Ports TCP IPv4"
      [ Evaluations: 1086      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: pid 20721 State Creations: 0     ]
    @181(1416374367) pass in quick on igb0 route-to (igb1 *.*.*.1) inet proto tcp from *.*.*.0/24 to any port = nntps flags S/SA keep state label "USER_RULE: Allow Ports TCP IPv4"
      [ Evaluations: 1086      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: pid 20721 State Creations: 0     ]
    @182(1416374367) pass in quick on igb0 route-to (igb1 *.*.*.1) inet proto tcp from *.*.*.0/24 to any port = imaps flags S/SA keep state label "USER_RULE: Allow Ports TCP IPv4"
      [ Evaluations: 1086      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: pid 20721 State Creations: 0     ]
    @183(1416374367) pass in quick on igb0 route-to (igb1 *.*.*.1) inet proto tcp from *.*.*.0/24 to any port 1023:65535 flags S/SA keep state label "USER_RULE: Allow Ports TCP IPv4"
      [ Evaluations: 1086      Packets: 40        Bytes: 2324        States: 4     ]
      [ Inserted: pid 20721 State Creations: 4     ]
    @184(1416374367) pass in quick on igb0 route-to (igb1 *.*.*.1) inet proto tcp from *.*.*.0/24 to any port = pop3s flags S/SA keep state label "USER_RULE: Allow Ports TCP IPv4"
      [ Evaluations: 1082      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: pid 20721 State Creations: 0     ]
    @185(1416374367) pass in quick on igb0 route-to (igb1 *.*.*.1) inet proto tcp from *.*.*.0/24 to any port = daytime flags S/SA keep state label "USER_RULE: Allow Ports TCP IPv4"
      [ Evaluations: 1082      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: pid 20721 State Creations: 0     ]
    
    

    and after:

    
    [2.3-BETA][root@pfsense]/root: pfctl -vvsr | grep -A32 "@175"
    @175(1416374367) pass in quick on igb0 route-to (igb1 *.*.*.1) inet proto tcp from *.*.*.0/24 to any port = ftp flags S/SA keep state label "USER_RULE: Allow Ports TCP IPv4"
      [ Evaluations: 1093      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: pid 73316 State Creations: 0     ]
    @176(1416374367) pass in quick on igb0 route-to (igb1 *.*.*.1) inet proto tcp from *.*.*.0/24 to any port = nicname flags S/SA keep state label "USER_RULE: Allow Ports TCP IPv4"
      [ Evaluations: 1093      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: pid 73316 State Creations: 0     ]
    @177(1416374367) pass in quick on igb0 route-to (igb1 *.*.*.1) inet proto tcp from *.*.*.0/24 to any port = http flags S/SA keep state label "USER_RULE: Allow Ports TCP IPv4"
      [ Evaluations: 1093      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: pid 73316 State Creations: 0     ]
    @178(1416374367) pass in quick on igb0 route-to (igb1 *.*.*.1) inet proto tcp from *.*.*.0/24 to any port = ntp flags S/SA keep state label "USER_RULE: Allow Ports TCP IPv4"
      [ Evaluations: 1093      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: pid 73316 State Creations: 0     ]
    @179(1416374367) pass in quick on igb0 route-to (igb1 *.*.*.1) inet proto tcp from *.*.*.0/24 to any port = https flags S/SA keep state label "USER_RULE: Allow Ports TCP IPv4"
      [ Evaluations: 1093      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: pid 73316 State Creations: 0     ]
    @180(1416374367) pass in quick on igb0 route-to (igb1 *.*.*.1) inet proto tcp from *.*.*.0/24 to any port = rtsp flags S/SA keep state label "USER_RULE: Allow Ports TCP IPv4"
      [ Evaluations: 1093      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: pid 73316 State Creations: 0     ]
    @181(1416374367) pass in quick on igb0 route-to (igb1 *.*.*.1) inet proto tcp from *.*.*.0/24 to any port = nntps flags S/SA keep state label "USER_RULE: Allow Ports TCP IPv4"
      [ Evaluations: 1093      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: pid 73316 State Creations: 0     ]
    @182(1416374367) pass in quick on igb0 route-to (igb1 *.*.*.1) inet proto tcp from *.*.*.0/24 to any port = imaps flags S/SA keep state label "USER_RULE: Allow Ports TCP IPv4"
      [ Evaluations: 1093      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: pid 73316 State Creations: 0     ]
    @183(1416374367) pass in quick on igb0 route-to (igb1 *.*.*.1) inet proto tcp from *.*.*.0/24 to any port 1023:65535 flags S/SA keep state label "USER_RULE: Allow Ports TCP IPv4"
      [ Evaluations: 1093      Packets: 10        Bytes: 582         States: 1     ]
      [ Inserted: pid 73316 State Creations: 1     ]
    @184(1416374367) pass in quick on igb0 route-to (igb1 *.*.*.1) inet proto tcp from *.*.*.0/24 to any port = pop3s flags S/SA keep state label "USER_RULE: Allow Ports TCP IPv4"
      [ Evaluations: 1092      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: pid 73316 State Creations: 0     ]
    @185(1416374367) pass in quick on igb0 route-to (igb1 *.*.*.1) inet proto tcp from *.*.*.0/24 to any port = daytime flags S/SA keep state label "USER_RULE: Allow Ports TCP IPv4"
      [ Evaluations: 1092      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: pid 73316 State Creations: 0     ]
    
    


  • Another problem:

    One seems to have to edit & save rules that are auto-created as associated Firewall rules for NAT rules.
    If they are not edited once, with pfctl -vvsr they look like:

    @100(0) 
    

    and it seems the 0 is some kind of rule ID, because all auto-created rules with 0 show the same data.
    Editing the rule once makes it show up like this:

    @100(1454050846)
    

    Afterwards data seems to be accurate.



  • @athurdent:

    Another problem:

    One seems to have to edit & save rules that are auto-created as associated Firewall rules for NAT rules.
    If they are not edited once, with pfctl -vvsr they look like:

    @100(0) 
    

    Associated firewall rules were missing the tracker ID. I just fixed that. For existing rules, either edit and save, or once you go through an upgrade that includes the config revision 14.1 upgrade, it'll add any missing tracker tags.



  • Great, thanks! That was quick :)
    GitSynced, gave it a quick test and it worked like a charm.
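
An added example, not part of any post in this thread: a small Python parser for saved `pfctl -vvsr` output that compares two snapshots taken around a Filter Reload, reports cumulative counters that went down on an unchanged rule, and lists rules whose tracker ID is 0. The function names and the sample text (abridged from the output posted above, with one constructed `@100(0)` rule) are assumptions made for illustration.

```python
import re

RULE = re.compile(r"^@(\d+)\((\d+)\)\s*(.*)$")          # "@176(1416374367) pass in ..."
STAT = re.compile(r"(Evaluations|Packets|Bytes|States|State Creations):\s*(\d+)")
CUMULATIVE = ("Packets", "Bytes", "State Creations")    # totals; "States" is a live gauge

def parse_vvsr(text):
    """Map pf rule number -> tracker ID, rule text and counters."""
    rules, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        m = RULE.match(line)
        if m:
            cur = rules[int(m.group(1))] = {"tracker": int(m.group(2)), "rule": m.group(3)}
        elif cur is not None and line.startswith("["):
            cur.update((k, int(v)) for k, v in STAT.findall(line))
    return rules

def find_resets(before, after):
    """Cumulative counters that went down on a rule that is otherwise unchanged."""
    hits = []
    for num, old in sorted(before.items()):
        new = after.get(num)
        if not new or (new["tracker"], new["rule"]) != (old["tracker"], old["rule"]):
            continue  # renumbered or rewritten rule: the two samples are not comparable
        hits += [(num, k, old[k], new.get(k, 0)) for k in CUMULATIVE
                 if new.get(k, 0) < old.get(k, 0)]
    return hits

def untracked(rules):
    """Rule numbers with tracker ID 0 (reported in the thread to all show the same data)."""
    return sorted(n for n, r in rules.items() if r["tracker"] == 0)

# Constructed sample, abridged from the output in the thread, plus a constructed @100(0) rule.
BEFORE = """\
@100(0) pass in quick on igb0 inet proto tcp from any to any port = http flags S/SA keep state
  [ Evaluations: 12        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 20721 State Creations: 0     ]
@176(1416374367) pass in quick on igb0 inet proto tcp from *.*.*.0/24 to any port = nicname flags S/SA keep state
  [ Evaluations: 1087      Packets: 10        Bytes: 2981        States: 1     ]
  [ Inserted: pid 20721 State Creations: 1     ]
"""
AFTER = """\
@100(0) pass in quick on igb0 inet proto tcp from any to any port = http flags S/SA keep state
  [ Evaluations: 14        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 73316 State Creations: 0     ]
@176(1416374367) pass in quick on igb0 inet proto tcp from *.*.*.0/24 to any port = nicname flags S/SA keep state
  [ Evaluations: 1093      Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: pid 73316 State Creations: 0     ]
"""
```

Save `pfctl -vvsr` to a file before and after the reload and pass both texts to `parse_vvsr`; rules whose number, tracker ID or text changed between the two samples are skipped rather than reported.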