On 26/08/2011 6:48 PM, Michael T. Davis wrote:
> I'm running...
>
> ipf: IP Filter: v4.1.29 (396)
> Kernel: IP Filter: v4.1.29
> Running: yes
> Log Flags: 0 = none set
> Default: pass all, Logging: available
> Active list: 0
> Feature mask: 0x10e
>
> ..under NetBSD 5.1 release i386. I was wondering if there's a way to
> partially wildcard an IP address specified with -D or -S as options to
> `ipfstat -t'? For example, this will tell me about SSH connections:
>
> ipfstat -t -P tcp -D any,22
>
> What if I'm only interested in such traffic coming from a particular subnet?
> -D/-S doesn't seem to accept CIDRs and/or <addr/mask>. The following kinds
> of queries would be helpful:
>
> ipfstat -t -P tcp -S 192.168.2.0/24,any -D any,22
>
> ipfstat -t -P tcp -S 10.2.*.*.any -D any,22
>
> ipfstat -t -P tcp -S 172.16.4.0/255.255.255.240,any -D any,22

No, -S/-D only support exact IP matching... and I'm not that inclined to
expand it further as the syntax doesn't have room to grow in a meaningful way.

>
> ..Maybe in ipf v5.11?

Yes. If you are using 5.1.1, try this:

ipfstat -m 'ip.src=10.2.0.0/16;' -t -P tcp

It's not very sophisticated and needs more work but in which direction
I'm not yet sure, vis a vis:
https://sourceforge.net/tracker/?func=detail&aid=3487103&group_id=169098&atid=849056

> Also, is the only way to reset the state statistics reported by
> `ipstat' or `ipstat -s' to reboot?

Not yet...
https://sourceforge.net/tracker/?func=detail&aid=3487102&group_id=169098&atid=849056

Darren
