--- Sven Ingebrigt Ulland <[EMAIL PROTECTED]> wrote:
> I'm keeping basic in/out IP accounting info using labels. However,
> consider this simple ruleset:
>
> pass out keep state
>
> pass in on $int_if from $client1 to ! $localnet label "Client1_out"
> pass out on $int_if from ! $localnet to $client1 label "Client1_in"
>
> Of course, when keeping state, packets matching the state effectively
> skip the rest of the ruleset. According to
> <URL:http://www.openbsd.org/faq/pf/filter.html#state>:
> "[...] not only do packets going from the sender to receiver match the
> state entry and bypass ruleset evaluation, but so do the reply packets
> from receiver to sender."
>
> Does this mean that basic label-based IP accounting won't mix with
> keeping state at all? Please note that I cannot simply count incoming
> and outgoing packets/bytes on each interface, since only routed
> "internet" traffic should be accounted for -- not traffic on the local
> net, including between clients and the router itself.
>
> regards,
> sven

There is a patch in current
http://www.openbsd.org/cgi-bin/cvsweb/src/sbin/pfctl/pfctl.c
which allows counting in/out packets + in/out bytes from labels.
If you use keep state, all directions are counted, in/out.

pass in on $int_if from $client1 to ! $localnet label "Client1_out"

$Client1_out 845 11941 5413693 6723 715196 5218 4698497

http://www.openbsd.org/cgi-bin/man.cgi?query=pfctl&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html

  -s labels
      Show per-rule statistics (label, evaluations, packets total,
      bytes total, packets in, bytes in, packets out, bytes out) of
      filter rules with labels, useful for accounting.

Best regards
T.Koychev

Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie)
Key fingerprint=2499 DE87 82ED 23A8 FD20 3078 04FE 610E 300D 6655
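Added example, not part of the original message or of pfctl itself: a small shell/awk filter that turns `pfctl -s labels` output into per-label in/out byte totals and checks that in + out equals the reported total. It assumes the eight-column format quoted from the man page above; the function name `label_accounting` and the second sample line are constructed for illustration, while the first sample line reuses the counters quoted in the reply.

```shell
#!/bin/sh
# Summarise `pfctl -s labels` output for per-client accounting.
# Assumed line format (from the man page text quoted in the message):
#   label evaluations packets bytes packets_in bytes_in packets_out bytes_out
# The last seven fields are numeric; everything before them is the label,
# so labels that contain spaces are handled too.

label_accounting() {
    awk '
    NF >= 8 {
        n = NF
        # Reject lines whose last seven fields are not plain integers.
        for (i = n - 6; i <= n; i++)
            if ($i !~ /^[0-9]+$/) next
        label = $1
        for (i = 2; i <= n - 7; i++) label = label " " $i
        pkts = $(n-5); bytes = $(n-4)
        pin  = $(n-3); bin   = $(n-2)
        pout = $(n-1); bout  = $n
        # With the in/out counters, both directions of a stateful
        # connection land on the one rule that created the state, so
        # in + out must add up to the totals. A mismatch means the
        # column layout differs from the one assumed here.
        status = (pin + pout == pkts && bin + bout == bytes) ? "ok" : "MISMATCH"
        printf "%s in=%s out=%s total=%s %s\n", label, bin, bout, bytes, status
    }'
}

# Sample input: first line uses the counters from the message,
# second line is constructed (label with spaces, inconsistent totals).
SAMPLE='Client1_out 845 11941 5413693 6723 715196 5218 4698497
Client 2 net 10 5 500 2 200 3 301'

printf '%s\n' "$SAMPLE" | label_accounting
```

On a live system the input would come from `pfctl -s labels | label_accounting`, run with sufficient privileges to read the pf counters.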
