Instances
An instance defines entry points (physical interfaces) in PacketShield and one or more applicable rule sets (context).
An instance is designated by a name.
Each instance owns its own session table and configuration.
Use the sysfs entry
You manage instances using the sysfs entry /sys/packetshield/instances.
Create an instance
Using the GUI
Use the statement instances followed by the <instance name>.
instances myinst
Using sysfs
Write +<instance name> in the sysfs entry.
$ echo "+myinst" > /sys/packetshield/instances
Destroy an instance
Using the GUI
Remove the instances line that creates it.
Using sysfs
Write -<instance name> in the sysfs entry.
$ echo "-myinstance" > /sys/packetshield/instances
List the currently configured instances
This function is only available using the CLI.
Read the content of the file /sys/packetshield/instances.
$ cat /sys/packetshield/instances
myinst3
myinst2
myinst1
Set options
sysfs
Display and set options using read and write operations, respectively, on the sysfs files present in the directory /sys/packetshield/<instance name>/<option>.
$ echo 30 > /sys/packetshield/myinst/ack_session_timeout
$ echo 4 > /sys/packetshield/myinst/syn_session_timeout
GUI
Configure options using the following scheme: <instance name>/<option> followed by the desired parameter value.
myinst/ack_session_timeout 30
myinst/syn_session_timeout 4
The following options are available:
Option | Default | Description |
---|---|---|
ack_session_timeout | 60 s | When an ACK packet arrives, the corresponding session is considered invalid if the elapsed time since the previous packet is greater than this value |
syn_session_timeout | 10 s | When a SYN packet arrives, the corresponding session is considered invalid if the elapsed time since the previous packet is greater than this value |
 | 60 s | When an RST packet arrives, the corresponding session is considered invalid if the elapsed time since the previous packet is greater than this value |
 | 60 s | When a DNS response packet arrives, the corresponding session is considered invalid if the elapsed time since the corresponding DNS request is greater than this value |
Get instance statistics
This function is only available using the CLI.
You can read an instance's statistics counters from the sysfs entry /sys/packetshield/<instance name>/stats.
$ cat /sys/packetshield/myinst/stats
rx_total : 56741
capmissed : 56502
tx_total : 11329
Counter | Description |
---|---|
rx_total | total incoming packets on the current instance |
tx_total | total outgoing packets on the current instance (except packets generated by PacketShield itself, such as syncookies) |
capmissed | incoming packets not copied to the debugging capture slots |
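The option writes and the stats read shown above, wrapped in a small POSIX shell helper. This is an added example, not part of the PacketShield documentation or product: it checks that an instance is listed before acting on it, refuses option names that have no sysfs file and non-numeric values, reads each option back after writing it to confirm the value was accepted, and parses the "name : value" lines of the stats file. The PS_SYSFS override, the function names and the demo values are assumptions; the sysfs paths and the stats line format are the ones shown on this page.

```shell
#!/bin/sh
# Added example (not PacketShield's own tooling): manage one instance's
# timeouts and read its counters through the sysfs tree described above.
# PS_SYSFS can be overridden (assumption) to point at a copy of the tree;
# the default is the real path from the documentation.
PS_SYSFS="${PS_SYSFS:-/sys/packetshield}"

# Return 0 if the instance is listed in /sys/packetshield/instances.
ps_instance_exists() {
    grep -qx -- "$1" "$PS_SYSFS/instances"
}

# Create the instance unless it already exists, so the call is safe to
# repeat from a boot script.
ps_instance_create() {
    ps_instance_exists "$1" && return 0
    printf '%s\n' "+$1" > "$PS_SYSFS/instances"
}

# Destroy the instance; a no-op when it is not configured.
ps_instance_destroy() {
    ps_instance_exists "$1" || return 0
    printf '%s\n' "-$1" > "$PS_SYSFS/instances"
}

# Set one option: refuse unknown option names (no sysfs file) and
# non-numeric values, then read the file back to confirm the value was
# accepted instead of trusting the redirect's exit status.
ps_option_set() {
    inst=$1; opt=$2; val=$3
    f="$PS_SYSFS/$inst/$opt"
    if [ ! -f "$f" ]; then
        echo "ps_option_set: no option '$opt' on instance '$inst'" >&2
        return 1
    fi
    case "$val" in
        ''|*[!0-9]*)
            echo "ps_option_set: '$val' is not a non-negative integer" >&2
            return 2 ;;
    esac
    printf '%s\n' "$val" > "$f" || return 3
    read -r back < "$f"
    if [ "$back" != "$val" ]; then
        echo "ps_option_set: wrote $val to $opt but read back '$back'" >&2
        return 4
    fi
}

# Read one counter from the "name : value" lines of <instance>/stats.
# Prints the value; returns 1 when the counter is not present.
ps_stat_get() {
    awk -v k="$2" '$1 == k { print $3; found = 1 } END { exit !found }' \
        "$PS_SYSFS/$1/stats"
}

# Apply the timeouts from the documentation's example and report how many
# incoming packets were not copied to the capture slots (capmissed).
ps_demo() {
    inst=$1
    ps_instance_create "$inst"
    ps_option_set "$inst" ack_session_timeout 30
    ps_option_set "$inst" syn_session_timeout 4
    rx=$(ps_stat_get "$inst" rx_total)
    missed=$(ps_stat_get "$inst" capmissed)
    echo "$inst: rx_total=$rx capmissed=$missed"
}

# Run the demo only when an instance name is given on the command line,
# e.g.  sh ps_instance.sh myinst  (the sysfs writes need root).
if [ $# -ge 1 ]; then
    ps_demo "$1"
fi
```

The read-back in ps_option_set matters on sysfs: a write that the kernel rejects can still leave the shell redirect looking successful in some shells, and a silently unchanged timeout is exactly the kind of misconfiguration that is hard to spot later from the stats alone.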
Debug instance
This function is only available using the CLI.
PacketShield provides an interface to retrieve all incoming packets captured on an instance.
This interface is available in the directory /sys/packetshield/<instance name>/
Entry | Description |
---|---|
raw.cap | This sysfs entry is directly readable and provides the capture in pcap format. |
$ tcpdump -r /sys/packetshield/myinst/raw.cap
reading from file raw.cap, link-type EN10MB (Ethernet)
This interface does not offer the best performance because:
A sysfs read operation is limited and cannot return more than one page (4096 bytes) at a time.
Each read operation copies all captured packets in memory.