PacketShield

Metrics

This feature is only available using the CLI.

Status and statistic counters are available through the sysfs entry /sys/packetshield/<instance name>/<context id>/stats.

Available since

The following metrics are available since HAProxy ALOHA 15.5:

  • quic_init
  • quic_0rtt
  • quic_hshak
  • quic_shrth
  • quicretry
  • drop_qnt
  • drop_q0t
  • drop_qhs
  • drop_qsh
Example:

cat /sys/packetshield/myinst/Other/stats

Output:
status : 0x0000
rx_total : 0
invalid : 0
whitelisted: 0
filtered : 0
out_related: 0
dns_resp : 0
udp_rsp : 0
syn : 0
rst : 0
ack : 0
unknown_ttl: 0
ttlfiltered: 0
established: 0
newconns : 0
unmatched : 0
syncookie : 0
drop_syn : 0
drop_rst : 0
drop_ack : 0
delivered : 0
tx_total : 0
quic_init : 0
quic_0rtt : 0
quic_hshak : 0
quic_shrth : 0
quicretry : 0
drop_qnt : 0
drop_q0t : 0
drop_qhs : 0
drop_qsh : 0

status

Current status of the context. This value is a bitfield: it is either one of the following values or a bitwise OR of several of them:

Value Description
0x0000 no protection mode currently enabled
0x0001 SYN cookie protection mode currently enabled
0x0002 unknown TTL filter protection mode currently enabled
0x0004 unmatched drop protection mode currently enabled
0x0008 surge protection mode on delivered packets is enabled

For example, the value 0x0005 means both SYN cookie and unmatched drop protections are enabled.
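The following Python script is an added example and is not part of PacketShield or its documentation. It parses the stats file format shown above, decodes the status bitfield according to the table, and compares two samples of the same context to show what a protection mode did in between (how many packets were dropped, and what share of incoming SYNs were answered with a cookie). The instance and context names, the two sets of counter values and the helper names are all constructed for illustration; only the counter names and the status bits come from this page.

```python
"""Parse PacketShield sysfs stats, decode the status bitfield and compare
two samples to see what a protection mode did between them.
Added example; not PacketShield code. Sample values below are constructed."""
from pathlib import Path

# Status bits, from the status table on this page.
STATUS_FLAGS = {
    0x0001: "SYN cookie",
    0x0002: "unknown TTL filter",
    0x0004: "unmatched drop",
    0x0008: "surge protection on delivered packets",
}

# Counters whose increase means packets were dropped rather than passed on.
DROP_COUNTERS = ("invalid", "filtered", "ttlfiltered", "drop_syn", "drop_rst",
                 "drop_ack", "drop_qnt", "drop_q0t", "drop_qhs", "drop_qsh")


def parse_stats(text: str) -> dict[str, int]:
    """Turn 'name : value' lines into a dict; status is hex, the rest decimal."""
    counters: dict[str, int] = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if not sep or not name or not value:
            continue
        counters[name] = int(value, 16) if value.lower().startswith("0x") else int(value, 10)
    return counters


def read_stats(instance: str, context: str) -> dict[str, int]:
    """Read the live counters from sysfs (only works on a PacketShield host)."""
    path = Path("/sys/packetshield") / instance / context / "stats"
    return parse_stats(path.read_text())


def decode_status(status: int) -> list[str]:
    """Expand the bitfield into the protection modes it encodes.
    Bits not in the table are reported rather than silently ignored, so a
    newer firmware adding a mode is noticed."""
    modes = [label for bit, label in STATUS_FLAGS.items() if status & bit]
    unknown = status & ~sum(STATUS_FLAGS)
    if unknown:
        modes.append(f"unknown bits 0x{unknown:04x}")
    return modes or ["no protection mode enabled"]


def counter_deltas(before: dict[str, int], after: dict[str, int]) -> dict[str, int]:
    """Per-counter increase between two samples (status is a state, not a counter)."""
    return {k: v - before.get(k, 0) for k, v in after.items() if k != "status"}


def summarize(before: dict[str, int], after: dict[str, int]) -> dict:
    """Enabled modes, packets received/dropped/delivered and the share of
    SYNs answered with a cookie, over the interval between the two samples.
    Note: while surge protection is active, 'delivered' counts drops instead."""
    d = counter_deltas(before, after)
    syn = d.get("syn", 0)
    return {
        "modes": decode_status(after.get("status", 0)),
        "rx": d.get("rx_total", 0),
        "dropped": sum(d.get(c, 0) for c in DROP_COUNTERS),
        "delivered": d.get("delivered", 0),
        "syn_cookie_share": d.get("syncookie", 0) / syn if syn else 0.0,
    }


# Constructed samples: a quiet context, then the same context during a SYN flood
# with SYN cookie (0x0001) and unmatched drop (0x0004) protection enabled.
SAMPLE_QUIET = """\
status : 0x0000
rx_total : 1000
invalid : 0
syn : 40
ack : 900
unmatched : 0
syncookie : 0
drop_syn : 0
drop_ack : 0
delivered : 990
tx_total : 950
"""

SAMPLE_FLOOD = """\
status : 0x0005
rx_total : 251000
invalid : 60
syn : 200040
ack : 50900
unmatched : 49000
syncookie : 199800
drop_syn : 140
drop_ack : 49000
delivered : 2000
tx_total : 201000
"""

if __name__ == "__main__":
    quiet, flood = parse_stats(SAMPLE_QUIET), parse_stats(SAMPLE_FLOOD)
    for name, value in summarize(quiet, flood).items():
        print(f"{name:17}: {value}")
```

On a real appliance, replace the constructed samples with two calls to read_stats() a few seconds apart; the deltas are what matter, since the raw counters only grow.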

rx_total

Counter of incoming packets on current context.

invalid

Counter of invalid (from a protocol point of view) incoming packets on current context.

Possible reasons are:

  • spoofed source address (source address equal to the destination address)
  • bad checksums
  • UDP or TCP length greater than the total IP length
  • SYN carrying data without the TCP Fast Open option
  • RST carrying data
  • invalid TCP flags combination

whitelisted

Counter of accepted incoming packets because they match one of the allowlist (whitelist) rules:

  • L4 protocol used is allowlisted
  • source address is allowlisted
  • TCP/UDP destination port is allowlisted

filtered

Counter of dropped packets because of configured policy.

Possible reasons are:

  • denylisted source IP
  • neither protected nor allowlisted TCP destination port and the packet is not related to a known session
  • UDP packet whose destination port is not allowlisted and the packet is not a response to a known DNS query

out_related

Counter of accepted incoming TCP packets related to a known outbound session.

dns_resp

Counter of accepted incoming UDP packets related to a known outbound DNS query.

udp_rsp

Counter of accepted incoming UDP packets related to a known outbound UDP packet.

syn

Counter of incoming TCP SYN packets.

rst

Counter of incoming TCP RST packets.

ack

Counter of incoming TCP ACK packets.

unknown_ttl

Counter of incoming packets with a suspect TTL.

ttlfiltered

Counter of packets dropped in order to validate their TTL (unknown TTL filter protection mode).

established

Counter of accepted incoming TCP packets related to a known session.

newconns

Counter of incoming TCP SYN packets on protected TCP ports that are not retransmissions (new connections), or incoming QUIC INIT/0-RTT packets that do not contain a token.

unmatched

Counter of incoming TCP RST and ACK packets or incoming QUIC handshake/short header packets on protected ports and not related to an established session.

syncookie

Counter of successfully generated SYN cookies.

drop_syn

Counter of SYN packets dropped because SYN cookie generation failed.

drop_rst

Counter of incoming TCP RST packets on a protected port dropped because they are not related to a known session.

drop_ack

Counter of incoming TCP ACK packets on a protected port dropped because they are not related to a known session.

delivered

Counter of packets delivered to the system stack.

When the surge protection threshold is reached (status bit 0x0008), this counter instead reports the number of packets dropped rather than delivered.

tx_total

Counter of total outgoing packets (excluding packets generated by PacketShield itself).

quic_init

Available since

  • Available since HAProxy ALOHA 15.5

Counter of incoming datagrams starting with a QUIC INIT packet on UDP protected ports.

quic_0rtt

Available since

  • Available since HAProxy ALOHA 15.5

Counter of incoming datagrams starting with a QUIC 0-RTT packet on UDP protected ports.

quic_hshak

Available since

  • Available since HAProxy ALOHA 15.5

Counter of incoming datagrams starting with a QUIC handshake packet on UDP protected ports.

quic_shrth

Available since

  • Available since HAProxy ALOHA 15.5

Counter of incoming datagrams starting with a QUIC short header packet on UDP protected ports.

quicretry

Available since

  • Available since HAProxy ALOHA 15.5

Counter of successfully generated QUIC retry packets including a token.

drop_qnt

Available since

  • Available since HAProxy ALOHA 15.5

Counter of dropped datagrams starting with a QUIC INIT packet (for example, those dropped for containing an invalid token).

drop_q0t

Available since

  • Available since HAProxy ALOHA 15.5

Counter of dropped datagrams starting with a QUIC 0-RTT packet (dropped when the new_cook protection is enabled).

drop_qhs

Available since

  • Available since HAProxy ALOHA 15.5

Counter of dropped datagrams starting with a QUIC handshake packet (dropped because they are not part of an existing session and unmatch protection is enabled).

drop_qsh

Available since

  • Available since HAProxy ALOHA 15.5

Counter of dropped datagrams starting with a QUIC short header packet (not part of an existing session and unmatch protection is enabled).
