PacketShield

Instances

An instance defines entry points (physical interfaces) in PacketShield and one or more applicable rule sets (context).

  • An instance is designated by a name.

  • Each instance owns its own session table and configuration.

Caution

The keywords instances and version are reserved and cannot be used as an instance name.

Use the sysfs entry

You manage instances using the sysfs entry /sys/packetshield/instances.

Create an instance

Using the GUI

Use the statement instances followed by the <instance name>.

  instances myinst

Using sysfs

Write +<instance name> in the sysfs entry.

  echo "+myinst" > /sys/packetshield/instances

Destroy an instance

Caution

When you destroy an instance, you also destroy all its configuration, contexts, and statistics and detach all attached network interfaces.

Using the GUI

Remove the instances line that creates it.

Using sysfs

Write -<instance name> in the sysfs entry.

  echo "-myinstance" > /sys/packetshield/instances

List the currently configured instances

This function is only available using the CLI.

Read the content of the file /sys/packetshield/instances.

  cat /sys/packetshield/instances

Output:

  myinst3
  myinst2
  myinst1

Set options

sysfs

Display an option with a read operation, and set it with a write operation, on the sysfs file for that option: /sys/packetshield/<instance name>/<option>.

  echo 30 > /sys/packetshield/myinst/ack_session_timeout
  echo 4 > /sys/packetshield/myinst/syn_session_timeout

GUI

Configure options using the scheme <instance name>/<option> <value>.

  myinst/ack_session_timeout 30
  myinst/syn_session_timeout 4

The following options are available:

Option               Default  Description
ack_session_timeout  60s      When an ACK packet arrives, the corresponding session is considered invalid if the elapsed time since the previous packet is greater than this value.
syn_session_timeout  10s      When a SYN packet arrives, the corresponding session is considered invalid if the elapsed time since the previous packet is greater than this value.
rst_session_timeout  60s      When an RST packet arrives, the corresponding session is considered invalid if the elapsed time since the previous packet is greater than this value.
dns_session_timeout  60s      When a DNS response packet arrives, the corresponding session is considered invalid if the elapsed time since the corresponding DNS request is greater than this value.
udp_session_timeout  60s      When a UDP packet arrives, the corresponding session is considered invalid if the elapsed time since the corresponding UDP outgoing packet is greater than this value.
qhs_session_timeout  10s      Available since version 15.5. When a QUIC handshake packet arrives, the corresponding session is considered invalid if the elapsed time since the previous incoming handshake packet or the last outgoing init packet is greater than this value.
qsh_session_timeout  60s      Available since version 15.5. When a QUIC short header packet arrives, the corresponding session is considered invalid if the elapsed time since the previous incoming handshake packet or short header is greater than this value.
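The sysfs operations above (create and destroy an instance, set a session timeout) wrapped in shell functions that validate their input before touching the kernel interface. This is an added example, not PacketShield's own tooling; the PS_ROOT override is an assumption made so the functions can be exercised against a scratch directory, and on a real system it keeps the documented default /sys/packetshield. The functions reject the two reserved names, refuse unknown option names, and only accept timeouts written as plain positive integers, as in the examples above.

```shell
#!/bin/sh
# Added example, not part of the PacketShield documentation: wrap the sysfs
# operations for instances and options in functions that validate input first.
# PS_ROOT is an assumed override for testing against a scratch directory;
# on a real system it stays at the documented /sys/packetshield.
PS_ROOT="${PS_ROOT:-/sys/packetshield}"

# "instances" and "version" are documented as reserved; also reject empty
# names and anything that would escape the path built below.
ps_valid_name() {
    case "$1" in
        ''|instances|version) return 1 ;;
        */*|*[[:space:]]*) return 1 ;;
    esac
    return 0
}

# The instances file lists one configured instance name per line.
ps_instance_exists() {
    grep -qx -- "$1" "$PS_ROOT/instances" 2>/dev/null
}

ps_create_instance() {   # usage: ps_create_instance <instance>
    ps_valid_name "$1" || { echo "refusing invalid or reserved name: '$1'" >&2; return 1; }
    echo "+$1" > "$PS_ROOT/instances"
}

# Destroying an instance drops its configuration, contexts and statistics and
# detaches its interfaces, so check that the name really exists first.
ps_destroy_instance() {   # usage: ps_destroy_instance <instance>
    ps_valid_name "$1" || return 1
    ps_instance_exists "$1" || { echo "no such instance: $1" >&2; return 1; }
    echo "-$1" > "$PS_ROOT/instances"
}

# The examples write timeouts as plain integers; refuse units or zero.
ps_valid_timeout() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -gt 0 ]
}

# Only the options from the table are accepted, so a typo cannot create a
# stray write to an unexpected sysfs path.
ps_set_timeout() {   # usage: ps_set_timeout <instance> <option> <seconds>
    ps_valid_name "$1" || return 1
    case "$2" in
        ack_session_timeout|syn_session_timeout|rst_session_timeout|dns_session_timeout|udp_session_timeout|qhs_session_timeout|qsh_session_timeout) ;;
        *) echo "unknown option: $2" >&2; return 1 ;;
    esac
    ps_valid_timeout "$3" || { echo "timeout must be a positive integer in seconds: '$3'" >&2; return 1; }
    echo "$3" > "$PS_ROOT/$1/$2"
}

ps_get_timeout() {   # usage: ps_get_timeout <instance> <option>
    cat "$PS_ROOT/$1/$2"
}

# The documented sequence, run only on request because it writes to sysfs.
if [ "${PS_DEMO:-0}" = 1 ]; then
    ps_create_instance myinst
    ps_set_timeout myinst ack_session_timeout 30
    ps_set_timeout myinst syn_session_timeout 4
    cat "$PS_ROOT/instances"
fi
```

Source the file and call the functions as root, or run it with PS_DEMO=1 to reproduce the create and set-option steps above end to end.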

Get instance statistics

This function is only available using the CLI.

You can get an instance's statistics counters using the sysfs entry /sys/packetshield/<instance name>/stats.

  cat /sys/packetshield/myinst/stats

Output:

  rx_total : 56741
  capmissed : 56502
  tx_total : 11329

Statistic  Description
rx_total   total incoming packets on the current instance
tx_total   total outgoing packets on the current instance (except packets generated by PacketShield itself, such as SYN cookies)
capmissed  incoming packets not copied to the debugging capture slots

Info

During a capture dump, if the capmissed statistic continues to rise, the capture reader is not reading fast enough and some packets are not captured because the slots are full.
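A small monitor for the condition described in the note: it reads the stats entry twice and reports whether capmissed rose between the samples. This is an added example, not PacketShield's own tooling; the stats parser follows the "name : value" form shown in the output above, the PS_ROOT override is an assumption made for offline testing, and the sample counters in the test are constructed.

```shell
#!/bin/sh
# Added example, not PacketShield's own tooling: sample the stats counters of
# an instance twice and report whether capmissed keeps rising, which the note
# above identifies as a capture reader that cannot keep up with the slots.
# PS_ROOT is an assumed override for testing; the documented path is
# /sys/packetshield.
PS_ROOT="${PS_ROOT:-/sys/packetshield}"

# Pull one counter out of stats text in the documented "name : value" form.
ps_stat_value() {   # usage: ps_stat_value "<stats text>" <counter>
    printf '%s\n' "$1" | awk -F: -v key="$2" '
        { gsub(/[ \t]/, "", $1); gsub(/[ \t]/, "", $2) }
        $1 == key { print $2; exit }'
}

ps_read_stats() {   # usage: ps_read_stats <instance>
    cat "$PS_ROOT/$1/stats"
}

# Print the capmissed delta between two samples. Return 0 only when the
# counter rose, 1 when it did not, 2 when either sample lacks the counter.
ps_capmissed_rose() {   # usage: ps_capmissed_rose "<sample1>" "<sample2>"
    before=$(ps_stat_value "$1" capmissed)
    after=$(ps_stat_value "$2" capmissed)
    if [ -z "$before" ] || [ -z "$after" ]; then
        return 2
    fi
    echo $((after - before))
    [ "$after" -gt "$before" ]
}

# Sample an instance twice, <interval> seconds apart (default 1), and say
# whether packets are being dropped from the capture slots.
ps_check_capture_loss() {   # usage: ps_check_capture_loss <instance> [interval]
    interval="${2:-1}"
    s1=$(ps_read_stats "$1") || return 2
    sleep "$interval"
    s2=$(ps_read_stats "$1") || return 2
    if delta=$(ps_capmissed_rose "$s1" "$s2"); then
        echo "$1: capmissed rose by $delta in ${interval}s; the capture reader is too slow"
        return 0
    elif [ -z "$delta" ]; then
        echo "$1: no capmissed counter in stats output" >&2
        return 2
    fi
    echo "$1: capmissed did not rise (delta $delta) over ${interval}s"
    return 1
}

# Run the check only on request, since it reads the live sysfs entry.
if [ "${PS_DEMO:-0}" = 1 ]; then
    ps_check_capture_loss myinst 5
fi
```

Run it with PS_DEMO=1 while a tcpdump on raw.cap is in progress; a zero exit status means the reader is losing packets and the dump cannot be trusted to be complete.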

Debug instance

This function is only available using the CLI.

PacketShield provides interfaces to retrieve all incoming packets captured on an instance.

These interfaces are available in the directory /sys/packetshield/<instance name>/.

Info

PacketShield uses a limited number of recycled memory slots to capture packets. If the reader is not fast enough, all slots are used and some packets will not be captured.

Interfaces:

  • raw.cap
    • This sysfs entry is directly readable and provides the capture in pcap format. This interface provides limited performance because a sysfs read operation cannot return more than one page (4096 bytes). Also, each read operation induces a memory copy of all captured packets.
    • Example:

        tcpdump -r /sys/packetshield/myinst/raw.cap

      Output:

        reading from file raw.cap, link-type EN10MB (Ethernet)

  • capture.map
    • A read operation on this sysfs entry returns, as a 4-byte value, the size of the captured packets available in a memory slot. An mmap on the same file descriptor using this size provides direct access (via pointer) to a full slot. This interface provides superior performance compared to the raw.cap interface.
