PacketShield
Instances
An instance defines entry points (physical interfaces) in PacketShield and one or more applicable rule sets (context).
- An instance is designated by a name.
- Each instance owns its own session table and configuration.
Caution
The keywords instances and version are reserved and cannot be used as an instance name.
Info
After making changes using the GUI, make the changes persist after a reboot by going to the Setup tab and clicking Save within the Configuration section. After making changes using the CLI, execute config save to persist the changes.
Use sysfs entry
You manage instances using the sysfs entry /sys/packetshield/instances.
Create an instance
Using the GUI
Use the statement instances followed by the <instance name>.

```text
instances myinst
```
Using sysfs
Write +<instance name> in the sysfs entry.

```sh
echo "+myinst" > /sys/packetshield/instances
```
Destroy an instance
Caution
When you destroy an instance, you also destroy all its configuration, contexts, and statistics and detach all attached network interfaces.
Using the GUI
Remove the instances line that creates it.
Using sysfs
Write -<instance name> in the sysfs entry.

```sh
echo "-myinstance" > /sys/packetshield/instances
```
List a currently configured instance
This function is only available using the CLI.
Read the content of the file /sys/packetshield/instances.

```sh
cat /sys/packetshield/instances
```

Output:

```text
myinst3
myinst2
myinst1
```
Set options
sysfs
Display and set options using read and write operations, respectively, on the sysfs files present in the directory /sys/packetshield/<instance name>/<option>.

```sh
echo 30 > /sys/packetshield/myinst/ack_session_timeout
echo 4 > /sys/packetshield/myinst/syn_session_timeout
```

GUI
Configure options using the following scheme:

```text
myinst/ack_session_timeout 30
myinst/syn_session_timeout 4
```
The following options are available:

Option | Default | Description |
---|---|---|
ack_session_timeout | 60s | When an ACK packet arrives, the corresponding session is considered invalid if the elapsed time since the previous packet is greater than this value. |
syn_session_timeout | 10s | When a SYN packet arrives, the corresponding session is considered invalid if the elapsed time since the previous packet is greater than this value. |
rst_session_timeout | 60s | When an RST packet arrives, the corresponding session is considered invalid if the elapsed time since the previous packet is greater than this value. |
dns_session_timeout | 60s | When a DNS response packet arrives, the corresponding session is considered invalid if the elapsed time since the corresponding DNS request is greater than this value. |
udp_session_timeout | 60s | When a UDP packet arrives, the corresponding session is considered invalid if the elapsed time since the corresponding UDP outgoing packet is greater than this value. |
qhs_session_timeout | 10s | Available since version 15.5. When a QUIC handshake packet arrives, the corresponding session is considered invalid if the elapsed time since the previous incoming handshake packet or the last outgoing init packet is greater than this value. |
qsh_session_timeout | 60s | Available since version 15.5. When a QUIC short header packet arrives, the corresponding session is considered invalid if the elapsed time since the previous incoming handshake packet or short header is greater than this value. |
Get instance statistics
This function is only available using the CLI.
You can get an instance's statistics counters using the sysfs entry /sys/packetshield/<instance name>/stats.

```sh
cat /sys/packetshield/myinst/stats
```

Output:

```text
rx_total : 56741
capmissed : 56502
tx_total : 11329
```
Statistic | Description |
---|---|
rx_total | total incoming packets on current instance |
tx_total | total outgoing packets on current instance (except packets generated by PacketShield like SYN cookies) |
capmissed | incoming packets not copied to debugging capture slots |
Info
During a capture dump, if the capmissed statistic continues to rise, it means that the capture reader does not read fast enough and some packets are not captured because the slots are full.
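The option writes and the statistics read described above can be wrapped in a few shell helpers that validate input before touching sysfs and that turn the capmissed note into a repeatable check. The block below is an added example, not part of the PacketShield documentation or product: it assumes that /sys/packetshield/instances lists one instance name per line, that the stats file uses the `name : value` layout shown above, and that option values are written as bare integers as in the echo examples. PS_ROOT is an assumed environment variable that makes the sysfs root overridable so the helpers can be exercised against a scratch directory.

```sh
#!/bin/sh
# Added example (not PacketShield's own code). Helpers around the sysfs
# entries documented on this page. PS_ROOT is an assumption: it defaults to
# the documented root and can be pointed at a scratch directory for testing.
PS_ROOT="${PS_ROOT:-/sys/packetshield}"

# Option names taken from the option table. Anything else is rejected before a
# write is attempted, so a typo never creates or hits an unintended file.
PS_TIMEOUT_OPTIONS="ack_session_timeout syn_session_timeout rst_session_timeout dns_session_timeout udp_session_timeout qhs_session_timeout qsh_session_timeout"

# ps_instance_exists NAME
# Exit 0 if NAME appears as a whole line in $PS_ROOT/instances
# (assumption: one instance name per line).
ps_instance_exists() {
    grep -qxF -- "$1" "$PS_ROOT/instances" 2>/dev/null
}

# ps_set_timeout INSTANCE OPTION SECONDS
# Writes SECONDS to $PS_ROOT/INSTANCE/OPTION after checking that OPTION is a
# documented timeout, SECONDS is a non-negative integer and INSTANCE exists.
ps_set_timeout() {
    inst=$1; opt=$2; val=$3
    case " $PS_TIMEOUT_OPTIONS " in
        *" $opt "*) ;;
        *) echo "ps_set_timeout: unknown option '$opt'" >&2; return 2 ;;
    esac
    case $val in
        ''|*[!0-9]*) echo "ps_set_timeout: value must be a non-negative integer" >&2; return 2 ;;
    esac
    ps_instance_exists "$inst" || { echo "ps_set_timeout: no instance '$inst'" >&2; return 1; }
    echo "$val" > "$PS_ROOT/$inst/$opt"
}

# ps_stat INSTANCE COUNTER
# Prints the value of COUNTER from $PS_ROOT/INSTANCE/stats, whose lines look
# like "rx_total : 56741". Exit 1 if the counter is not present.
ps_stat() {
    awk -v key="$2" '$1 == key { print $3; found = 1 } END { exit found ? 0 : 1 }' "$PS_ROOT/$1/stats"
}

# ps_capmissed_rose INSTANCE PREVIOUS
# Exit 0 if the current capmissed counter is greater than PREVIOUS.
ps_capmissed_rose() {
    now=$(ps_stat "$1" capmissed) || return 2
    [ "$now" -gt "$2" ]
}

# ps_capture_reader_check INSTANCE SECONDS
# Samples capmissed, waits SECONDS, samples again. A rising counter means the
# capture reader is not draining the slots fast enough (see the Info note).
ps_capture_reader_check() {
    prev=$(ps_stat "$1" capmissed) || return 2
    sleep "$2"
    if ps_capmissed_rose "$1" "$prev"; then
        echo "capmissed rose during ${2}s on '$1': capture reader too slow, slots are filling up" >&2
        return 1
    fi
    return 0
}
```

Run the check while a capture dump is in progress, for example `ps_capture_reader_check myinst 5`; a non-zero exit tells you that packets are being dropped from the capture slots and the reader needs to be sped up, which is exactly the condition the Info note above describes.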
Debug instance
This function is only available using the CLI.
PacketShield provides interfaces to retrieve all incoming packets captured on an instance. These interfaces are available in the directory /sys/packetshield/<instance name>/.
Info
PacketShield uses a limited number of recycled memory slots to capture packets. If the reader is not fast enough, all slots are used and some packets will not be captured.
Interfaces:
raw.cap
- This sysfs entry is directly readable and provides the capture in pcap format. This interface provides limited performance because a sysfs read operation cannot return more than one page (4096 bytes). Also, each read operation induces a memory copy of all packets captured.
- Example:

```sh
tcpdump -r /sys/packetshield/myinst/raw.cap
```

Output:

```text
reading from file raw.cap, link-type EN10MB (Ethernet)
```

capture.map
- A read operation on this sysfs entry returns the size of the captured packets available in a memory slot (4 bytes). An mmap on the same file descriptor using this size provides direct access (via pointer) to a full slot. This interface provides superior performance compared to the raw.cap interface.