PacketShield
Metrics
This page applies to:
- HAProxy ALOHA - all versions
This feature is only available using the CLI.
Status and statistic counters are available through the sysfs entry /sys/packetshield/<instance name>/<context id>/stats.
```shell
cat /sys/packetshield/myinst/Other/stats
```

```text
status     : 0x0000
rx_total   : 0
invalid    : 0
whitelisted: 0
filtered   : 0
out_related: 0
dns_resp   : 0
udp_rsp    : 0
syn        : 0
rst        : 0
ack        : 0
unknown_ttl: 0
ttlfiltered: 0
established: 0
newconns   : 0
unmatched  : 0
syncookie  : 0
drop_syn   : 0
drop_rst   : 0
drop_ack   : 0
delivered  : 0
tx_total   : 0
quic_init  : 0
quic_0rtt  : 0
quic_hshak : 0
quic_shrth : 0
quicretry  : 0
drop_qnt   : 0
drop_q0t   : 0
drop_qhs   : 0
drop_qsh   : 0
```
status
Current status of the context. This value is a bitfield: it is either one of the following values or a bitwise combination of them.

Value | Description
---|---
0x0000 | no protection mode currently enabled
0x0001 | SYN cookie protection mode currently enabled
0x0002 | unknown TTL filter protection mode currently enabled
0x0004 | unmatched drop protection mode currently enabled
0x0008 | surge protection mode on delivered packets is enabled

For example, the value 0x0005 means both SYN cookie and unmatched drop protections are enabled.
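The following script is an added example and is not part of the HAProxy ALOHA documentation or product. It parses the text of the stats sysfs entry into integer counters, decodes the status bitfield using the bit values documented above, and derives one health indicator from the documented meaning of the syncookie and drop_syn counters. The sample dump is constructed (field names and layout follow the page, the non-zero values are invented) and has its line breaks removed on purpose, so the parser also copes with a dump that was copy-pasted without them.

```python
"""Parse a PacketShield stats dump and decode the status bitfield.

Added example, not part of the HAProxy ALOHA documentation or product.
Input is the text produced by
    cat /sys/packetshield/<instance name>/<context id>/stats
or, when no path is given, the constructed sample below.
"""
import re
import sys

# Bit values of the status word and their meaning, as documented on this page.
STATUS_BITS = {
    0x0001: "SYN cookie protection",
    0x0002: "unknown TTL filter protection",
    0x0004: "unmatched drop protection",
    0x0008: "surge protection on delivered packets",
}

# Constructed sample dump: field names and layout follow the page, the
# non-zero counter values are invented for this example. Line breaks are
# deliberately missing, as in a copy-pasted dump, to show the parser copes.
SAMPLE_STATS = (
    "status     : 0x0005rx_total   : 12000invalid    : 3whitelisted: 40"
    "filtered   : 25out_related: 0dns_resp   : 7udp_rsp    : 0"
    "syn        : 9000rst        : 12ack        : 2000unknown_ttl: 0"
    "ttlfiltered: 0established: 1800newconns   : 8500unmatched  : 15"
    "syncookie  : 8490drop_syn   : 10drop_rst   : 12drop_ack   : 3"
    "delivered  : 10300tx_total   : 9800quic_init  : 0quic_0rtt  : 0"
    "quic_hshak : 0quic_shrth : 0quicretry  : 0drop_qnt   : 0"
    "drop_q0t   : 0drop_qhs   : 0drop_qsh   : 0"
)

# One field: a name, optional padding, a colon, then either the 4-hex-digit
# status word (the only hex field) or a decimal counter. Matching exactly
# four hex digits stops the hex alternative from swallowing a following
# field name that starts with a-f when the newline between them is missing.
_FIELD_RE = re.compile(r"([A-Za-z0-9_]+)\s*:\s*(0x[0-9A-Fa-f]{4}|\d+)")


def parse_stats(text):
    """Return {field_name: int} for every 'name : value' pair in a dump."""
    stats = {}
    for name, value in _FIELD_RE.findall(text):
        stats[name] = int(value, 16) if value.startswith("0x") else int(value)
    return stats


def decode_status(status):
    """List the protection modes encoded in the status bitfield."""
    if status == 0:
        return ["no protection mode currently enabled"]
    enabled = [desc for bit, desc in STATUS_BITS.items() if status & bit]
    unknown = status & ~sum(STATUS_BITS)
    if unknown:
        enabled.append("undocumented bits 0x%04x" % unknown)
    return enabled


def syn_cookie_failure_ratio(stats):
    """Share of SYN cookie attempts that failed.

    Derived here from the documented meaning of 'syncookie' (cookies
    generated) and 'drop_syn' (SYNs dropped because generation failed);
    PacketShield itself exposes no such ratio.
    """
    attempts = stats["syncookie"] + stats["drop_syn"]
    return stats["drop_syn"] / attempts if attempts else 0.0


def summarize(text):
    """Parse a dump and return the fields an operator checks first."""
    stats = parse_stats(text)
    return {
        "protections": decode_status(stats["status"]),
        "rx_total": stats["rx_total"],
        "delivered": stats["delivered"],
        "policy_drops": stats["filtered"],
        "syn_cookie_failure_ratio": syn_cookie_failure_ratio(stats),
    }


if __name__ == "__main__":
    # Pass the sysfs path as the first argument on an ALOHA appliance;
    # without it the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_STATS
    for key, value in summarize(text).items():
        print("%-25s %s" % (key, value))
```

Run it as `python3 ps_stats.py /sys/packetshield/myinst/Other/stats` on the appliance, or without an argument to see it decode the constructed sample (status 0x0005 is reported as SYN cookie plus unmatched drop protection).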
rx_total
Counter of incoming packets on the current context.
invalid
Counter of incoming packets on the current context that are invalid from a protocol point of view.
Possible reasons are:
- spoofed source address (same source and destination)
- bad checksums
- UDP or TCP length greater than the total IP length
- SYN contains data without the TCP fast open option
- RST contains data
- invalid TCP flags combination
whitelisted
Counter of accepted incoming packets because they match one of the allowlist (whitelist) rules:
- L4 protocol used is allowlisted
- source address is allowlisted
- TCP/UDP destination port is allowlisted
filtered
Counter of dropped packets because of configured policy.
Possible reasons are:
- denylisted source IP
- neither protected nor allowlisted TCP destination port and the packet is not related to a known session
- UDP packet whose destination port is not allowlisted and the packet is not a response to a known DNS query
out_related
Counter of accepted incoming TCP packets related to a known outbound session.
dns_rsp
Counter of accepted incoming UDP packets related to a known outbound DNS query.
udp_rsp
Counter of accepted incoming UDP packets related to a known outbound UDP packet.
syn
Counter of incoming TCP SYN packets.
rst
Counter of incoming TCP RST packets.
ack
Counter of incoming TCP ACK packets.
unknown_ttl
Counter of incoming packets with a suspect TTL.
ttlfiltered
Counter of packets dropped in order to validate TTLs.
established
Counter of accepted incoming TCP packets related to a known session.
newconns
Counter of incoming TCP SYN packets on protected TCP ports which are not TCP retransmits (new connections), or incoming QUIC INIT/0-RTT packets which do not contain a token.
unmatched
Counter of incoming TCP RST and ACK packets, or incoming QUIC handshake/short header packets, on protected ports that are not related to an established session.
syncookie
Counter of successfully generated SYN cookies.
drop_syn
Counter of SYN packets dropped because generation of the SYN cookie failed.
drop_rst
Counter of incoming TCP RST packets on protected ports dropped because they are not related to a known session.
drop_ack
Counter of incoming TCP ACK packets on protected ports dropped because they are not related to a known session.
delivered
Counter of packets delivered to the system stack.
When surge protection mode is reached, this counter instead reports the number of packets that were dropped rather than delivered.
total_tx
Counter of total outgoing packets (except generated ones).
quic_init
This section applies to:
- HAProxy ALOHA 15.5 and newer
Counter of incoming datagrams starting with a QUIC INIT packet on UDP protected ports.
quic_0rtt
This section applies to:
- HAProxy ALOHA 15.5 and newer
Counter of incoming datagrams starting with a QUIC 0-RTT packet on UDP protected ports.
quic_hshak
This section applies to:
- HAProxy ALOHA 15.5 and newer
Counter of incoming datagrams starting with a QUIC handshake packet on UDP protected ports.
quic_shrth
This section applies to:
- HAProxy ALOHA 15.5 and newer
Counter of incoming datagrams starting with a QUIC short header packet on UDP protected ports.
quicretry
This section applies to:
- HAProxy ALOHA 15.5 and newer
Counter of successfully generated QUIC retry packets including a token.
drop_qnt
This section applies to:
- HAProxy ALOHA 15.5 and newer
Counter of dropped datagrams starting with a QUIC INIT packet (for example, those dropped for containing an invalid token).
drop_q0t
This section applies to:
- HAProxy ALOHA 15.5 and newer
Counter of dropped datagrams starting with a QUIC 0-RTT packet (dropped if new_cook protection is toggled).
drop_qhs
This section applies to:
- HAProxy ALOHA 15.5 and newer
Counter of dropped datagrams starting with a QUIC handshake packet (dropped because they are not part of an existing session and unmatch protection is enabled).
drop_qsh
This section applies to:
- HAProxy ALOHA 15.5 and newer
Counter of dropped datagrams starting with a QUIC short header packet (not part of an existing session and unmatch protection is enabled).