HAProxy ALOHA Documentation 12.5

Metrics

This feature is only available using the CLI.

Status and statistic counters are available through the sysfs entry /sys/packetshield/<instance name>/<context id>/stats.

$ cat /sys/packetshield/myinst/Other/stats
status     : 0x0000
rx_total   : 0
invalid    : 0
whitelisted: 0
filtered   : 0
out_related: 0
dns_resp   : 0
syn        : 0
rst        : 0
ack        : 0
unknown_ttl: 0
ttlfiltered: 0
established: 0
newconns   : 0
unmatched  : 0
syncookie  : 0
drop_syn   : 0
drop_rst   : 0
drop_ack   : 0
delivered  : 0
tx_total   : 0

status

current status of the context. This value is a bitfield; it can be one of, or any combination of, the following values:

0x0000

no protection mode currently enabled

0x0001

SYN cookie protection mode currently enabled

0x0002

unknown TTL filter protection mode currently enabled

0x0004

unmatched drop protection mode currently enabled

0x0008

surge protection mode on delivered packets is enabled

The value 0x0005 means both SYN cookie and unmatched drop protections are enabled.

rx_total

counter of incoming packets on current context

invalid

counter of invalid (from a protocol point of view) incoming packets on current context

Possible reasons are:

  • spoofed source address (source and destination addresses are the same)

  • bad checksums

  • UDP or TCP length greater than the total IP length

  • SYN contains data without the TCP Fast Open option

  • RST contains data

  • invalid TCP flag combination

whitelisted

counter of accepted incoming packets because they match one of the allowlist (whitelist) rules:

  • L4 protocol used is allowlisted

  • source address is allowlisted

  • TCP/UDP destination port is allowlisted

filtered

counter of dropped packets because of configured policy

Possible reasons are:

  • denylisted source IP

  • neither protected nor allowlisted TCP destination port and the packet is not related to a known session

  • UDP packet whose destination port is not allowlisted and the packet is not a response to a known DNS query

out_related

counter of accepted incoming TCP packets related to a known outbound session

dns_resp

counter of accepted incoming UDP packets related to a known outbound DNS query

syn

counter of incoming TCP SYN packets

rst

counter of incoming TCP RST packets

ack

counter of incoming TCP ACK packets

unknown_ttl

counter of incoming packets with a suspect TTL

ttlfiltered

counter of dropped packets in order to validate TTLs

established

counter of accepted incoming TCP packets related to a known session

newconns

counter of incoming TCP SYN packets on protected TCP ports which are not TCP retransmits (new connections)

unmatched

counter of incoming TCP RST and ACK packets on protected ports and not related to an established session

syncookie

counter of successfully generated SYN cookies

drop_syn

counter of dropped SYN packets because generation of SYN cookies failed

drop_rst

counter of dropped incoming TCP RST packets on protected ports which are not related to a known session

drop_ack

counter of dropped incoming TCP ACK packets on protected ports which are not related to a known session

delivered

counter of packets delivered to the system stack.

If surge protection mode is active, this counter instead reports the number of packets dropped rather than delivered.

tx_total

counter of total outgoing packets (except generated ones)
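A small reader for this stats file, added here as an example; it is not part of the ALOHA documentation or product. The sample contents are constructed, and the function names (parse_stats, decode_status, delivered_summary) are chosen for the example. It decodes the status bitfield and applies the surge-protection caveat on the delivered counter.

```python
import re

# Bits of the "status" field, as documented on this page.
STATUS_BITS = {
    0x0001: "SYN cookie",
    0x0002: "unknown TTL filter",
    0x0004: "unmatched drop",
    0x0008: "surge protection on delivered packets",
}
SURGE_BIT = 0x0008

# Constructed sample of a stats file (not captured from a real appliance).
SAMPLE_STATS = """\
status     : 0x0005
rx_total   : 1200
invalid    : 3
newconns   : 250
syncookie  : 250
drop_syn   : 2
drop_ack   : 25
delivered  : 900
tx_total   : 950
"""

LINE_RE = re.compile(r"^\s*(\w+)\s*:\s*(0x[0-9a-fA-F]+|\d+)\s*$")

def parse_stats(text):
    """Map each 'name : value' line to an int; status is hex, counters are decimal."""
    stats = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            value = m.group(2)
            stats[m.group(1)] = int(value, 16) if value.startswith("0x") else int(value)
    return stats

def decode_status(status):
    """Names of the protection modes whose bit is set in the status bitfield."""
    return [name for bit, name in STATUS_BITS.items() if status & bit]

def delivered_summary(stats):
    """'delivered' counts drops instead of deliveries while surge protection is active."""
    label = "dropped_by_surge" if stats["status"] & SURGE_BIT else "delivered"
    return {label: stats["delivered"]}

if __name__ == "__main__":
    s = parse_stats(SAMPLE_STATS)  # on an appliance: open('/sys/packetshield/<inst>/<ctx>/stats').read()
    print("active protections:", decode_status(s["status"]) or ["none"])
    print(delivered_summary(s))
```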
