HAProxy ALOHA Documentation 11.5

Metrics

This feature is only available using the CLI.

Status and statistic counters are available through the sysfs entry /sys/packetshield/<instance name>/<context id>/stats.

$ cat /sys/packetshield/myinst/Other/stats
status     : 0x0000
rx_total   : 0
invalid    : 0
whitelisted: 0
filtered   : 0
out_related: 0
dns_resp   : 0
syn        : 0
rst        : 0
ack        : 0
unknown_ttl: 0
ttlfiltered: 0
established: 0
newconns   : 0
unmatched  : 0
syncookie  : 0
drop_syn   : 0
drop_rst   : 0
drop_ack   : 0
delivered  : 0
tx_total   : 0

status

current status of the context This value is a bitfield. It can be one or a combination of the different following values:

0x0000

no protection mode currently enabled

0x0001

syncookie protection mode currently enabled

0x0002

unknown ttl filter protection mode currently enabled

0x0004

unmatched drop protection mode currently enabled

0x0008

surge protection mode on delivered packets is enabled

The value 0x0005 means both syncookie and unmatched drop protections are enabled.

rx_total

counter of incoming packets on current context

invalid

counter of invalid (from a protocol point of view) incoming packets on current context

Possible reasons are:

  • spoofed source address (same source and dest)

  • bad checksums

  • UDP or TCP len greater that total IP len

  • SYN contains data without tcp fast open option.

  • RST contains data

  • Invalid TCP flags combination

whitelisted

counter of accepted incoming packets because they match one of the whitelist rule:

  • L4 protocol used is whitelisted

  • source address is whitelisted

  • TCP/UDP destination port is whitelisted

filtered

counter of dropped packets because of configured policy.

Possible reasons are:

  • blacklisted source IP

  • neither protected nor whitelisted TCP destination port and the packet is not related to a known session

  • UDP packet whose destination port is not whitelisted and the packet is not a response to a known DNS query

out_related

counter of accepted incoming TCP packets related to a known outbound session

dns_rsp

counter of accepted incoming UDP packets related to a known outbound DNS query

syn

counter of incoming TCP SYN packets

rst

counter of incoming TCP RST packets

ack

counter of incoming TCP ACK packets

unknown_ttl

counter of incoming packets with a suspect TTL

ttlfiltered

counter of dropped packets in order to validate TTLs

established

counter of accepted incoming TCP packets related to a known session

newconns

counter of incoming TCP SYN packets on protected TCP ports which are not TCP retransmit (new connections)

unmatched

counter of incoming TCP RST and ACK packets on protected ports and not related to a established session

syncookie

counter of successfully generated syncookies

drop_syn

counter of dropped SYN packets because generation of syncookie failed

drop_rst

counter of dropped incoming TCP RST packets on protected port because not related to a known session

drop_ack

counter of dropped incoming TCP ACK packets on protected port because not related to a known session

delivered

counter of packets delivered to system stack.

If surge protect mode is reached the counter presents the number of packets dropped instead of being delivered.

total_tx

counter of total outgoing packets (except generated ones)


Next up

Network Interfaces