Instances
An instance defines entry points (physical interfaces) in PacketShield and one or more applicable rule sets (context). An instance is designated by a name. Each instance owns its own session table and configuration.
Use sysfs entry
You manage instances using the sysfs entry /sys/packetshield/instances.
Create an instance
Using the GUI
Use the statement instances followed by the <instance name>.
instances myinst
Using sysfs
Write +<instance name> in the sysfs entry.
$ echo "+myinst" > /sys/packetshield/instances
Destroy an instance
Using the GUI
Remove the instances line that creates it.
Using sysfs
Write -<instance name> in the sysfs entry.
$ echo "-myinstance" > /sys/packetshield/instances
List currently configured instances
This function is only available using the CLI.
Read the content of the file /sys/packetshield/instances.
$ cat /sys/packetshield/instances
myinst3
myinst2
myinst1
Set options
sysfs
Display and set options using read and write operations respectively on the sysfs files present in the directory /sys/packetshield/<instance name>/<option>.
$ echo 30 > /sys/packetshield/myinst/ack_session_timeout
$ echo 4 > /sys/packetshield/myinst/syn_session_timeout
GUI
Configure options using the following scheme: <instance name>/<option> followed by the desired parameter value.
myinst/ack_session_timeout 30
myinst/syn_session_timeout 4
The following options are available (option names missing from the source are left blank):
Option | Default | Description
---|---|---
ack_session_timeout | 60 s | When an ACK packet arrives, the corresponding session is considered invalid if the elapsed time since the previous packet is greater than this value
syn_session_timeout | 10 s | When a SYN packet arrives, the corresponding session is considered invalid if the elapsed time since the previous packet is greater than this value
 | 60 s | When an RST packet arrives, the corresponding session is considered invalid if the elapsed time since the previous packet is greater than this value
 | 60 s | When a DNS response packet arrives, the corresponding session is considered invalid if the elapsed time since the corresponding DNS request is greater than this value
 | 60 s | When a UDP packet arrives, the corresponding session is considered invalid if the elapsed time since the corresponding UDP outgoing packet is greater than this value
 | 10 s | When a QUIC handshake packet arrives, the corresponding session is considered invalid if the elapsed time since the previous incoming handshake packet or the last outgoing init packet is greater than this value
 | 60 s | When a QUIC short header packet arrives, the corresponding session is considered invalid if the elapsed time since the previous incoming handshake packet or short header is greater than this value
Get instance statistics
This function is only available using the CLI.
You can read an instance's statistics counters from the sysfs entry /sys/packetshield/<instance name>/stats.
$ cat /sys/packetshield/myinst/stats
rx_total : 56741
capmissed : 56502
tx_total : 11329
Counter | Description
---|---
rx_total | total incoming packets on current instance
tx_total | total outgoing packets on current instance (except packets generated by PacketShield like SYN cookies)
capmissed | incoming packets not copied to debugging capture slots
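The instance creation, option setting and statistics reading described above can be scripted against the same sysfs paths. The following is an added example, not PacketShield's own tooling; the root directory is a parameter so it can be pointed at a test tree, and only the two option names that appear on this page are accepted.

```python
"""Helpers for the /sys/packetshield instance interface (added example)."""
import os
import re

SYSFS_ROOT = "/sys/packetshield"  # assumption: overridable for test trees
# Only the option names that appear on this page are accepted.
KNOWN_OPTIONS = {"ack_session_timeout", "syn_session_timeout"}
# Output of `cat /sys/packetshield/myinst/stats` as shown on the page.
SAMPLE_STATS = "rx_total : 56741\ncapmissed : 56502\ntx_total : 11329\n"


def valid_instance_name(name):
    """Instance names are used as path components, so restrict them."""
    return re.fullmatch(r"[A-Za-z0-9_]+", name) is not None


def list_instances(root=SYSFS_ROOT):
    """Read the instances entry and return the configured names."""
    with open(os.path.join(root, "instances")) as f:
        return [line.strip() for line in f if line.strip()]


def create_instance(name, root=SYSFS_ROOT):
    """Write +<name> to the instances entry; skip names already listed."""
    if not valid_instance_name(name):
        raise ValueError(f"bad instance name: {name!r}")
    if name in list_instances(root):
        return False
    with open(os.path.join(root, "instances"), "w") as f:
        f.write(f"+{name}")
    return True


def set_timeout(name, option, seconds, root=SYSFS_ROOT):
    """Write a session timeout (seconds) to <root>/<name>/<option>."""
    if not valid_instance_name(name):
        raise ValueError(f"bad instance name: {name!r}")
    if option not in KNOWN_OPTIONS:
        raise ValueError(f"unknown option: {option!r}")
    if not isinstance(seconds, int) or seconds <= 0:
        raise ValueError("timeout must be a positive integer in seconds")
    with open(os.path.join(root, name, option), "w") as f:
        f.write(str(seconds))


def parse_stats(text):
    """Turn 'counter : value' lines from the stats entry into a dict."""
    stats = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            stats[key.strip()] = int(value.strip())
    return stats


def capture_miss_ratio(stats):
    """Share of incoming packets not copied to debugging capture slots."""
    rx = stats.get("rx_total", 0)
    return stats.get("capmissed", 0) / rx if rx else 0.0
```

A capture miss ratio close to 1 on a loaded instance is expected, since the sysfs capture slots are a debugging aid rather than a full mirror.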
Debug instance
This function is only available using the CLI.
PacketShield provides interfaces to retrieve all incoming packets captured on an instance. These interfaces are available in the directory /sys/packetshield/<instance name>/ (entry names missing from the source are left blank):
Entry | Description
---|---
 | This sysfs entry is directly readable and provides the capture in pcap format. This interface provides limited performance because a sysfs read operation cannot return more than one page size (4096 bytes). Also, a read operation induces a memory copy of all packets captured.
 | A read operation on this sysfs entry returns the size of the captured packets available in a memory slot (4 bytes). An mmap on the same file descriptor using this size provides direct access (via pointer) to a full slot. This interface provides superior performance compared to the