HAProxy ALOHA Documentation 15.5

Metrics

This feature is only available using the CLI.

Status and statistic counters are available through the sysfs entry /sys/packetshield/<instance name>/<context id>/stats.

$ cat /sys/packetshield/myinst/Other/stats
status     : 0x0000
rx_total   : 0
invalid    : 0
whitelisted: 0
filtered   : 0
out_related: 0
dns_resp   : 0
udp_rsp    : 0
syn        : 0
rst        : 0
ack        : 0
unknown_ttl: 0
ttlfiltered: 0
established: 0
newconns   : 0
unmatched  : 0
syncookie  : 0
drop_syn   : 0
drop_rst   : 0
drop_ack   : 0
delivered  : 0
tx_total   : 0
quic_init  : 0
quic_0rtt  : 0
quic_hshak : 0
quic_shrth : 0
quicretry  : 0
drop_qnt   : 0
drop_q0t   : 0
drop_qhs   : 0
drop_qsh   : 0

status

current status of the context. This value is a bitfield: it can be one of the following values, or a combination of them:

0x0000

no protection mode currently enabled

0x0001

SYN cookie protection mode currently enabled

0x0002

unknown TTL filter protection mode currently enabled

0x0004

unmatched drop protection mode currently enabled

0x0008

surge protection mode on delivered packets is enabled

The value 0x0005 means both SYN cookie and unmatched drop protections are enabled.

rx_total

counter of incoming packets on current context

invalid

counter of invalid (from a protocol point of view) incoming packets on current context

Possible reasons are:

  • spoofed source address (same source and dest)

  • bad checksums

  • UDP or TCP length greater than total IP length

  • SYN contains data without the TCP Fast Open option

  • RST contains data

  • Invalid TCP flags combination

whitelisted

counter of accepted incoming packets because they match one of the allowlist (whitelist) rules:

  • L4 protocol used is allowlisted

  • source address is allowlisted

  • TCP/UDP destination port is allowlisted

filtered

counter of dropped packets because of configured policy

Possible reasons are:

  • denylisted source IP

  • TCP destination port that is neither protected nor allowlisted, and the packet is not related to a known session

  • UDP packet whose destination port is not allowlisted and the packet is not a response to a known DNS query

out_related

counter of accepted incoming TCP packets related to a known outbound session

dns_rsp

counter of accepted incoming UDP packets related to a known outbound DNS query

udp_rsp

counter of accepted incoming UDP packets related to a known outbound UDP packet

syn

counter of incoming TCP SYN packets

rst

counter of incoming TCP RST packets

ack

counter of incoming TCP ACK packets

unknown_ttl

counter of incoming packets with a suspect TTL

ttlfiltered

counter of packets dropped in order to validate TTLs

established

counter of accepted incoming TCP packets related to a known session

newconns

counter of incoming TCP SYN packets on protected TCP ports which are not TCP retransmit (new connections) or incoming QUIC INIT/0-RTT packets which do not contain a token

unmatched

counter of incoming TCP RST and ACK packets or incoming QUIC handshake/short header packets on protected ports and not related to an established session

syncookie

counter of successfully generated SYN cookies

drop_syn

counter of dropped SYN packets because generation of SYN cookies failed

drop_rst

counter of dropped incoming TCP RST packets on protected port because not related to a known session

drop_ack

counter of dropped incoming TCP ACK packets on protected port because not related to a known session

delivered

counter of packets delivered to system stack.

When surge protection mode is active, this counter shows the number of packets dropped instead of being delivered.

total_tx

counter of total outgoing packets (except generated ones)

quic_init

Counter of incoming datagrams starting with a QUIC INIT packet on UDP protected ports.

quic_0rtt

Counter of incoming datagrams starting with a QUIC 0-RTT packet on UDP protected ports.

quic_hshak

Counter of incoming datagrams starting with a QUIC handshake packet on UDP protected ports.

quic_shrth

Counter of incoming datagrams starting with a QUIC short header packet on UDP protected ports.

quicretry

Counter of successfully generated QUIC retry packets including a token.

drop_qnt

Counter of dropped datagrams starting with a QUIC INIT packet (for example, those dropped for containing an invalid token).

drop_q0t

Counter of dropped datagrams starting with a QUIC 0-RTT packet (dropped if new_cook protection is toggled).

drop_qhs

Counter of dropped datagrams starting with a QUIC handshake packet (dropped because they are not part of an existing session and unmatch protection is enabled).

drop_qsh

Counter of dropped datagrams starting with a QUIC short header packet (not part of an existing session and unmatch protection is enabled).
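As an added example (not part of the ALOHA documentation or product), the following Python script parses a captured copy of a stats entry, decodes the status bitfield into the enabled protection modes, and sums the counters documented above as dropped packets; the SAMPLE text is constructed for illustration, and the field names and bit values are the ones listed on this page.

```python
import re

# Bits of the "status" field, as documented for a PacketShield context.
STATUS_BITS = {
    0x0001: "SYN cookie",
    0x0002: "unknown TTL filter",
    0x0004: "unmatched drop",
    0x0008: "surge protection on delivered packets",
}

# Counters this page describes as dropped packets.
DROP_COUNTERS = ("filtered", "ttlfiltered", "drop_syn", "drop_rst", "drop_ack",
                 "drop_qnt", "drop_q0t", "drop_qhs", "drop_qsh")

# Constructed sample of /sys/packetshield/<instance>/<context>/stats output.
SAMPLE = """\
status     : 0x0005
rx_total   : 1200
invalid    : 3
filtered   : 40
ttlfiltered: 0
syn        : 300
syncookie  : 250
drop_syn   : 5
drop_rst   : 10
drop_ack   : 20
delivered  : 900
drop_qnt   : 2
"""

def parse_stats(text):
    """Parse 'name : value' lines into a dict; hex values (status) and
    decimal counters are both accepted. Unparseable lines are skipped."""
    stats = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s*:\s*(0x[0-9a-fA-F]+|\d+)\s*$", line)
        if m:
            value = m.group(2)
            stats[m.group(1)] = int(value, 16) if value.startswith("0x") else int(value)
    return stats

def decode_status(status):
    """Return the protection modes whose bit is set in the status bitfield."""
    return [name for bit, name in STATUS_BITS.items() if status & bit]

def total_dropped(stats):
    """Sum the documented drop counters. When the surge bit (0x0008) is set,
    'delivered' counts packets dropped instead of delivered, so add it too."""
    dropped = sum(stats.get(k, 0) for k in DROP_COUNTERS)
    if stats.get("status", 0) & 0x0008:
        dropped += stats.get("delivered", 0)
    return dropped

if __name__ == "__main__":
    s = parse_stats(SAMPLE)
    print("enabled:", decode_status(s["status"]))  # SYN cookie + unmatched drop
    print("dropped:", total_dropped(s))
```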
