#!/bin/sh
#
# OpenBSD's pf(4) monitoring for FreeBSD
# 2007, Gergely Czuczy <phoemix@harmless.hu>
#
# Privileges:
#   Needs to run as root.
#   Add "user root" for the [pf] into plugins.conf.
#
# Options:
#   - env.do_searches yes: to enable state table search monitoring
#
# History:
#   0.1 - initial release:
#         - state table usage
#         - search rate
#         - match rate
#         - state mismatch rate
#         - blocked packets
#         - monitoring of labelled rules
#
#   0.2 - feature improvements:
#         - Labelled rules for packet count
#         - OpenBSD compatibility
#         - Warning and critical on state table
#
#   0.3 - feature improvements:
#         - Aggregate rules with the same label
#
#   0.4 - feature changes:
#         - State searches are optional; they can shrink the others.
#         - Labelled targets are marked with a leading L
#
#
#%# family=auto
#%# capabilities=autoconf

# pfctl is always called through this absolute path.
pfctl=/sbin/pfctl

# The plugin runs as root, so the helper tools (awk, grep, uname, ...) are
# looked up in a fixed list of system directories instead of whatever search
# path the calling environment happened to provide.
PATH=/bin:/sbin:/usr/bin:/usr/sbin
export PATH
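# Succeeds only when `pfctl -si` reports "Status: Enabled".
# An empty answer (pfctl missing, not permitted to run, or pf unavailable)
# counts as "not enabled". The comparison is quoted on purpose: an unquoted
# empty command substitution inside [ ... ] is a syntax error, which makes the
# surrounding `if` skip its body and lets autoconf fall through to "yes".
pf_is_enabled() {
    [ "$("${pfctl}" -si 2>/dev/null | awk '/^Status:/{print $2}')" = "Enabled" ]
}

# Munin entry points other than the default fetch:
#   config   - print the graph and field definitions, then exit 0
#   autoconf - print "yes" (exit 0) or "no (reason)" (exit 1)
#   suggest  - nothing to suggest, exit 0
# Any other argument (or none) falls through to the value output below.
case "$1" in
config)
    echo "graph_title OpenBSD pf statistics"
    echo "graph_vlabel Entries per second"
    echo "graph_scale no"
    echo "graph_category network"
    echo "graph_args -l 0"
    echo "graph_info OpenBSD's pf usage statistics"
    echo "states.label States"
    echo "states.type GAUGE"
    # Warning and critical thresholds at 90% and 95% of the fourth column of
    # the "states" line printed by `pfctl -sm`.
    "${pfctl}" -sm 2>/dev/null |
        awk '/states/ {print "states.warning "$4*0.9; print "states.critical "$4*0.95}'
    if [ "${do_searches:-}" = "yes" ]; then
        echo "searches.label Searches"
        echo "searches.min 0"
        echo "searches.type DERIVE"
    fi
    echo "matches.label Matches"
    echo "matches.min 0"
    echo "matches.type DERIVE"
    echo "mismatches.label State mismatches"
    echo "mismatches.min 0"
    echo "mismatches.type DERIVE"
    echo "blocks.label Blocked packets"
    echo "blocks.type DERIVE"
    echo "blocks.min 0"
    # One field per line of `pfctl -sl`. The label is every column except the
    # last three; the field name is the label with each character outside
    # [A-Za-z0-9] replaced by "_", so label text never ends up in a field name
    # unfiltered.
    "${pfctl}" -sl 2>/dev/null | awk '{
        l="";
        for (i=1; i<NF-2; i=i+1) l=l" "$i;
        sub(/^ /, "", l);
        f=l;
        gsub(/[^a-z0-9A-Z]/, "_", f);
        print f".label L: "l;
        print f".type DERIVE"
        print f".min 0"}'
    exit 0
    ;;

autoconf)
    ostype=$(uname -s)
    case "${ostype}" in
    FreeBSD)
        # pf(4) module loaded? kldstat(8) is FreeBSD's kernel linker tool, so
        # the check belongs here; run on an OS without kldstat it always
        # counted zero matches and reported pf as not loaded.
        if ! kldstat -v 2>/dev/null | grep -q pf; then
            echo "no (pf(4) is not loaded)"
            exit 1
        fi
        ;;
    NetBSD|OpenBSD)
        # No module check; the enabled check below is sufficient.
        ;;
    *)
        echo "no (this plugin is not supported on your OS)"
        exit 1
        ;;
    esac
    # enabled?
    if ! pf_is_enabled; then
        echo "no (pf(4) is not enabled, consult pfctl(8))"
        exit 1
    fi
    echo "yes"
    exit 0
    ;;

suggest)
    exit 0
    ;;
esac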
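#
# Default action (fetch): print the current value of every field.
#

# Global counters from `pfctl -si`. do_searches is handed to awk with -v
# instead of being spliced into the program text, so whatever the plugin
# environment holds is compared as data and can never become awk code
# (this script runs as root).
"${pfctl}" -si 2>/dev/null | awk -v do_searches="${do_searches:-}" '
    /current entries/ { print "states.value", $3 }
    /searches/        { if (do_searches == "yes") print "searches.value", $2 }
    $1 ~ /^match$/    { print "matches.value", $2 }
    /state-mismatch/  { print "mismatches.value", $2 }'

# Blocked packets: for every rule line starting with "block", take the line
# that follows it (grep -A 1) and add up the fifth column of the lines that
# begin with "[".
"${pfctl}" -vsr 2>/dev/null | grep -A 1 '^block' |
    awk 'BEGIN {sum=0} /^[ \t]*\[/ {sum=sum+$5} END {print "blocks.value",sum}'

# the labeled ones
# Rules sharing a label are summed into one field. Field names are built the
# same way as in "config": the label is every column except the last three,
# with characters outside [A-Za-z0-9] replaced by "_".
# NOTE(review): after the loop i equals NF-2 whenever NF >= 3, so $(NF-i+2)
# is always the fourth column regardless of how many words the label has;
# confirm against the local `pfctl -sl` output that this is the intended
# counter.
"${pfctl}" -sl 2>/dev/null | awk '
    BEGIN {
        total=0
    }
    {
        l="";
        for (i=1; i<NF-2; i=i+1) l=l" "$i;
        sub(/^ /, "", l);
        f=l;
        gsub(/[^a-z0-9A-Z]/, "_", f);
        total=total+1;
        fields[f]=fields[f]+$(NF-i+2);
    }
    END {
        if ( total == 0 ) exit 0;
        for ( k in fields ) print k".value "fields[k]
    }'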