IPA_IP6FW(8)                                                      IPA_IP6FW(8)

NAME
     ipa_ip6fw -- IPA accounting module for FreeBSD IPv6 Firewall

DESCRIPTION
     ipa_ip6fw is an IPA accounting module with the following features:

     -   The module is designed for traffic accounting from the byte
         counters of FreeBSD IPv6 Firewall rules;

     -   The module understands overflow of IPv6 Firewall rules' byte
         counters;

     -   It is possible to summarize and subtract statistics of IPv6
         Firewall rules' byte counters;

     -   It is possible to distinguish IPv6 Firewall rules with the same
         numbers;

     -   IPv6 Firewall rules can be dynamically added to and deleted from
         the system; the module works correctly in such situations.

     Before reading the next paragraph you should read the IPv6 Firewall
     documentation for information on how to set up IPv6 Firewall rules
     for traffic accounting.

     The name of the accounting system is ip6fw.

CONFIGURATION FILE FORMAT
     Configuration for the module is integrated into ipa.conf(5).  The
     configuration prefix of this module is ``ip6fw''.

     To get traffic statistics of some IPv6 Firewall rule use the
     ip6fw:rules parameter:

           ip6fw:rules = [-]number[.subnumber];

     This parameter should be placed in the rule section.  There is only
     one rule number in the original format of an IPv6 Firewall rule.  An
     extra subnumber can be added to distinguish rules with the same
     number: the first rule with some number has a subnumber equal to 0,
     the second rule with the same number has a subnumber equal to 1, and
     so on.  If a subnumber is omitted, then it is treated as 0.  A
     subnumber in an IPv6 Firewall rule is something new and is not
     mentioned in the ip6fw(8) manual page.

     The `-' sign can be placed before an IPv6 Firewall rule number; in
     this case the module will subtract the statistics of this rule.
     Several IPv6 Firewall rules, separated by spaces, can be used in the
     ip6fw:rules parameter, and their statistics will be added or
     subtracted according to the signs before the rules' numbers.
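     The following is an added example (not code from ipa_ip6fw itself)
     of how an ip6fw:rules value such as ``100 -200 300.0 300.1'' can be
     parsed and resolved against a rule table: the subnumber selects the
     n-th rule with that number in table order, a leading `-' subtracts,
     and a rule missing from the table contributes nothing.  The struct
     layouts and the 64-bit counter width are assumptions of the example.

```c
#include <stdint.h>
#include <stdlib.h>
/* Kernel-table view of an IPv6 Firewall rule (64-bit counter assumed). */
struct fw_rule { unsigned num; uint64_t bcnt; };
/* One entry of an ip6fw:rules parameter: sign, number and subnumber. */
struct acct_rule { int sign; unsigned num; unsigned sub; };

/* Parse "100 -200 300.0 300.1" into acct_rule entries; returns the count.
 * A missing subnumber is 0; a leading '-' marks the rule for subtraction. */
int parse_rules(const char *spec, struct acct_rule *out, int max)
{
    const char *p = spec;
    char *end;
    int n = 0;
    while (n < max) {
        while (*p == ' ') p++;
        if (*p == '\0') break;
        out[n].sign = 1;
        if (*p == '-') { out[n].sign = -1; p++; }
        out[n].num = (unsigned)strtoul(p, &end, 10);
        if (end == p) break;                 /* not a number: stop parsing */
        out[n].sub = 0;
        if (*end == '.') out[n].sub = (unsigned)strtoul(end + 1, &end, 10);
        p = end;
        n++;
    }
    return n;
}

/* Find rule number/subnumber (the subnumber is its position among table
 * entries with the same number). Returns 0 if absent, else 1 with *bcnt set. */
int lookup_bcnt(const struct fw_rule *tbl, int ntbl,
                unsigned num, unsigned sub, uint64_t *bcnt)
{
    unsigned seen = 0;
    for (int i = 0; i < ntbl; i++)
        if (tbl[i].num == num && seen++ == sub) { *bcnt = tbl[i].bcnt; return 1; }
    return 0;
}

/* Signed total of the selected counters; absent rules contribute 0. */
int64_t account(const struct acct_rule *ar, int nar,
                const struct fw_rule *tbl, int ntbl)
{
    int64_t total = 0;
    uint64_t b;
    for (int i = 0; i < nar; i++)
        if (lookup_bcnt(tbl, ntbl, ar[i].num, ar[i].sub, &b))
            total += ar[i].sign * (int64_t)b;
    return total;
}
```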
     The ip6fw:maxchunk parameter allows IPv6 Firewall rules to be safely
     flushed, or the same rules to be deleted and added again, while
     ipa(8) is running:

           ip6fw:maxchunk = <bytes>;

     This parameter should be used in global and rule sections.  If the
     old value of a byte counter of some IPv6 Firewall rule is greater
     than its current value, and if the difference (including overflow)
     between them is greater than the value of the ip6fw:maxchunk
     parameter, then the module takes the absolute value of the byte
     counter as the current chunk of statistics for this rule.  Too small
     a value of the ip6fw:maxchunk parameter can lead to wrong results.
     Its value should be greater than the difference of the byte counters
     of any IPv6 Firewall rule used in an ipa.conf(5) rule during the
     update time interval.

     It would be better to check some variables of the IPv6 Firewall
     kernel structures and determine whether some IPv6 Firewall rule has
     been changed.  But there are no such variables in the IPv6 Firewall
     kernel structures (at the moment when this manual page was being
     written), so it is necessary to use the ip6fw:maxchunk parameter.

     The module always sends log messages when some IPv6 Firewall rule
     overflowed or probably was changed (this is checked with the help of
     the ip6fw:maxchunk parameter) and when some IPv6 Firewall rule is
     added to or deleted from the IPv6 Firewall kernel table.  It is
     possible to suppress these warning messages using the ip6fw:quiet
     parameter:

           ip6fw:quiet = <value>;

     This parameter can be placed in global and rule sections.  The
     default value of this parameter is equal to zero; this means that all
     warning messages are sent to the log.  If its value has the 0x1 bit
     on, then no log message is sent when a byte counter of some IPv6
     Firewall rule overflows.  If its value has the 0x2 bit on, then no
     log message is sent when some IPv6 Firewall rule is added or deleted.

     The ip6fw:debug parameter helps to debug the module:

           ip6fw:debug = <level>;

     This parameter should not be placed in any section.
     Only two values are allowed for the debug level: 0 and 1.  The
     default value of this parameter is 0, and debugging is disabled.

     Example:

           ac_mod "ipa_ip6fw.so";

           global {
                   /* ... */
                   ac_list = ip6fw;
                   ip6fw:quiet = 3;
                   ip6fw:maxchunk = 1G;
           }

           rule 1 {
                   /* ... */
                   ip6fw:rules = 100 200.1 300;
           }

           rule 2 {
                   /* ... */
                   ip6fw:rules = 100 -200 300.0 300.1;
                   ip6fw:maxchunk = 500M;
           }

     The first rule inherits the ip6fw:maxchunk parameter from the global
     section; both rules inherit the ip6fw:quiet parameter from the global
     section.

SEE ALSO
     ip6fw(8)

COMPATIBILITY
     IPv6 Firewall first appeared in FreeBSD 4.0-RELEASE and it was
     removed from FreeBSD 7.0 (>= 700017).  This module should work on any
     version of FreeBSD that has IPv6 Firewall.

AUTHOR
     Andrey Simonenko <simon@comsys.ntu-kpi.kiev.ua>

BUGS
     If you use a FreeBSD system prior to 4.2-RELEASE, then the ipa_ip6fw
     module will work only if you have no more than 1024 rules in the IPv6
     Firewall table; on such systems ip6fw(8) is also not able to output
     the whole IPv6 Firewall rules table if it has more than 1024 rules.

     Due to the imperfect interface between userland and the IPv6 Firewall
     part of the kernel, the ipa_ip6fw module will not work correctly if
     IPv6 Firewall is not enabled in the kernel.

     If you install a new FreeBSD kernel with a new IPv6 Firewall API,
     then it is necessary to rebuild this module.

     If you find any bug, please send me email.

                                January 4, 2008                  IPA_IP6FW(8)