Contributed by mbalmer on from the know-your-pf-rules dept.
Finally I had enough time to work on pftop to make a new release. It is available from the pftop homepage and already committed to the ports tree.
I had intended this one to be a bugfix release. In fact, I had such a release candidate running for a long time, waiting for me to pack it up and release it. The only 'feature' was to be the HFSC display on the queue page, contributed a long time ago by Jared Spiegel.
However, I am using rulesets a lot in my pf configurations and the lack of ruleset display in pftop has always bothered me. At the last minute, I decided to give it a try. In order to keep it simple, I decided to recursively process the rulesets and ignore the anchor statements. Well, it worked better than I expected; I had to add an 'anchor' column next to the rule number. While there, I made the anchor and label columns dynamically resize themselves. Wow.
Ok, time to release. After uploading the release tarball and updating the homepage, I have also updated the port and sent a diff to ports@ for review. It was a bit surprising to notice that it was almost 5:00 AM. When I woke up, I already had a couple of ok's for the port. So the port is committed and all is ready to go.
Have fun.
By Anonymous Coward (81.57.42.108) on
By the way, why wasn't this tool accepted (was it even proposed) for inclusion in the OpenBSD tree? Are there hidden caveats?
By Simon K. (84.57.68.59) on
By Anonymous Coward (65.198.20.164) on
I don't see why this isn't in OpenBSD base. It's a great program. Are there technical issues or any other reason as to why it's not in base?
By em (195.212.29.187) on
By Brad (216.138.195.228) brad at comstyle dot com on
By Anonymous Coward (142.166.105.158) on
By Can E. Acar (81.215.23.66) on
Whether pftop is in base or not is really not that important. It is a small package that you can add to your system in no time. Since pfctl provides all the status information that pftop shows, it cannot be considered essential.
Technically, since pftop queries the kernel every couple of seconds, you might see some extra load or performance problems on busy firewalls (i.e. lots and lots of states) when running pftop.
From the security point of view, since no set[ug]id bit is involved and all the input comes from the pf structures in kernel, it would be very very hard to use pftop for breaking into a system. On the other hand, leaving pftop running on a root console/terminal is probably a mistake :)
I try my best to code cleanly and carefully, but I am sure it still has some bugs and problems. The code is out there, so please check it out and let me know if you find any.
By Anonymous Coward (158.38.68.154) on
By ExY (85.100.18.3) on
Very useful for us to view realtime statistics of pf.
Great job.
By Matty (24.98.83.96) on http://daemons.net/~matty
Thanks,
- Ryan