OpenBSD Journal

[Ask OBSDJ] PF dynamic accounting

Contributed by Dengue on from the who-used-my-bandwidth dept.

David Delavennat writes : "Hi OpenBSD users, i am testing for some days a way to do some dynamic customer accounting with pf. I did not find a way to dynamically manage rules ala "pfctl -add $rule", then account that rule, then "pfctl -remove $rule". There are tables that permit to add entry dynamically but pass out on $ext from to label "$srcaddr:$dstaddr" have labels that remain to "any:any". Using "pfctl -sl -f /etc/pf.conf" permit to alter the rules set. Nevertheless pfctl switch statement reload the rules set, then show all labeled rules ie show only zeroed labeled rules.

Is there someone else that succed with or is interrested by such things?"

A quick google on my part turned up little on dynamic persistent per-(user|customer) accounting. The most promising is SASacct: . What are other ISP users doing to account customer use via pf?

(Comments are closed)

  1. By Anonymous Coward () on

    We're currently using a horible kludge that involves running three pflogd processes (one for each subnet), cycling the log files every 5 minutes, using tcpstat to pull usage for each user's ip from the old log files and then deleting the raw log files. This whole process is extremely inefficent and loses some data when the log files are cycled.

    There seems to be a complete lack of non-interactive utilities which do accounting based on ip and not based on interface. *Please* corrrect me (in great detail) if im incorrect... :)

    1. By David Delavennat () on

      Think it would be extremely more efficient and easy to extend the way pf tables work to have label dynamicaly added to the label-list. In fact i think you modify more frequently user acces than services provided, but that way is generic.
      here is a sample:
      table { $bankip }
      pass in from to label "$srcaddr:$dstaddr"
      When adding a customer "$newcustomer_ip" in the customers table, that would launch the label
      "$newcustomer_ip:$bankip" counters. Removing that ip from the table would permit to get the counters before removing the "label".

      /david aka Next

    2. By george () on http://localhost.

      You could find ipaudit of some assistance.

    3. By Anonymous Coward () on

      Gosh you're lamerz! Pcap is just that simple! It took me a hour to do a simple packet capture from scratch. Building such a nonsense as the above is making one's hairs move...

    4. By MoRpHinE () on

      I started work about a year ago on a Credit-based Accounting Firewall. The idea was to use IPF to selectively allow authenticated users through the firewall, logging their usage in real-time, and disconnecting them when they had used all their credit. To make things even more fun - I also wanted to support subnetwork based charge zones.

      Anyway, I had my design pretty much nutted out and some "slooow" alpha code (using the userland IPF packet authentication ioctl) when I put in a project proposal to my University. That day however, I also got hired by the national telco(!) so the project basically stopped in its tracks.

      Now I seem to be getting a little spare time, I want to get working on the idea again. As much as I loved IPF, it looks like PF is going to be more actively developed, hence I re-designing from the ground up.

      Has anyone had a play around with modifying the authpf shell? My initial thoughts, looking at the source, would be to extend it to somehow retrieve real-time packet info on the rules it creates so it could perform charging calculations.

      A kludgy way would be to incorporate a libpcap type processmonitor. Or maybe it might be worth adding accounting to table based authpf specified rules (rather than just on the interfaces)? Either way, if anyone has looked at doing this, drop me a line - I'm up for some brainstorming :)

  2. By Anonymous Coward () on for example makes some pretty good start on OpenBSD too.

  3. By not Sir Edmund () on

    This is a handy program that migh tdo what you want.
    I use it to track ip traffic to/from a set up subnets that are not local that I graph with mrtg. Takes a little shell scripting and cron to get what I want.

    but the general featur of the program is bytes per ip address for a certain time. Sounds like just what you need.

    No problems installing on OpenBSD 3.2, I use it on a port on a cisco switch that monitors the 10Meg link going to the internet.

    What I wish it had, or something else had was the same thing for tcp/udp port for a certain time. Then you could look and see who was running the forbidden p2p file sharing, no matter what port was in use.

    1. By David Delavennat () on

      In fact the problem is less to graph stats per-IP in a static environment than to easily manipulate single rule on the fly. a simple "pfctl -sl -vv;pfctl -f /etc/pf.conf;pfctl -sl -vv" let me get some stats (not exact counters values). What i am looking for right now is using something like authpf that could authenticate a user with radius+ldap, mount his rules, log his stats, then unload his rules. ie modify if needed the way that pf works to read access rules counters after unloading them and before destroying them in order to have exact rules counters values.

      /david aka Next

    2. By Dmitry Mikheev () on

      'm using OpenBSD host as routerbilling mashine in my
      condo lan for 2 years.
      Now i have bunch of scripts for simple traffic accounting, using IPFM as source. It doesn't use any RDBMS, has many limitations, such as one-ip-per-user, it's cron-nish, it has file blocking problems - but it's in heavy use in several lans nearby, so it seems to be usable and lightweight (486, 586 - Ok) pf-based solution.
      I was useing this on OBSD 3.0, now on 3.2 after hdd gone into pieces.
      I adopted it to use "pfctl -k" recently, but i don't use more advanced things.
      look at to catch idea, but i must say - it's quite ugly.

  4. By Thomas () on

    Personally I'm looking for a way to account how much bandwidth UID consumes. I have a far amount of shell users running their own processes, and it would be wonderful to be able to find out how much bandwidth each individual user consumes.

    Any suggestions would be deeply appreciated.

  5. By Matt () on

    What does Henning do? He runs an ISP and there are few who know PF as well as he does, so I imagine he has had to deal with this in the past.

    1. By Matt () on

      Found a post where Henning and Cedric give their wisdom:

      Here is another one I stumbled across that lists several options:

      Search misc, there are quite a few posts about this topic. I learned a few things in the few minutes it took me to read through the posts.

    2. By Matt () on

      Found a post where Henning and Cedric give their wisdom:

      Here is another one I stumbled across that lists several options:

      Search misc, there are quite a few posts about this topic. I learned a few things in the few minutes it took me to read through the posts.

    3. By Henning () on

      well, I just use one rule per "local" IP, i. e. from our subnet, and a label on that that is basically $srcaddr:$srcport:$dstaddr:$dstport. then I parse pfctl -sl -z output hourly and write that into an accounting database, including mapping to customers to be billed. end of month that is just aggregated and the billing magic begins.

Latest Articles


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]