Munin contributed plugins

#!/bin/sh

#

# OpenBSD's pf(4) monitoring for FreeBSD

# 2007, Gergely Czuczy <phoemix@harmless.hu>

#

# Needs to run as root.

# Add "user root" for the [pf] into plugins.conf.

#

# Options:

#  - env.do_searches yes: to enable state table search monitoring`

#

# 0.1 - initial release:

# - state table usage

# - search rate

# - match rate

# - state mismatch rate

# - blocked packets

# - monitoring of labelled rules

#

# 0.2 - feature improvements:

#  - Labelled rules for packet count

#  - OpenBSD compatibility

#  - Warning and critical on state table

#

# 0.3 - feature improvements:

#  - Aggregate rules with the same label

#

# 0.4 - feature changes:

#  - State searches are optional. it can shrink others.

#  - Labelled targets are marked with a leading L

#

#

#%# family=auto

#%# capabilities=autoconf

pfctl='/sbin/pfctl'

case $1 in

    config)

    cat <<EOF

graph_title OpenBSD pf statistics

graph_vlabel Entries per second

graph_scale no

graph_category network

graph_args -l 0

graph_info OpenBSD's pf usage statistics

states.label States

states.type GAUGE

EOF

${pfctl} -sm 2> /dev/null | awk '

/states/ {print "states.warning "$4*0.9; print "states.critical "$4*0.95}

'

if [ "x${do_searches}" = "xyes" ]; then

    cat <<EOF

searches.label Searches

searches.min 0

searches.type DERIVE

EOF

fi

    cat <<EOF

matches.label Matches

matches.min 0

matches.type DERIVE

mismatches.label State mismatches

mismatches.min 0

mismatches.type DERIVE

blocks.label Blocked packets

blocks.type DERIVE

blocks.min 0

EOF

pfctl -sl | awk '

{

 l="";

 for (i=1; i<NF-2; i=i+1) l=l" "$i;

 sub(/^ /, "", l);

 f=l;

 gsub(/[^a-z0-9A-Z]/, "_", f);

 print f".label L: "l;

 print f".type DERIVE"

 print f".min 0"}'

    exit 0

    ;;

    autoconf)

	# FreeBSD

	ostype=`uname -s`

	if [ ${ostype} = "FreeBSD" ]; then

	    # enabled?

	    if [ `pfctl -si 2>/dev/null | awk '/^Status:/{print $2}'` != "Enabled" ]; then

		echo "no (pf(4) is not enabled, consult pfctl(8)"

		exit 1

	    fi

	# OpenBSD

	elif [ ${ostype} = "OpenBSD" ]; then

	    # pf(4) module loaded?

	    if [ `kldstat -v | grep pf | wc -l` -eq 0 ]; then

		echo "no (pf(4) is not loaded)"

		exit 1

	    fi

            # enabled?

	    if [ `pfctl -si 2>/dev/null | awk '/^Status:/{print $2}'` != "Enabled" ]; then

		echo "no (pf(4) is not enabled, consult pfctl(8)"

		exit 1

	    fi

	# Other OSes

	else

	    echo "no (this plugin is not supported on your OS)"

	    exit 1

	fi

	echo "yes"

	exit 0

	;;

    suggest)

	exit 0;

	;;

esac

#

${pfctl} -si 2>/dev/null | awk '

/current entries/{print "states.value",$3}

/searches/{if ( "'${do_searches}'" == "yes" ) print "searches.value",$2}

$1~/^match$/{print "matches.value",$2}

/state-mismatch/{print "mismatches.value",$2}'

${pfctl} -vsr 2> /dev/null| grep -A 1 ^block | awk 'BEGIN {sum=0}/^[ \t]*\[/{sum=sum+$5} END {print "blocks.value",sum}'

# the labeled ones

pfctl -sl | awk '

BEGIN {

 total=0

}

{

 l="";

 for (i=1; i<NF-2; i=i+1) l=l" "$i;

 sub(/^ /, "", l);

 f=l;

 gsub(/[^a-z0-9A-Z]/, "_", f);

 total=total+1;

 fields[f]=fields[f]+$(NF-i+2);

}

END {

 if ( total == 0 ) exit 0;

 for ( k in fields ) print k".value "fields[k]

}'