Implement pf, /dev/pf, pfstat, pfctl stats (Packet Filter) #2853

Open
zyxep opened this issue Nov 20, 2023 · 2 comments
zyxep commented Nov 20, 2023

Host operating system: output of uname -a

OPNsense 23.7.8_1-amd64
FreeBSD 13.2-RELEASE-p5

node_exporter version: output of node_exporter --version

# node_exporter --version
node_exporter, version  (branch: , revision: unknown)
  build user:
  build date:
  go version:       go1.20.8
  platform:         freebsd/amd64
  tags:             unknown

But version: 1.6.1

node_exporter command line flags

/usr/local/bin/node_exporter --web.listen-address=0.0.0.0:9100 --collector.textfile.directory=/var/tmp/node_exporter --collector.devstat

It would be really nice to have packet filter stats built into the exporter. There exists a pf_exporter which could, with some modification, work under FreeBSD as well, since it would require go-freebsd/pf

Telegraf already produces metrics for this, but they "cheat" by executing pfstat & pfctl

These stats are especially nice for those of us who run a firewall on FreeBSD/OpenBSD.

jpds (Contributor) commented Nov 23, 2023

pf_exporter already has a PR for FreeBSD support at: mischief/pf_exporter#5

iptables was rejected at #637 as it'd need too many privileges to be given to node_exporter.

zyxep (Author) commented Nov 24, 2023

I'm curious, why can't that PR at pf_exporter be ported into node_exporter?

My use case is that I have X amount of OPNsense machines and it's kinda closed off regarding installing an app outside of their plugin manager (they do use BSD ports).
So having both node_exporter installed and configured with an exposed port, plus running pf_exporter with an exposed port, makes it annoying when I need to scrape.
Because then I need X * Y in my job on Prometheus, each run on its own, so how would I know if the metrics are consistent when I visualize them in e.g. Grafana?

If I should run pf_exporter, then I would fork the repo, merge that PR into my own, and then convert it from HTTP to just write the metrics into text files so that the textfile collector will collect them, but then I need to run that program all the time as well.

Another thing: it doesn't seem to be very much alive, so I would also see that as a positive thing to get into node_exporter.

Last thing, I agree about iptables with #637; it makes no sense with those privileges.
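
The textfile-collector route described in the comment above, as an added example that is not part of the thread and not code from node_exporter or pf_exporter: a separate job runs `pfctl -s info` and writes the totals into the `--collector.textfile.directory` given in the issue, so node_exporter itself needs no access to `/dev/pf`. The output layout in `SAMPLE`, the `node_pf_stat` metric name and the `pf.prom` file name are assumptions.

```python
"""Export `pfctl -s info` totals via the textfile collector (added example)."""
import os
import re
import subprocess
import tempfile

# Constructed sample of `pfctl -s info` output (layout is an assumption).
SAMPLE = """\
Status: Enabled for 3 days 04:05:06           Debug: Urgent

State Table                          Total             Rate
  current entries                      142
  searches                         9876543           35.7/s
Counters
  match                              50123            0.2/s
  state-mismatch                        17            0.0/s
"""

SECTIONS = {"State Table": "state_table", "Counters": "counters"}
# Indented lowercase name, integer total, optional rate column (ignored).
ROW = re.compile(r"^\s+([a-z][a-z -]*?)\s+(\d+)(?:\s+\S+/s)?\s*$")

def parse(text):
    """Return [(section, name, total)]; sections not in SECTIONS are skipped."""
    rows, section = [], None
    for line in text.splitlines():
        if line and not line[0].isspace():
            section = SECTIONS.get(re.split(r"\s{2,}", line)[0])
        elif section and (m := ROW.match(line)):
            rows.append((section, m.group(1), int(m.group(2))))
    return rows

def render(rows):
    """Prometheus text format; the metric and label names are hypothetical."""
    out = ["# TYPE node_pf_stat untyped"]
    out += [f'node_pf_stat{{section="{s}",name="{n}"}} {v}' for s, n, v in rows]
    return "\n".join(out) + "\n"

def write_atomic(text, directory, name="pf.prom"):
    """Temp file + rename, so the collector never reads a half-written file."""
    fd, tmp = tempfile.mkstemp(dir=directory, suffix=".tmp")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(tmp, 0o644)  # readable by the unprivileged node_exporter user
    os.replace(tmp, os.path.join(directory, name))

if __name__ == "__main__":
    # Run as a user that may open /dev/pf (e.g. root's cron), not as node_exporter.
    info = subprocess.check_output(["pfctl", "-s", "info"], text=True)
    write_atomic(render(parse(info)), "/var/tmp/node_exporter")
```

Only the scheduled job needs to read `/dev/pf`; the exporter process reads a world-readable `.prom` file and keeps its existing privileges.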
