From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4bjgry6fGDz34Jh for ; Thu, 17 Jul 2025 18:08:18 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R11" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4bjgrv336xz332k for ; Thu, 17 Jul 2025 18:08:15 +0000 (UTC) Received: from layka.disroot.org (layka.disroot.org [178.21.23.139]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mail01.ipfire.org (Postfix) with ESMTPS id 4bjgrt2czdz83 for ; Thu, 17 Jul 2025 18:08:14 +0000 (UTC) Authentication-Results: mail01.ipfire.org; dkim=pass header.d=disroot.org header.s=mail header.b=lXtImXBq; spf=pass (mail01.ipfire.org: domain of robin.roevens@disroot.org designates 178.21.23.139 as permitted sender) smtp.mailfrom=robin.roevens@disroot.org; dmarc=pass (policy=reject) header.from=disroot.org ARC-Seal: i=1; s=202003rsa; d=lists.ipfire.org; t=1752775694; a=rsa-sha256; cv=none; b=e65nlnkpQcL39bPFtpXCNNTauKUCeZ+MXxe52JNfXm1GsUwuo75vSigbP5YwFO66EeGAUT bo05rzDzro/HQfmHAfCxaDuefCpUTLvDZm1Q5MS3w/njkYjq7PyeCWZIvfNSZbN/N7cUcl FKL/xHj3wGfP2+sD125WOAi6dR4sziDJH2RvRJ5+um4uAOLDMTzfuXuA/2zO5B6iyGdd6x jEsChODYah/K8tjKFdAMrmoq7ivSc6CUPwxE8rBRi7fv2WfrvXh9bs1aQ9OKnKQgAk6mGh teMpz9QDxUCc6Vrcz5E45CG5QABgCuXkFAvtoGeCO5Uf4cGvtRnjj2Az1BVlBQ== ARC-Authentication-Results: i=1; mail01.ipfire.org; dkim=pass header.d=disroot.org header.s=mail header.b=lXtImXBq; spf=pass (mail01.ipfire.org: domain of robin.roevens@disroot.org designates 178.21.23.139 as permitted sender) smtp.mailfrom=robin.roevens@disroot.org; dmarc=pass (policy=reject) header.from=disroot.org ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=lists.ipfire.org; s=202003rsa; t=1752775694; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=EGbFk6LCiSx2lReOFXE4bVZLmG0L4Z8S6L+1G+WyZpc=; b=MtAS3YmqFT+QNA9Pruqu3sJknkkvQZeiA1Y+OH3bjJYaO3Mp0hMsi47ge95a6Mqx1qD/YJ BB8Fnvee4ke4077an8iW3sWy2LpwG9+hK23AiOog1X5QvOVux8H0WT3aNBBnEfj6hjh6WY t/pXkSqamJ+SkgKe/cDsoJ6fl54s9XvuHCgJHFcOH0PqBvQSiCe1j70kkLIEXnySAixC0m jLJpvOZ86/8opZW8l06p4AOaEUsMdihH740feX3vQ93aYL1zqfLyanq5Lm/kLK43uh794D ScXLPJw512e/IPhZrvxPeq0jItMqeq13VRnRozO3yzWTp9r1yN9cwZTyVLtDCw== Received: from mail01.disroot.lan (localhost [127.0.0.1]) by disroot.org (Postfix) with ESMTP id AF4A922F7C for ; Thu, 17 Jul 2025 20:08:13 +0200 (CEST) X-Virus-Scanned: SPAM Filter at disroot.org Received: from layka.disroot.org ([127.0.0.1]) by localhost (disroot.org [127.0.0.1]) (amavis, port 10024) with ESMTP id 2gCWxTU5KZ1n for ; Thu, 17 Jul 2025 20:08:12 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=disroot.org; s=mail; t=1752775692; bh=+o8ThSInjN4/prsU9qqBXm9xvyUB89K6RcDakF9RdTU=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=lXtImXBq2zJLnl65j0Ngsr4gDaHa7gKD3KtAAK50zd1yUDob4qMFlEoTX87fMXNoL 8zfPj/gcCn9sQ0m5pv9Y/XiW2nvyvbbX/bLCg88P36pMNsGJ4V04LYFzOMPnFfD1yR fselP6ttjPbs0FXlZSyIz/DISvQB4zKzfgn8D6FPhUyG+TjCkzFgrEzZ3bqfQ3COSQ hFBWrq2hLxy6J9u6Uc+/lToDYqjDEWU41TW3SzM0jkloecD8nvkCysd0xlxsWmajBL MZ4vEI6spWLPO3zqBEcClNrbJ6bvZIYj6oEk6e5nzvfy+KMqZGkn4TkFSdARoPs9fY 6x1ZzsUUUvHOg== Received: from chojin.roevenslambrechts.be (chojin.roevenslambrechts.be [192.168.0.50]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) (no client certificate requested) (Authenticated sender) by hachiman (MailScanner Milter) with SMTP id 2873C39690E; Thu, 17 Jul 2025 20:08:09 +0200 (CEST) From: Robin Roevens To: development@lists.ipfire.org Cc: Robin Roevens Subject: [PATCH 2/6] zabbix_agentd: Add ARPing method for checking Internet Gateway Date: Thu, 17 Jul 2025 19:52:01 +0200 Message-ID: <20250717180805.5754-3-robin.roevens@disroot.org> In-Reply-To: <20250717180805.5754-1-robin.roevens@disroot.org> References: <20250717180805.5754-1-robin.roevens@disroot.org> Precedence: list List-Id: List-Subscribe: , List-Unsubscribe: , List-Post: List-Help: Sender: Mail-Followup-To: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-RoevensLambrechts-MailScanner-ID: 2873C39690E.AD543 X-RoevensLambrechts-MailScanner: Found to be clean X-RoevensLambrechts-MailScanner-From: robin.roevens@disroot.org X-RoevensLambrechts-MailScanner-Watermark: 1753380490.49882@bJIMfKTdqgRzVIbquJM2Bg X-Spamd-Result: default: False [-5.35 / 11.00]; BAYES_HAM(-3.00)[99.99%]; R_DKIM_ALLOW(-1.70)[disroot.org:s=mail]; MID_CONTAINS_FROM(1.00)[]; NEURAL_HAM(-0.98)[-0.976]; DKIM_REPUTATION(-0.97)[-0.97425615749869]; SPF_REPUTATION_SPAM(0.62)[0.20691067161651]; DMARC_POLICY_ALLOW(-0.50)[disroot.org,reject]; R_MISSING_CHARSET(0.50)[]; R_SPF_ALLOW(-0.20)[+a]; MIME_GOOD(-0.10)[text/plain]; MX_GOOD(-0.01)[]; IP_REPUTATION_HAM(-0.01)[asn: 50673(0.00), country: NL(-0.01), ip: 178.21.23.139(0.00)]; FUZZY_RATELIMITED(0.00)[rspamd.com]; ASN(0.00)[asn:50673, ipnet:178.21.23.0/24, country:NL]; ARC_NA(0.00)[]; TO_DN_SOME(0.00)[]; MIME_TRACE(0.00)[0:+]; FROM_EQ_ENVFROM(0.00)[]; RCPT_COUNT_TWO(0.00)[2]; RCVD_COUNT_THREE(0.00)[3]; RCVD_TLS_LAST(0.00)[]; MISSING_XM_UA(0.00)[]; TO_MATCH_ENVRCPT_SOME(0.00)[]; DKIM_TRACE(0.00)[disroot.org:+]; ARC_SIGNED(0.00)[lists.ipfire.org:s=202003rsa:i=1]; PREVIOUSLY_DELIVERED(0.00)[development@lists.ipfire.org]; FROM_HAS_DN(0.00)[] X-Rspamd-Action: no action X-Rspamd-Server: mail01.haj.ipfire.org X-Rspamd-Queue-Id: 4bjgrt2czdz83 Since some ISP's block ICMP ping to their gateway ARPing can be an alternative. This change adds arping alternatives for the regular (icmp) ping checks: - ipfire.net.gateway.arping: Check if the Internet Gateway is reachable via ARPing - ipfire.net.gateway.arpingtime: Measure the time it takes to ARPing the Internet Gateway Signed-off-by: Robin Roevens --- config/rootfiles/packages/zabbix_agentd | 1 + config/zabbix_agentd/sudoers | 3 ++- config/zabbix_agentd/userparameter_gateway.conf | 12 ++++++++++++ config/zabbix_agentd/userparameter_ipfire.conf | 4 ---- lfs/zabbix_agentd | 2 ++ 5 files changed, 17 insertions(+), 5 deletions(-) create mode 100644 config/zabbix_agentd/userparameter_gateway.conf diff --git a/config/rootfiles/packages/zabbix_agentd b/config/rootfiles/packages/zabbix_agentd index ffa66f307..cc75a49bd 100644 --- a/config/rootfiles/packages/zabbix_agentd +++ b/config/rootfiles/packages/zabbix_agentd @@ -21,6 +21,7 @@ var/ipfire/zabbix_agentd/userparameters var/ipfire/zabbix_agentd/userparameters/userparameter_pakfire.conf var/ipfire/zabbix_agentd/userparameters/userparameter_ipfire.conf var/ipfire/zabbix_agentd/userparameters/userparameter_ovpn.conf +var/ipfire/zabbix_agentd/userparameters/userparameter_gateway.conf var/ipfire/zabbix_agentd/scripts var/ipfire/zabbix_agentd/scripts/ipfire_certificate_detail.sh var/ipfire/zabbix_agentd/scripts/ipfire_services.pl diff --git a/config/zabbix_agentd/sudoers b/config/zabbix_agentd/sudoers index 78e175980..921e20c89 100644 --- a/config/zabbix_agentd/sudoers +++ b/config/zabbix_agentd/sudoers @@ -8,6 +8,7 @@ # To add more sudo rights to zabbix agent, you should modify the sudoers file zabbix_agentd_user # Defaults:zabbix !requiretty -zabbix ALL=(ALL) NOPASSWD: /opt/pakfire/pakfire status, /usr/sbin/fping, /usr/local/bin/getipstat, /bin/cat /var/run/ovpnserver.log +zabbix ALL=(ALL) NOPASSWD: /opt/pakfire/pakfire status, /usr/sbin/fping, /usr/sbin/arping, /usr/local/bin/getipstat +zabbix ALL=(ALL) NOPASSWD: /bin/cat /var/run/ovpnserver.log zabbix ALL=(ALL) NOPASSWD: /var/ipfire/zabbix_agentd/scripts/ipfire_certificate_detail.sh zabbix ALL=(ALL) NOPASSWD: /var/ipfire/zabbix_agentd/scripts/ipfire_services.pl diff --git a/config/zabbix_agentd/userparameter_gateway.conf b/config/zabbix_agentd/userparameter_gateway.conf new file mode 100644 index 000000000..cfae001ae --- /dev/null +++ b/config/zabbix_agentd/userparameter_gateway.conf @@ -0,0 +1,12 @@ +# Parameters to monitor Internet gateway connectivity +# +# ICMP Ping +# Internet Gateway ping timings, can be used to measure "Internet Line Quality" +UserParameter=ipfire.net.gateway.pingtime,sudo /usr/sbin/fping -c 3 gateway 2>&1 | tail -n 1 | awk '{print $NF}' | cut -d '/' -f2 +# Internet Gateway availability, can be used to check Internet connection +UserParameter=ipfire.net.gateway.ping,sudo /usr/sbin/fping -q -r 3 gateway; [ ! $? == 0 ]; echo $? +# ARP Ping +# Internet Gateway ping timings, can be used to measure "Internet Line Quality" when ICMP ping is not available +UserParameter=ipfire.net.gateway.arpingtime,sudo /usr/sbin/arping -i red0 -c 3 gateway | awk 'match($0, /time=([0-9\.]+) (\w+)$/, arr) { n++; if (arr[2] == "usec") { arr[1]/=1000; }; sum+=arr[1] } END { print sum / n }' +# Internet Gateway availability, can be used to check Internet connection when ICMP ping is not available +UserParameter=ipfire.net.gateway.arping,sudo /usr/sbin/arping -q -c 3 gateway; [ ! $? == 0 ]; echo $? diff --git a/config/zabbix_agentd/userparameter_ipfire.conf b/config/zabbix_agentd/userparameter_ipfire.conf index c8ead1608..e88c20298 100644 --- a/config/zabbix_agentd/userparameter_ipfire.conf +++ b/config/zabbix_agentd/userparameter_ipfire.conf @@ -1,9 +1,5 @@ # Parameters for monitoring IPFire specific metrics # -# Internet Gateway ping timings, can be used to measure "Internet Line Quality" -UserParameter=ipfire.net.gateway.pingtime,sudo /usr/sbin/fping -c 3 gateway 2>&1 | tail -n 1 | awk '{print $NF}' | cut -d '/' -f2 -# Internet Gateway availability, can be used to check Internet connection -UserParameter=ipfire.net.gateway.ping,sudo /usr/sbin/fping -q -r 3 gateway; [ ! $? == 0 ]; echo $? # Firewall Filter Forward chain drops in bytes/chain (JSON), can be used for discovery of firewall chains and monitoring of firewall hits on each chain UserParameter=ipfire.net.fw.hits.raw,sudo /usr/local/bin/getipstat -xf | grep "/\* DROP_.* \*/$" | awk 'BEGIN { ORS = ""; print "["} { printf "%s{\"chain\": \"%s\", \"bytes\": \"%s\"}", separator, substr($11, 6), $2; separator = ", "; } END { print"]" }' # Number of currently Active DHCP leases diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd index c2b8533b4..ebd184628 100644 --- a/lfs/zabbix_agentd +++ b/lfs/zabbix_agentd @@ -112,6 +112,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) /var/ipfire/zabbix_agentd/userparameters/userparameter_ipfire.conf install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/userparameter_ovpn.conf \ /var/ipfire/zabbix_agentd/userparameters/userparameter_ovpn.conf + install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/userparameter_gateway.conf \ + /var/ipfire/zabbix_agentd/userparameters/userparameter_gateway.conf # Install IPFire-specific Zabbix Agent scripts -mkdir -pv /var/ipfire/zabbix_agentd/scripts -- 2.50.1 -- Dit bericht is gescanned op virussen en andere gevaarlijke inhoud door MailScanner en lijkt schoon te zijn.