mrverrall/pf_active_clients

## pf_active_clients
#!/bin/bash

: << =cut

=head1 NAME

Packetfence Clients

=head1 AUTHOR

Contributed by Paul Verrall

=head1 LICENSE

GPLv2

=cut

if [ -x  $MUNIN_LIBDIR/plugins/plugin.sh ]
then
. $MUNIN_LIBDIR/plugins/plugin.sh
fi

if [ "$1" = "autoconf" ]; then
        echo no
        exit 0
fi

if [ "$1" = "config" ]; then

        echo "graph_title packetfence active clients"
        echo 'graph_vlabel clients'
        echo 'graph_args --base 1000 --lower-limit 0'
        echo "graph_category Packetfence"

        PF_IPSETS=$(ipset list -n | fgrep pfsession_Reg_)

        for ipset in $PF_IPSETS
        do
            snet=${ipset##pfsession_Reg_}
            echo "$snet""_active.label $snet""_active"
            echo "$snet.draw AREA"
        done

        exit 0
fi

PF_IPSETS=$(ipset list -n | fgrep pfsession_Reg_)
TCP_TIMEOUT=$(sysctl -n net.netfilter.nf_conntrack_tcp_timeout_established)
ACTIVE_AGE=600
ACTIVE_MIN_AGE=$(( $TCP_TIMEOUT - $ACTIVE_AGE ))

LOCAL_IPS=$(mktemp)
IPSET_CLIENT_IPS=$(mktemp)

# Pop local IPs in a file for easy filtering with grep
for ip in $(hostname -I)
do
    echo "$ip" >> "$LOCAL_IPS"
done

for ipset in $PF_IPSETS;
do
    # output list of set client ips for this set to file for easy greppage
    ipset list "$ipset"  | awk -F , '/^[0-9]/ {print $1}' > "$IPSET_CLIENT_IPS"
    if [ -s "$IPSET_CLIENT_IPS" ]
    then
        echo -n "${ipset##pfsession_Reg_}_active.value "

        # list of assured established tcp connections
        # | remove local sorces and destinations
        # | remove aged connections i.e only those active within $ACTIVE_AGE seconds
        # | include only pf clients in this ipset
        # | sort | unique | count remaining lines

        conntrack -L -u assured -p tcp --state ESTABLISHED 2>/dev/null \
            | fgrep -v -f "$LOCAL_IPS" \
            | awk -v t="$ACTIVE_MIN_AGE" '$3 > t {print $0}' \
            | fgrep -o -f "$IPSET_CLIENT_IPS" \
            | sort | uniq | wc -l
     fi
done

rm $LOCAL_IPS $IPSET_CLIENT_IPS
exit 0
	#!/bin/bash

	: << =cut

	=head1 NAME

	Packetfence Clients

	=head1 AUTHOR

	Contributed by Paul Verrall

	=head1 LICENSE

	GPLv2

	=cut

	if [ -x $MUNIN_LIBDIR/plugins/plugin.sh ]
	then
	. $MUNIN_LIBDIR/plugins/plugin.sh
	fi

	if [ "$1" = "autoconf" ]; then
	echo no
	exit 0
	fi

	if [ "$1" = "config" ]; then

	echo "graph_title packetfence active clients"
	echo 'graph_vlabel clients'
	echo 'graph_args --base 1000 --lower-limit 0'
	echo "graph_category Packetfence"

	PF_IPSETS=$(ipset list -n \| fgrep pfsession_Reg_)

	for ipset in $PF_IPSETS
	do
	snet=${ipset##pfsession_Reg_}
	echo "$snet""_active.label $snet""_active"
	echo "$snet.draw AREA"
	done

	exit 0
	fi

	PF_IPSETS=$(ipset list -n \| fgrep pfsession_Reg_)
	TCP_TIMEOUT=$(sysctl -n net.netfilter.nf_conntrack_tcp_timeout_established)
	ACTIVE_AGE=600
	ACTIVE_MIN_AGE=$(( $TCP_TIMEOUT - $ACTIVE_AGE ))

	LOCAL_IPS=$(mktemp)
	IPSET_CLIENT_IPS=$(mktemp)

	# Pop local IPs in a file for easy filtering with grep
	for ip in $(hostname -I)
	do
	echo "$ip" >> "$LOCAL_IPS"
	done

	for ipset in $PF_IPSETS;
	do
	# output list of set client ips for this set to file for easy greppage
	ipset list "$ipset" \| awk -F , '/^[0-9]/ {print $1}' > "$IPSET_CLIENT_IPS"
	if [ -s "$IPSET_CLIENT_IPS" ]
	then
	echo -n "${ipset##pfsession_Reg_}_active.value "

	# list of assured established tcp connections
	# \| remove local sorces and destinations
	# \| remove aged connections i.e only those active within $ACTIVE_AGE seconds
	# \| include only pf clients in this ipset
	# \| sort \| unique \| count remaining lines

	conntrack -L -u assured -p tcp --state ESTABLISHED 2>/dev/null \
	\| fgrep -v -f "$LOCAL_IPS" \
	\| awk -v t="$ACTIVE_MIN_AGE" '$3 > t {print $0}' \
	\| fgrep -o -f "$IPSET_CLIENT_IPS" \
	\| sort \| uniq \| wc -l
	fi
	done

	rm $LOCAL_IPS $IPSET_CLIENT_IPS
	exit 0