Re[2]: ipfw counters for tables

From: Eugen Konkov <kes-kes@xxxxxxxxx>
Date: Mon, 23 Jul 2012 13:13:47 +0300

Здравствуйте, Ian.

Вы писали 23 июля 2012 г., 8:27:50:

IS> In freebsd-questions Digest, Vol 424, Issue 10, Message: 10
IS> On Sun, 22 Jul 2012 14:55:46 +0300 Eugen Konkov <kes-kes@xxxxxxxxx> wrote:

IS> Hi Eugen,

I use ipfw tables to allow host to access to internet.
is there counter for matched packets/bytes for table entry like for
ipfw rule?

#ipfw show 901
rule packets bytes
00901 302271108 27717115967 allow ip from 10.10.1.3 to any

#ipfw table 7 list
---table(7)---
10.7.60.41/32 100

No counters here (((

IS> No, there are no individual counters for matched entries in tables.
IS> Apart from extra space cost, the accounting time cost would be huge;
IS> lookups are fast but updating radix trees per match would be very slow.

IS> Also, a table may be referenced in multiple rules, or even twice in the
IS> same rule, so what could such a count really indicate?

IS> Of course, counts for matching the table are in the rule/s concerned:

IS> 16100 58300 3060562 deny log logamount 20 ip from table(1) to any in recv ng0
IS> 16200 4449 226060 deny log logamount 20 tcp from
IS> table(25) to any dst-port 25,110 in recv ng0 setup
IS> 23000 45 2700 allow log logamount 100 tcp from
IS> table(22) to w.x.y.z dst-port 22 in recv ng0 setup

but if lookup function will return matched entry, then calling rule
may update appropriate counter.

matchedentry= lookup_table( PACKETDATA );
updatecounter(matchedentry);

#ipfw show 16100
16100 58300 3060562 deny *counttable* log logamount 20 ip from table(1) to any in recv ng0
50000 3000000 10.5.0.1/32
300 562 10.5.0.7/32
8000 60000 10.5.0.2/32

will this be slow?

IS> Myself, I'd be more interested in a last-match timestamp than a count
IS> for table entries, but that won't happen either for the above reasons :)

IS> cheers, Ian

--
С уважением,
Eugen mailto:kes-kes@xxxxxxxxx

_______________________________________________
freebsd-questions@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@xxxxxxxxxxx"

Follow-Ups:
- Re[2]: ipfw counters for tables
  - From: Ian Smith

References:
- Re: ipfw counters for tables
  - From: Ian Smith

Prev by Date: Re: "da0: 40.000MB/s transfers" What was rationale behind pegging USB 2.0 at 40MB/s?
Next by Date: Re: How to get Huawei EC1561 USB modem working under FreeBSD 8.2?
Previous by thread: Re: ipfw counters for tables
Next by thread: Re[2]: ipfw counters for tables
Index(es):
- Date
- Thread

Relevant Pages

Re: IPFW: table approvement
... IPFW has 'table' command ... There are situations when you need each entry has multiple values. ... ipfw add XXX tag tablearg all from tableto any ... ipfw add XXX pipe tablearg all from tableto any ...
(freebsd-questions)
Re: ipfw counters for tables
... ipfw rule? ... there are no individual counters for matched entries in tables. ... Apart from extra space cost, the accounting time cost would be huge; ...
(freebsd-questions)
Re: Cant link kernel after recent libalias commits?
... i'll write an entry for UPDATING. ... Shouldn't it still be possible to build a kernel with IPFW but without ... libalias entry points in IPFW - or am I misunderstanding what you are ...
(freebsd-current)
Re: Cant link kernel after recent libalias commits?
... i'll write an entry for UPDATING. ... Shouldn't it still be possible to build a kernel with IPFW but without ... libalias entry points in IPFW - or am I misunderstanding what you are ...
(freebsd-current)
ipfw counters for tables
... I use ipfw tables to allow host to access to internet. ... is there counter for matched packets/bytes for table entry like for ipfw rule? ...
(freebsd-questions)