From: Luigi Rizzo
Message-Id: <200007150639.IAA24985@info.iet.unipi.it>
Subject: Re: ipfw accounting problem? ....
In-Reply-To: <396FB45F.47307416@worldgate.ca> from Greg Skafte at "Jul 14, 2000 06:46:23 pm"
To: Greg Skafte
Date: Sat, 15 Jul 2000 08:39:32 +0200 (CEST)
Cc: freebsd-ipfw@FreeBSD.ORG

> > the way it is implemented is to account packets into the
> > dynamic rules and probably also in the "parent" rule (the one
> > with "keep-state".
>
> on a 4.X machine I'm only seeing the accounting info in the
> dynamic rules, not the Parent "keep-state". I'm just wondering
> if matches to the "check-state" should have accounting info?

the fact is that you can have multiple places where dynamic rules
are checked so the info you want can still be split over several
different places. Furthermore one check-state match refers
to the whole set of dynamic rules so again the info possibly
logged in the check-state rule is not that significant anyways.

> Some people may have issues with packet accounting being done
> in the dynamic rules since some of the rules can expire in as
> little as 5 seconds ( yes the timeout can be adjusted by a
> sysctl but ..)

Well you have to consider that ipfw in general (not only dynamic
rules) was not written for accounting purposes.
As an example there is no way to read&reset a counter atomically,
you must always read the whole ruleset at once, and this
requires the whole structure to be copied at splnet(), etc. etc. --
surely this was not a problem when rulesets were manually
constructed and possibly small. Things have changed now with
dynamic rules and dynamic dummynet pipes where you can have
tens of thousands of entries in the ipfw ruleset.

	cheers
	luigi

-----------------------------------+-------------------------------------
  Luigi RIZZO, luigi@iet.unipi.it  . Dip. di Ing. dell'Informazione
  http://www.iet.unipi.it/~luigi/  . Universita` di Pisa
  TEL/FAX: +39-050-568.533/522     . via Diotisalvi 2, 56126 PISA (Italy)
  Mobile   +39-347-0373137
-----------------------------------+-------------------------------------