Date:      Mon, 23 Jul 2012 13:13:47 +0300
From:      Eugen Konkov <kes-kes@yandex.ru>
To:        Ian Smith <smithi@nimnet.asn.au>
Cc:        freebsd-questions@freebsd.org
Subject:   Re[2]: ipfw counters for tables
Message-ID:  <1443021317.20120723131347@yandex.ru>
In-Reply-To: <20120723144551.K37097@sola.nimnet.asn.au>
References:  <20120722120042.DC8371065678@hub.freebsd.org> <20120723144551.K37097@sola.nimnet.asn.au>

Hello, Ian.

You wrote on 23 July 2012 at 8:27:50:

IS> In freebsd-questions Digest, Vol 424, Issue 10, Message: 10
IS> On Sun, 22 Jul 2012 14:55:46 +0300 Eugen Konkov <kes-kes@yandex.ru> wrote:

IS> Hi Eugen,

 >> I use ipfw tables to allow host to access to internet.
 >> is there counter for matched packets/bytes for table entry like for 
 >> ipfw rule?
 >> 
 >> #ipfw show 901
 >> rule     packets        bytes
 >> 00901  302271108  27717115967 allow ip from 10.10.1.3 to any
 >> 
 >> #ipfw table 7 list
 >> ---table(7)---
 >> 10.7.60.41/32 100
 >> 
 >> No counters here (((

IS> No, there are no individual counters for matched entries in tables.  
IS> Apart from extra space cost, the accounting time cost would be huge; 
IS> lookups are fast but updating radix trees per match would be very slow.

IS> Also, a table may be referenced in multiple rules, or even twice in the
IS> same rule, so what could such a count really indicate?

IS> Of course, counts for matching the table are in the rule/s concerned:

IS> 16100    58300    3060562 deny log logamount 20 ip from table(1) to any in recv ng0
IS> 16200     4449     226060 deny log logamount 20 tcp from table(25) to any dst-port 25,110 in recv ng0 setup
IS> 23000       45       2700 allow log logamount 100 tcp from table(22) to w.x.y.z dst-port 22 in recv ng0 setup

But if the lookup function returns the matched entry, then the calling rule
can update the appropriate counter:

matchedentry= lookup_table( PACKETDATA );
updatecounter(matchedentry);

#ipfw show 16100
16100    58300    3060562 deny *counttable* log logamount 20 ip from table(1) to any in recv ng0
         50000    3000000 10.5.0.1/32
           300        562 10.5.0.7/32
          8000      60000 10.5.0.2/32

Will this be slow?


IS> Myself, I'd be more interested in a last-match timestamp than a count 
IS> for table entries, but that won't happen either for the above reasons :)

IS> cheers, Ian




-- 
Best regards,
 Eugen                          mailto:kes-kes@yandex.ru




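The "lookup returns the matched entry, the rule updates its counter" idea from Eugen's message, as an added user-space model that is not part of the thread and not ipfw's own code. It assumes a small linear-scan prefix table rather than ipfw's kernel radix tree, and the names table_add, table_lookup, rule_match_and_count and table_show are this example's own; the sample table entries and packets are constructed.

```c
/*
 * Added example, not ipfw code: a user-space model of the per-entry
 * counter idea from the message above.  A small IPv4 prefix table does a
 * longest-prefix-match lookup and hands back the matched entry; the caller
 * (standing in for the rule) bumps that entry's packet and byte counters.
 * Names and layout are this example's own assumptions; real ipfw tables are
 * kernel radix trees and carry no per-entry counters.
 */
#include <stdint.h>
#include <stdio.h>

#define TABLE_MAX 16

struct table_entry {
    uint32_t addr;     /* network address, host byte order */
    uint8_t  plen;     /* prefix length, 0..32 */
    uint32_t value;    /* the value column of "ipfw table N list" */
    uint64_t packets;  /* per-entry counters, as proposed above */
    uint64_t bytes;
};

struct table {
    struct table_entry ent[TABLE_MAX];
    int n;
};

static uint32_t prefix_mask(uint8_t plen)
{
    return plen == 0 ? 0u : 0xffffffffu << (32 - plen);
}

/* Add "a.b.c.d[/len]" with a value; returns 1 on success, 0 on error. */
int table_add(struct table *t, const char *cidr, uint32_t value)
{
    unsigned a, b, c, d, plen = 32;   /* no "/len" means a host entry */
    struct table_entry *e;

    if (t->n >= TABLE_MAX ||
        sscanf(cidr, "%u.%u.%u.%u/%u", &a, &b, &c, &d, &plen) < 4 ||
        a > 255 || b > 255 || c > 255 || d > 255 || plen > 32)
        return 0;
    e = &t->ent[t->n++];
    e->addr = ((a << 24) | (b << 16) | (c << 8) | d) & prefix_mask((uint8_t)plen);
    e->plen = (uint8_t)plen;
    e->value = value;
    e->packets = e->bytes = 0;
    return 1;
}

/* Longest-prefix lookup: returns the matched entry or NULL.  The lookup
 * is read-only; it never has to rewrite the table structure. */
struct table_entry *table_lookup(struct table *t, uint32_t addr)
{
    struct table_entry *best = NULL;
    for (int i = 0; i < t->n; i++) {
        struct table_entry *e = &t->ent[i];
        if ((addr & prefix_mask(e->plen)) == e->addr &&
            (best == NULL || e->plen > best->plen))
            best = e;
    }
    return best;
}

/* The rule side of the proposal: look up, and on a match account the
 * packet on the returned entry.  Returns 1 on match, 0 otherwise. */
int rule_match_and_count(struct table *t, uint32_t src, uint32_t len)
{
    struct table_entry *e = table_lookup(t, src);
    if (e == NULL)
        return 0;
    e->packets++;
    e->bytes += len;
    return 1;
}

/* Print the counters in the layout proposed in the message. */
void table_show(const struct table *t)
{
    for (int i = 0; i < t->n; i++) {
        const struct table_entry *e = &t->ent[i];
        printf("%14llu %10llu %u.%u.%u.%u/%u\n",
               (unsigned long long)e->packets, (unsigned long long)e->bytes,
               e->addr >> 24, (e->addr >> 16) & 255, (e->addr >> 8) & 255,
               e->addr & 255, e->plen);
    }
}

int main(void)
{
    static struct table t;   /* zero-initialised, empty */
    /* Constructed sample: a /24, a more specific /32 inside it, four packets */
    table_add(&t, "10.5.0.0/24", 100);
    table_add(&t, "10.5.0.7/32", 200);
    rule_match_and_count(&t, 0x0a050001u, 60);    /* 10.5.0.1 -> the /24 */
    rule_match_and_count(&t, 0x0a050007u, 562);   /* 10.5.0.7 -> the /32 */
    rule_match_and_count(&t, 0x0a050001u, 40);
    rule_match_and_count(&t, 0x0a060001u, 1500);  /* 10.6.0.1, no match */
    table_show(&t);
    return 0;
}
```

Two things this model makes visible. First, the counting step is a plain increment on the entry the lookup already found, so the tree (here, the array) is never restructured on a match; what a kernel implementation would actually pay for is the extra memory per entry and, on SMP, the cache-line traffic of several CPUs writing the same counters. Second, Ian's ambiguity remains: the entry's counter is bumped by every rule that references the table, so it sums matches across all of them rather than attributing them to a rule.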