Date: Mon, 23 Jul 2012 13:13:47 +0300
From: Eugen Konkov
To: Ian Smith
Cc: freebsd-questions@freebsd.org
Subject: Re[2]: ipfw counters for tables
Message-ID: <1443021317.20120723131347@yandex.ru>

Hello, Ian.

You wrote on 23 July 2012, 8:27:50:

IS> In freebsd-questions Digest, Vol 424, Issue 10, Message: 10
IS> On Sun, 22 Jul 2012 14:55:46 +0300 Eugen Konkov wrote:

IS> Hi Eugen,

>> I use ipfw tables to allow host to access to internet.
>> is there counter for matched packets/bytes for table entry like for
>> ipfw rule?
>>
>> #ipfw show 901
>> rule packets bytes
>> 00901 302271108 27717115967 allow ip from 10.10.1.3 to any
>>
>> #ipfw table 7 list
>> ---table(7)---
>> 10.7.60.41/32 100
>>
>> No counters here (((

IS> No, there are no individual counters for matched entries in tables.

IS> Apart from extra space cost, the accounting time cost would be huge;
IS> lookups are fast but updating radix trees per match would be very slow.

IS> Also, a table may be referenced in multiple rules, or even twice in the
IS> same rule, so what could such a count really indicate?
IS> Of course, counts for matching the table are in the rule/s concerned:

IS> 16100 58300 3060562 deny log logamount 20 ip from table(1) to any in recv ng0
IS> 16200 4449 226060 deny log logamount 20 tcp from table(25) to any dst-port 25,110 in recv ng0 setup
IS> 23000 45 2700 allow log logamount 100 tcp from table(22) to w.x.y.z dst-port 22 in recv ng0 setup

But if the lookup function returns the matched entry, then the calling rule
may update the appropriate counter.

    matchedentry = lookup_table(PACKETDATA);
    updatecounter(matchedentry);

    #ipfw show 16100
    16100 58300 3060562 deny *counttable* log logamount 20 ip from table(1) to any in recv ng0
          50000 3000000 10.5.0.1/32
            300     562 10.5.0.7/32
           8000   60000 10.5.0.2/32

Will this be slow?

IS> Myself, I'd be more interested in a last-match timestamp than a count
IS> for table entries, but that won't happen either for the above reasons :)

IS> cheers, Ian

-- 
Best regards,
 Eugen  mailto:kes-kes@yandex.ru
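
The per-rule counters mentioned in the thread can be collected for one table with a small filter over `ipfw show` output. This is an added example, not code from the message or from ipfw; the function names are hypothetical, and the sample rules are the three quoted above plus one constructed rule (24000) that references the table twice.

```shell
#!/bin/sh
# table_rule_counters N: read `ipfw show` output on stdin and report the
# packet/byte counters of every rule that references table(N).
table_rule_counters() {
    awk -v t="$1" '
        # ipfw show lines: <rule number> <packets> <bytes> <rule body...>
        $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ {
            refs = 0
            body = $0
            # Match table(N) and table(N,value), but not table(N0), table(N1)...
            # A rule may reference the same table more than once.
            while (match(body, "table\\(" t "[,)]")) {
                refs++
                body = substr(body, RSTART + RLENGTH)
            }
            if (refs) {
                printf "rule %s packets %s bytes %s refs %d\n", $1, $2, $3, refs
                pk += $2; by += $3; n++
            }
        }
        # %.0f keeps byte totals above 2^31 intact on awks with 32-bit %d.
        END { printf "total rules %d packets %.0f bytes %.0f\n", n, pk, by }
    '
}

# Sample input: rules 16100-23000 are from the message, 24000 is constructed.
sample_ipfw_show() {
    cat <<'EOF'
16100 58300 3060562 deny log logamount 20 ip from table(1) to any in recv ng0
16200 4449 226060 deny log logamount 20 tcp from table(25) to any dst-port 25,110 in recv ng0 setup
23000 45 2700 allow log logamount 100 tcp from table(22) to w.x.y.z dst-port 22 in recv ng0 setup
24000 10 600 deny ip from table(1) to table(1) out xmit ng0
EOF
}

sample_ipfw_show | table_rule_counters 1
```

On a live system the input would be `ipfw show | table_rule_counters 1`. The totals are per rule, so they say how often the table matched in each rule, not which entry matched.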