Date: Mon, 07 Jan 2002 08:23:08 +0100
From: Gaël Roualland <gael.roualland@dial.oleane.com>
To: cjclark@alum.mit.edu
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Reporting last packet that will get logged
Message-ID: <3C394CDC.4BD0AB6E@dial.oleane.com>
References: <3C38FC27.CC1E8AC9@dial.oleane.com> <20020106230118.F2029@gohan.cjclark.org>

"Crist J. Clark" wrote:
>
> On Mon, Jan 07, 2002 at 02:38:47AM +0100, Gaël Roualland wrote:
> > Hello,
> >
> > ipfw has a nice feature of logging limit to avoid flooding the logs;
> > However, one needs to reset them regularly, and this outputs annoying
> > logging messages while often the reset wouldn't have been needed...
> >
> > To solve this, a while back I did a simple patch to the 4.2 ipfw(8)
> > command to be able to report the number of the last packet that will be
> > logged on a rule which has logging enabled, before the logging limit is
> > reached. This allows to resetlogs only when one rule has reached (or is
> > close to reach) its limit.
> >
> > Maybe this could be a feature to add to the stock ipfw command?
>
> First of all, I really don't see what is so annoying about a single
> log entry. A script doing some sort of analysis can easily ignore them
> and obviously a human reader can easily skip them over.
>
> Second, I think this is a rather awkward way to handle this. The
> "reset" messages are logged at the "notice" level while 'log' rules
> are logged at "info." This can be used to separate them.

Sure, this is something that can be easily handled with other ways, I
just find it nicer/useful to be able to do it another way, and it
doesn't need a lot to be reported since the information is present in
the data structure.

> Finally, I'm not sure I'm clear on, "the number of the last packet
> that will be logged," means.

This is actually what the kernel structures use (at least on 4.2), but
it is quite easy to convert to something more user friendly, I agree :)

> I'm thinking adding a field to the 'show'
> or 'list' commands when a flag is given, say '-l' for "limit," that
> shows where the counter currently is would be more
> straightforward. So,
>
>   # ipfw -l list 1000
>   01000 456 deny log logamount 1000 ip from any to any
>
> We've logged 456 packets since the last reset. We can quickly figure
> out there are 544 more to be logged before we hit the limit.

That would be perfectly fine,

Gaël.

-- 
Gaël Roualland -+- gael.roualland@dial.oleane.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message