Date: Mon, 23 Jul 2012 15:27:50 +1000 (EST)
From: Ian Smith <smithi@nimnet.asn.au>
To: Eugen Konkov <kes-kes@yandex.ru>
Cc: freebsd-questions@freebsd.org
Subject: Re: ipfw counters for tables
Message-ID: <20120723144551.K37097@sola.nimnet.asn.au>
In-Reply-To: <20120722120042.DC8371065678@hub.freebsd.org>
References: <20120722120042.DC8371065678@hub.freebsd.org>
In freebsd-questions Digest, Vol 424, Issue 10, Message: 10
On Sun, 22 Jul 2012 14:55:46 +0300 Eugen Konkov <kes-kes@yandex.ru> wrote:

Hi Eugen,

 > I use ipfw tables to allow host to access to internet.
 > is there counter for matched packets/bytes for table entry like for
 > ipfw rule?
 >
 > #ipfw show 901
 > rule packets bytes
 > 00901 302271108 27717115967 allow ip from 10.10.1.3 to any
 >
 > #ipfw table 7 list
 > ---table(7)---
 > 10.7.60.41/32 100
 >
 > No counters here (((

No, there are no individual counters for matched entries in tables.

Apart from extra space cost, the accounting time cost would be huge;
lookups are fast but updating radix trees per match would be very slow.

Also, a table may be referenced in multiple rules, or even twice in the
same rule, so what could such a count really indicate?

Of course, counts for matching the table are in the rule/s concerned:

16100 58300 3060562 deny log logamount 20 ip from table(1) to any in recv ng0
16200 4449 226060 deny log logamount 20 tcp from table(25) to any dst-port 25,110 in recv ng0 setup
23000 45 2700 allow log logamount 100 tcp from table(22) to w.x.y.z dst-port 22 in recv ng0 setup

Myself, I'd be more interested in a last-match timestamp than a count
for table entries, but that won't happen either for the above reasons :)

cheers, Ian
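
Added example, not part of Ian's message and not code from ipfw: because the counters live on the rules, this sh/awk function reads `ipfw show` output and totals packets and bytes for each table the rules reference. The function names and the rule 16150 line are constructed for illustration; the other sample lines are the ones quoted in the thread.

```sh
#!/bin/sh
# Constructed sample of `ipfw show` output. Rules 901, 16100, 16200 and 23000
# are the lines quoted in the thread; rule 16150 is made up so that table 1
# is referenced by two rules.
sample_rules() {
    cat <<'EOF'
00901 302271108 27717115967 allow ip from 10.10.1.3 to any
16100 58300 3060562 deny log logamount 20 ip from table(1) to any in recv ng0
16150 100 6000 deny ip from any to table(1) out xmit ng0
16200 4449 226060 deny log logamount 20 tcp from table(25) to any dst-port 25,110 in recv ng0 setup
23000 45 2700 allow log logamount 100 tcp from table(22) to w.x.y.z dst-port 22 in recv ng0 setup
EOF
}

# Read `ipfw show` output on stdin and print one line per table:
#   <table> <packets> <bytes> <rules that reference it>
# The figures are sums of rule counters, not per-entry counts: a table used
# by several rules gets the total, and they say nothing about which entry hit.
table_counters() {
    awk '
    # Counter lines look like: <rule> <packets> <bytes> <rule body ...>
    $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ {
        split("", seen)                  # tables already credited for this rule
        rest = $0
        while (match(rest, /table\([0-9]+/)) {
            t = substr(rest, RSTART + 6, RLENGTH - 6)   # digits after "table("
            rest = substr(rest, RSTART + RLENGTH)
            if (t in seen) continue      # same table twice in one rule
            seen[t] = 1
            sep = (t in rules) ? "," : ""
            pkts[t] += $2; bytes[t] += $3
            rules[t] = rules[t] sep $1
        }
    }
    # %.0f keeps large byte counters intact on awks with a 32-bit %d
    END { for (t in pkts) printf "%s %.0f %.0f %s\n", t, pkts[t], bytes[t], rules[t] }
    ' | sort -n
}

sample_rules | table_counters
```

On a live system the input would be `ipfw show | table_counters`; rules without a table reference, such as 901, are skipped.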