ipfw counters for tables
Ian Smith
smithi at nimnet.asn.au
Mon Jul 23 05:36:34 UTC 2012
In freebsd-questions Digest, Vol 424, Issue 10, Message: 10
On Sun, 22 Jul 2012 14:55:46 +0300 Eugen Konkov <kes-kes at yandex.ru> wrote:

Hi Eugen,

> I use ipfw tables to allow hosts to access the internet.
> Is there a counter for matched packets/bytes for a table entry, like for an
> ipfw rule?
>
> #ipfw show 901
> rule packets bytes
> 00901 302271108 27717115967 allow ip from 10.10.1.3 to any
>
> #ipfw table 7 list
> ---table(7)---
> 10.7.60.41/32 100
>
> No counters here (((

No, there are no individual counters for matched entries in tables.
Apart from extra space cost, the accounting time cost would be huge;
lookups are fast but updating radix trees per match would be very slow.
Also, a table may be referenced in multiple rules, or even twice in the
same rule, so what could such a count really indicate?

Of course, counts for matching the table are in the rule/s concerned:

16100 58300 3060562 deny log logamount 20 ip from table(1) to any in recv ng0
16200 4449 226060 deny log logamount 20 tcp from table(25) to any dst-port 25,110 in recv ng0 setup
23000 45 2700 allow log logamount 100 tcp from table(22) to w.x.y.z dst-port 22 in recv ng0 setup

Myself, I'd be more interested in a last-match timestamp than a count
for table entries, but that won't happen either for the above reasons :)

cheers, Ian
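
Added example (not part of the original message, and not FreeBSD project code): since the counters live on rules rather than on table entries, this sh/awk function sums `ipfw show` counters per table referenced, listing the contributing rules so a figure combined from several rules is visible as such. The function names, the constructed rule 16150, and the choice to count a rule once when it names the same table twice are assumptions of this example.

```sh
#!/bin/sh
# Added example: attribute `ipfw show` rule counters to the tables each rule
# references. Function names and the 16150 sample line are assumptions.

# Constructed sample: three rule lines quoted in the message above, plus one
# constructed rule (16150) that references table(1) twice.
sample_ipfw_show() {
    cat <<'EOF'
16100 58300 3060562 deny log logamount 20 ip from table(1) to any in recv ng0
16150 10 600 deny ip from table(1) to table(1) in recv ng0
16200 4449 226060 deny log logamount 20 tcp from table(25) to any dst-port 25,110 in recv ng0 setup
23000 45 2700 allow log logamount 100 tcp from table(22) to w.x.y.z dst-port 22 in recv ng0 setup
EOF
}

# Reads `ipfw show` output on stdin; prints one summary line per table.
table_counts() {
    awk '
    # Counter lines look like: <rule> <packets> <bytes> <rule body...>
    $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ {
        split("", seen)                      # per-rule set of tables seen
        rest = $0
        while (match(rest, /table\([^)]+\)/)) {
            ref = substr(rest, RSTART + 6, RLENGTH - 7)
            rest = substr(rest, RSTART + RLENGTH)
            sub(/,.*/, "", ref)              # table(N,value) -> N
            if (ref in seen) continue        # count a rule once per table
            seen[ref] = 1
            pkts[ref] += $2
            bytes[ref] += $3
            rules[ref] = ((ref in nrules) ? rules[ref] "," : "") $1
            nrules[ref]++
        }
    }
    END {
        # %.0f keeps counters above 2^31 intact on awks with 32-bit %d
        for (t in pkts)
            printf "table(%s) packets=%.0f bytes=%.0f rules=%s\n",
                   t, pkts[t], bytes[t], rules[t]
    }' | LC_ALL=C sort
}

# Demo on the embedded sample; on a live host: ipfw show | table_counts
sample_ipfw_show | table_counts
```

The totals say how much traffic hit rules that consult a table, not which entry in the table matched.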