Rene van Hoek wrote:
Hello,

I am using IPF v4.1.28 on FreeBSD7. The firewall is working stable and does what it is supposed to do. So no problems there.

The following however, I don't expect: In the ipfstat -t output I see the same connections (source-ip, port <--> destination-ip, port) twice.
For example (part of output ipfstat -t):

Source IP             Destination IP      ST   PR   #pkts  #bytes  ttl
80.60.81.93,1363      195.86.22.59,587    B/6  tcp    173  202746  0:13
80.57.132.26,60464    195.86.22.53,22     4/4  tcp   2393  147824  119:59:59
80.60.81.93,1363      195.86.22.59,587    B/6  tcp     88  101445  0:13
80.57.132.26,60477    195.86.22.59,22     4/4  tcp   1077   64400  119:59:47 (*)
77.162.155.20,49808   195.86.22.50,80     4/4  tcp    203   54140  119:59:17
77.162.155.20,49807   195.86.22.50,80     4/4  tcp    173   45966  119:59:16
80.57.132.26,56603    195.86.22.50,80     4/4  tcp    429   45716  96:09:25
78.171.174.130,1675   195.86.22.54,80     4/4  tcp    145   45292  90:04:42
85.147.196.239,54166  195.86.22.52,80     4/4  tcp     95   34286  119:57:45
83.82.139.218,51157   195.86.22.50,80     B/4  tcp    153   33210  0:12
80.57.132.26,60477    195.86.22.59,22     4/4  tcp    540   32296  119:59:47 (*)

Marked with * is twice.

The output of ipfstat is:

IP states added:
    1862533 TCP
    523994 UDP
    0 ICMP
    49403681 hits
    9612162 misses
    0 bucket full
    0 maximum rule references
    0 maximum
    0 no memory
    1231 bkts in use
    2496 active
    523940 expired
    1860091 closed
State logging enabled

State table bucket statistics:
1231 in use 49% hash efficiency
    1.89% bucket usage
    0 minimal length
    4 maximal length
    2.028 average length

TCP Entries per state
     0     1     2     3     4     5     6     7     8     9    10    11
     0     0    24     0  1017   556    12     0    10     0   332   491

In this output I see that 1231 buckets are in use. Does that mean that there are 1231 connections for which state-information is kept in memory?

No.  It is hash table terminology.

I see that there are 2496 'active'. Does that mean that there are 2496 hashes which point to the 1231 connections? Is that the (1231/2496) = 49% hash efficiency?

No and yes.

So does ipfstat -t take the hash-entries and show the information found in the buckets? Does that explain why the output of ipfstat -t shows connections twice?
Is this behavior by design or should I worry about it?

hmmm... so it could be the mechanism used to get state entries out
of the kernel is walking through a very active list and that it changes
between the first and the n-th, displaying an entry twice.

Darren
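To check a state dump for the doubled entries discussed in this thread without reading it by eye, here is an added example (not code from the thread or from IPFilter): a small Python script that parses ipfstat -t rows, reports every protocol/source/destination triple listed more than once, and reproduces the bucket arithmetic (hash efficiency and average chain length) from the ipfstat statistics. The sample rows are constructed from the ones quoted above; on a live box you would feed it the saved output of ipfstat -t instead.

```python
"""Find flows that appear more than once in `ipfstat -t` output.

Added example for the IPFilter state-table discussion; the sample
below is constructed from the rows quoted in the thread.
"""
from collections import Counter

# Constructed sample: header plus six data rows taken from the thread
# (the author's "(*)" markers are not part of ipfstat output and are
# omitted here).
SAMPLE = """\
Source IP Destination IP ST PR #pkts #bytes ttl
80.60.81.93,1363 195.86.22.59,587 B/6 tcp 173 202746 0:13
80.57.132.26,60464 195.86.22.53,22 4/4 tcp 2393 147824 119:59:59
80.60.81.93,1363 195.86.22.59,587 B/6 tcp 88 101445 0:13
80.57.132.26,60477 195.86.22.59,22 4/4 tcp 1077 64400 119:59:47
83.82.139.218,51157 195.86.22.50,80 B/4 tcp 153 33210 0:12
80.57.132.26,60477 195.86.22.59,22 4/4 tcp 540 32296 119:59:47
"""


def parse_state_rows(text):
    """Return (src, dst, state, proto, pkts, bytes, ttl) per data row,
    skipping the header and anything that does not have seven fields."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7 or parts[3] not in ("tcp", "udp", "icmp"):
            continue
        src, dst, state, proto, pkts, nbytes, ttl = parts
        rows.append((src, dst, state, proto, int(pkts), int(nbytes), ttl))
    return rows


def duplicated_flows(rows):
    """Map (proto, src, dst) -> number of rows, for triples seen > 1 time."""
    counts = Counter((r[3], r[0], r[1]) for r in rows)
    return {key: n for key, n in counts.items() if n > 1}


def hash_efficiency(buckets_in_use, active):
    """Percent of active states that own their own bucket (1231/2496 -> ~49%)."""
    return 100.0 * buckets_in_use / active


def average_chain_length(buckets_in_use, active):
    """Active states per bucket in use (2496/1231 -> ~2.028)."""
    return active / buckets_in_use


if __name__ == "__main__":
    for key, n in duplicated_flows(parse_state_rows(SAMPLE)).items():
        print(f"{n}x {key[0]} {key[1]} -> {key[2]}")
```

A flow that shows up twice with different packet and byte counters, as both pairs in the sample do, is consistent with the same entry being read twice while the list moves under the dump, rather than with two independent states.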
