Jason Dixon wrote:
> On Aug 27, 2006, at 7:55 AM, Federico Giannici wrote:
>
>> I'm setting up a firewall with queues and I'd like to know how much
>> traffic of a given "class" was ACTUALLY sent out of an interface (i.e.
>> not dropped by a queue). I mark the classes by means of labels.
>> I have a couple of questions:
>>
>> 1) Let's assume that every queue contains the traffic of only a single
>> class. What is the amount of traffic sent OUT of the queue? In the
>> statistics shown by "pfctl -vs queue" there are two values: one is
>> the amount of dropped traffic, and the other?
>
> The amount of passed traffic.
>
>> Is it the traffic sent OUT, or is it the traffic sent INTO the queue (so
>> I have to subtract the amount of the dropped one)?
>
> Huh?
I mean, if it was the total amount of traffic that ENTERED the queue,
then the traffic that PASSED the queue shaping would have been the
difference of the two values (total traffic - dropped traffic).
But you are saying that it is not the case...
>> 2) If the queues contain the traffic of more than one class, is there a
>> way to know the amount of traffic that actually was sent out (not
>> dropped by a queue) for every single class?
>> Do the statistics shown by "pfctl -vs labels" count the traffic that
>> ENTERED the queue, even for "pass OUT" rules?
>
> If a packet matches a rule (or an existing state that matches a rule)
> that uses the queue keyword, that packet gets assigned to the queue.
> Any passed packets (or dropped packets) that are assigned to a queue
> count towards the "passed pkts/bytes" and "dropped pkts/bytes"
> statistics shown by "pfctl -vsq".
>
> Perhaps I don't understand your question. The answer seems simple enough.
Let's change the question: is this the correct order of the steps an IP
packet follows?

1) filtering rules for the IN direction of the input interface
2) routing
3) filtering rules for the OUT direction of the output interface
4) queuing on the output interface

Is it right?
So I cannot know the amount of traffic, with a given label, that
actually passed the queue (i.e. was not dropped).
If steps 3 and 4 were inverted, that counting would be possible...

Bye.
--
Federico Giannici  [EMAIL PROTECTED]  http://www.neomedia.it
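The thread turns on what the two counters in "pfctl -vs queue" mean: the "pkts/bytes" pair is traffic that passed the queue, and "dropped pkts/bytes" is counted separately, so the traffic that entered the queue is the sum of the two, not the difference. The script below is an added example (not from the thread or from OpenBSD itself) that parses that output into per-queue passed/dropped figures, derives the offered (entered) volume and the drop ratio, and flags queues whose drop ratio exceeds a threshold. The sample text is constructed in the shape of ALTQ-era "pfctl -vs queue" output; the exact column layout is an assumption, so adjust the regular expression to whatever your pfctl version prints.

```python
import re

# Constructed sample in the shape of ALTQ-era "pfctl -vs queue" output.
# The layout is an assumption for this example, not output captured from a real box.
SAMPLE_QUEUE_STATS = """\
queue root_fxp0 bandwidth 10Mb priority 0 cbq( wrr root ) {std, http}
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
queue  std bandwidth 5Mb cbq( default )
  [ pkts:       3034  bytes:     437836  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
queue  http bandwidth 5Mb cbq( borrow )
  [ pkts:      12007  bytes:   16894212  dropped pkts:    215 bytes: 302410 ]
  [ qlength:  12/ 50 ]
"""

# A queue header line starts with "queue" followed by the queue name.
QUEUE_RE = re.compile(r"^queue\s+(\S+)")
# The counter line carries passed pkts/bytes and dropped pkts/bytes.
STATS_RE = re.compile(
    r"\[\s*pkts:\s*(\d+)\s+bytes:\s*(\d+)\s+dropped pkts:\s*(\d+)\s+bytes:\s*(\d+)\s*\]"
)


def parse_queue_stats(text):
    """Map each queue name to its passed and dropped packet/byte counters."""
    stats = {}
    current = None
    for line in text.splitlines():
        header = QUEUE_RE.match(line)
        if header:
            current = header.group(1)
            continue
        counters = STATS_RE.search(line)
        if counters and current is not None:
            passed_pkts, passed_bytes, dropped_pkts, dropped_bytes = map(int, counters.groups())
            stats[current] = {
                "passed_pkts": passed_pkts,      # left the queue onto the wire
                "passed_bytes": passed_bytes,
                "dropped_pkts": dropped_pkts,    # discarded by the queue discipline
                "dropped_bytes": dropped_bytes,
            }
    return stats


def offered_bytes(entry):
    """Bytes that entered the queue: passed plus dropped (no subtraction involved)."""
    return entry["passed_bytes"] + entry["dropped_bytes"]


def drop_ratio(entry):
    """Fraction of offered bytes the queue discarded; 0.0 for an idle queue."""
    total = offered_bytes(entry)
    return entry["dropped_bytes"] / total if total else 0.0


def queues_over_threshold(stats, max_ratio):
    """Names of queues whose drop ratio exceeds max_ratio, for alerting."""
    return sorted(name for name, entry in stats.items() if drop_ratio(entry) > max_ratio)


if __name__ == "__main__":
    parsed = parse_queue_stats(SAMPLE_QUEUE_STATS)
    for name, entry in parsed.items():
        print(f"{name:10s} passed={entry['passed_bytes']:>10d}B "
              f"dropped={entry['dropped_bytes']:>8d}B "
              f"offered={offered_bytes(entry):>10d}B drop={drop_ratio(entry):.4f}")
    print("over 1% drops:", queues_over_threshold(parsed, 0.01))
```

Run it against live data with `pfctl -vs queue | python3 this_script.py` after replacing the constructed sample with `sys.stdin.read()`; the per-queue "offered" column is the figure the original question was after, and it only makes sense because the passed counter is already net of drops.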