Re[2]: ipfw counters for tables

2012-07-23 Thread Eugen Konkov
Hello, Ian.

You wrote on 23 July 2012, 8:27:50:

IS In freebsd-questions Digest, Vol 424, Issue 10, Message: 10
IS On Sun, 22 Jul 2012 14:55:46 +0300 Eugen Konkov kes-...@yandex.ru wrote:

IS Hi Eugen,

  I use ipfw tables to allow hosts to access the internet.
  Is there a counter for matched packets/bytes for a table entry, like for
  an ipfw rule?
  
  #ipfw show 901
  rule  packets    bytes
  00901  302271108  27717115967 allow ip from 10.10.1.3 to any
  
  #ipfw table 7 list
  ---table(7)---
  10.7.60.41/32 100
  
  No counters here (((

IS No, there are no individual counters for matched entries in tables.  
IS Apart from extra space cost, the accounting time cost would be huge; 
IS lookups are fast but updating radix trees per match would be very slow.

IS Also, a table may be referenced in multiple rules, or even twice in the
IS same rule, so what could such a count really indicate?

IS Of course, counts for matching the table are in the rule/s concerned:

IS 16100583003060562 deny log logamount 20 ip from table(1) to any in 
recv ng0
IS 16200 4449 226060 deny log logamount 20 tcp from
IS table(25) to any dst-port 25,110 in recv ng0 setup
IS 23000   45   2700 allow log logamount 100 tcp from
IS table(22) to w.x.y.z dst-port 22 in recv ng0 setup

But if the lookup function returns the matched entry, then the calling rule
may update the appropriate counter.

matchedentry= lookup_table( PACKETDATA );
updatecounter(matchedentry);

#ipfw show 16100
16100583003060562 deny *counttable* log logamount 20 ip from table(1) 
to any in recv ng0
 5300 10.5.0.1/32
   300562 10.5.0.7/32
  8000  6 10.5.0.2/32

will this be slow?


IS Myself, I'd be more interested in a last-match timestamp than a count 
IS for table entries, but that won't happen either for the above reasons :)

IS cheers, Ian




-- 
Best regards,
 Eugen  mailto:kes-...@yandex.ru

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re[2]: ipfw counters for tables

2012-07-23 Thread Ian Smith
On Mon, 23 Jul 2012 13:13:47 +0300, Eugen Konkov wrote:
  Hello, Ian.
  You wrote on 23 July 2012, 8:27:50:
  IS In freebsd-questions Digest, Vol 424, Issue 10, Message: 10
  IS On Sun, 22 Jul 2012 14:55:46 +0300 Eugen Konkov kes-...@yandex.ru 
  wrote:
  IS Hi Eugen,
  
I use ipfw tables to allow hosts to access the internet.
Is there a counter for matched packets/bytes for a table entry, like for
an ipfw rule?

#ipfw show 901
rule  packets    bytes
00901  302271108  27717115967 allow ip from 10.10.1.3 to any

#ipfw table 7 list
---table(7)---
10.7.60.41/32 100

No counters here (((
  
  IS No, there are no individual counters for matched entries in tables.  
  IS Apart from extra space cost, the accounting time cost would be huge; 
  IS lookups are fast but updating radix trees per match would be very slow.

Sorry, I was likely wrong about time cost.  Once you find an entry it's 
there for the updating, but you will have to use write locking on table 
entries, perhaps they're just read locked for lookups now?  I haven't 
read ipfw for years.  Adding new table entries is what's really slow.

  IS Also, a table may be referenced in multiple rules, or even twice in the
  IS same rule, so what could such a count really indicate?

I guess you'll know how you want to use them, so objection overruled :)

  IS Of course, counts for matching the table are in the rule/s concerned:
  
  IS 16100583003060562 deny log logamount 20 ip from table(1) to any 
  in recv ng0
  IS 16200 4449 226060 deny log logamount 20 tcp from
  IS table(25) to any dst-port 25,110 in recv ng0 setup
  IS 23000   45   2700 allow log logamount 100 tcp from
  IS table(22) to w.x.y.z dst-port 22 in recv ng0 setup

  But if the lookup function returns the matched entry, then the calling rule
  may update the appropriate counter.

Sounds like a good experiment in your local codebase, with some tests 
for speed and space costs?  64 bit counters?  Might as well store the 
32 bit timestamp too, just like the rule updating code does, I guess?

  matchedentry= lookup_table( PACKETDATA );
  updatecounter(matchedentry);

Code it up :)  Post to freebsd-ipfw@ and see what Luigi and crew say.

  #ipfw show 16100
  16100583003060562 deny *counttable* log logamount 20 ip from 
  table(1) to any in recv ng0
   5300 10.5.0.1/32
 300562 10.5.0.7/32
8000  6 10.5.0.2/32
  
  will this be slow?

Well, display is from userland ipfw, where slow isn't very relevant. 
It'll be what it adds to kernel code and memory requirements that may 
matter.  I'm not sure how you could make this feature optional, short of 
a kernel config option .. but what do I know?

  IS Myself, I'd be more interested in a last-match timestamp than a count 
  IS for table entries, but that won't happen either for the above reasons :)

I often use ipfw -t show (or -ted show) so I guess with -t or -T it may 
show last access timestamps along with packet/byte counts too, as usual?

I'll be happy to test it when you've got working patches.

cheers, Ian
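The design sketched in this thread (a lookup that returns the matched entry, and the calling rule accounting on it, with the 64-bit counters and 32-bit last-match timestamp Ian suggests), written out as a small stand-alone illustration. This is added here and is not FreeBSD or ipfw code: the table is a constructed array with a linear longest-prefix scan standing in for the kernel radix tree, addresses are host-order constants, and the atomic updates show one way to account without taking a write lock on the table.

```c
#include <stdatomic.h>
#include <stddef.h>
#include <stdint.h>

/* One table entry with the per-entry accounting the thread proposes:
 * 64-bit packet/byte counters plus a 32-bit last-match timestamp, all
 * updated atomically so a read-locked lookup path needs no write lock. */
struct tbl_entry {
    uint32_t addr, mask;          /* network and mask, host byte order */
    _Atomic uint64_t pcnt, bcnt;  /* matched packets and bytes */
    _Atomic uint32_t timestamp;   /* last match, seconds */
};

/* Constructed table (not a real ipfw table) using the addresses from
 * Eugen's mocked-up output; counters start at zero. */
static struct tbl_entry table1[] = {
    { 0x0a050001, 0xffffffff },   /* 10.5.0.1/32 */
    { 0x0a050007, 0xffffffff },   /* 10.5.0.7/32 */
    { 0x0a050000, 0xffffff00 },   /* 10.5.0.0/24 */
};
#define NENT (sizeof(table1) / sizeof(table1[0]))

/* Longest-prefix lookup; a linear scan stands in for the kernel radix tree.
 * Returns the matched entry, or NULL if nothing matches. */
struct tbl_entry *lookup_table(uint32_t addr)
{
    struct tbl_entry *best = NULL;
    for (size_t i = 0; i < NENT; i++)
        if ((addr & table1[i].mask) == table1[i].addr &&
            (best == NULL || table1[i].mask > best->mask))
            best = &table1[i];
    return best;
}

/* Eugen's sketch: the calling rule updates the counters of the entry the
 * lookup returned. Returns the entry index, or -1 when nothing matched. */
int account_packet(uint32_t src, uint32_t pktlen, uint32_t now)
{
    struct tbl_entry *e = lookup_table(src);
    if (e == NULL) return -1;
    atomic_fetch_add_explicit(&e->pcnt, 1, memory_order_relaxed);
    atomic_fetch_add_explicit(&e->bcnt, pktlen, memory_order_relaxed);
    atomic_store_explicit(&e->timestamp, now, memory_order_relaxed);
    return (int)(e - table1);
}

/* Accessors for what "ipfw -t show" would print per entry. */
uint64_t entry_pcnt(size_t i) { return atomic_load(&table1[i].pcnt); }
uint64_t entry_bcnt(size_t i) { return atomic_load(&table1[i].bcnt); }
uint32_t entry_ts(size_t i)   { return atomic_load(&table1[i].timestamp); }
```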


Re: ipfw counters for tables

2012-07-22 Thread Ian Smith
In freebsd-questions Digest, Vol 424, Issue 10, Message: 10
On Sun, 22 Jul 2012 14:55:46 +0300 Eugen Konkov kes-...@yandex.ru wrote:

Hi Eugen,

  I use ipfw tables to allow hosts to access the internet.
  Is there a counter for matched packets/bytes for a table entry, like for
  an ipfw rule?
  
  #ipfw show 901
  rule  packets    bytes
  00901  302271108  27717115967 allow ip from 10.10.1.3 to any
  
  #ipfw table 7 list
  ---table(7)---
  10.7.60.41/32 100
  
  No counters here (((

No, there are no individual counters for matched entries in tables.  
Apart from extra space cost, the accounting time cost would be huge; 
lookups are fast but updating radix trees per match would be very slow.

Also, a table may be referenced in multiple rules, or even twice in the 
same rule, so what could such a count really indicate?

Of course, counts for matching the table are in the rule/s concerned:

16100583003060562 deny log logamount 20 ip from table(1) to any in recv 
ng0
16200 4449 226060 deny log logamount 20 tcp from table(25) to any 
dst-port 25,110 in recv ng0 setup
23000   45   2700 allow log logamount 100 tcp from table(22) to w.x.y.z 
dst-port 22 in recv ng0 setup

Myself, I'd be more interested in a last-match timestamp than a count 
for table entries, but that won't happen either for the above reasons :)

cheers, Ian


ipfw counters

2007-01-01 Thread Grant Peel
Hi all,

If I have rules like:

102150   0 count ip from any to 1.2.3.4 via em0
102150   0 count ip from 1.2.3.4 to any via em0

in my ipfw rules, will the rules also count what is sent from those IPs to the 
localhost (127.0.0.1).?

(I am guessing NO, but wanted a second opinion.)


-Grant


Re: ipfw counters

2007-01-01 Thread Andrew Pantyukhin

On 1/1/07, Grant Peel [EMAIL PROTECTED] wrote:

Hi all,

If I have rules like:

102150   0 count ip from any to 1.2.3.4 via em0
102150   0 count ip from 1.2.3.4 to any via em0

in my ipfw rules, will the rules also count what is sent
from those IPs to the localhost (127.0.0.1).?

(I am guessing NO, but wanted a second opinion.)


127.0.0.1 should only be reachable via lo0, but I can
imagine a packet coming from em0 if you omit the usual
protection rules (see stock rc.firewall).


IPFW counters.

2005-09-06 Thread Grant Peel

Hi all,

I am in the midst of setting up bandwidth monitoring for all my domains and 
IPs. To do this I will be using IPFW counter rules and ipa.


Question: I have about 250 domains on each box. To monitor all of them, I 
would need to set up over 500 counter rules; how well will ipfw and FreeBSD 
(4.10 and up) handle this?


-GRant 





Re: IPFW counters.

2005-09-06 Thread Glenn Dawson

At 05:54 AM 9/6/2005, Grant Peel wrote:

Hi all,

I am in the midst of setting up bandwidth monitoring for all my 
domains and IPs. To do this I will be using IPFW counter rules and ipa.


Question: I have about 250 domains on each box. To monitor all of 
them, I would need to set up over 500 counter rules; how well will 
ipfw and FreeBSD (4.10 and up) handle this?


I tried something like that a while back and while I could create the 
rules just fine, it proved to be very impractical with the amount of 
traffic I was dealing with. (around 20Mbits/sec)


I ended up using netgraph and ng_netflow(4) to export the data to 
another machine that processed all the data.


-Glenn



-GRant


