Date:      Mon, 23 Jul 2012 15:27:50 +1000 (EST)
From:      Ian Smith <>
To:        Eugen Konkov <>
Subject:   Re: ipfw counters for tables
Message-ID:  <>
In-Reply-To: <>
References:  <>

In freebsd-questions Digest, Vol 424, Issue 10, Message: 10
On Sun, 22 Jul 2012 14:55:46 +0300 Eugen Konkov <> wrote:

Hi Eugen,

 > I use ipfw tables to allow host access to the internet.
 > Is there a counter for matched packets/bytes for a table entry, like for
 > an ipfw rule?
 > #ipfw show 901
 > rule     packets        bytes
 > 00901  302271108  27717115967 allow ip from to any
 > #ipfw table 7 list
 > ---table(7)---
 > 100
 > No counters here (((

No, there are no individual counters for matched entries in tables.  
Apart from extra space cost, the accounting time cost would be huge; 
lookups are fast but updating radix trees per match would be very slow.

Also, a table may be referenced in multiple rules, or even twice in the 
same rule, so what could such a count really indicate?

Of course, counts for matching the table are in the rule/s concerned:

16100    58300    3060562 deny log logamount 20 ip from table(1) to any in recv ng0
16200     4449     226060 deny log logamount 20 tcp from table(25) to any dst-port 25,110 in recv ng0 setup
23000       45       2700 allow log logamount 100 tcp from table(22) to w.x.y.z dst-port 22 in recv ng0 setup

Myself, I'd be more interested in a last-match timestamp than a count 
for table entries, but that won't happen either for the above reasons :)

cheers, Ian
