bugzilla-daemon@netfilter.org
2003-Feb-08 03:29 UTC
[Bug 45] New: Feature: only count packets that get matched in a chain
https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=45

           Summary: Feature: only count packets that get matched in a chain
           Product: netfilter/iptables
           Version: linux-2.4.x
          Platform: i386
        OS/Version: Debian GNU/Linux
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: ip_tables (kernel)
        AssignedTo: laforge@netfilter.org
        ReportedBy: Omen.Wild@Dartmouth.EDU
                CC: netfilter-buglog@lists.netfilter.org

It would be really nice if there was some way to (optionally) only count packets in a chain that actually matched a rule /in/ that chain.

Example:

Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
3      981  3155 IPSEC      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain IPSEC (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1       10    10 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0 ...
2        0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0
3        0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0

All packets get filtered through the IPSEC chain, but only a few of them actually get matched, but the main counter shows all the packets that went into the chain, not the packets that actually got matched in the chain.

Basically, I would like some way to decrement the chain's packet count if the filtering returns without matching. An extra command line option that showed both total packets to pass through the chain and packets matched in the chain would be great.

Thanks,
Omen

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
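The two numbers the report asks for can be derived in userspace from an exact-counter listing. The script below is an added example, not part of the original report or of iptables: it parses `iptables -L -n -v -x --line-numbers` output and compares packets sent into a chain with packets that received a verdict inside it. The names `parse_chains`, `chain_report` and `VERDICTS` are hypothetical, the sample listing is constructed from the counters quoted above, and every rule is assumed to have a target.

```python
import re

# Constructed sample in `iptables -L -n -v -x --line-numbers` format, using
# the counter values from the report above (only one of the two rules that
# reference IPSEC is shown there).
SAMPLE = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
3 981 3155 IPSEC all -- * * 0.0.0.0/0 0.0.0.0/0

Chain IPSEC (2 references)
num pkts bytes target prot opt in out source destination
1 10 10 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
2 0 0 ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0
3 0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0
"""

# Assumption: only these targets end traversal of the chain. Rules with
# non-terminating targets such as LOG are left out so that a packet is not
# counted once for the LOG rule and again for the rule that decides it.
VERDICTS = {"ACCEPT", "DROP", "REJECT", "QUEUE"}

def parse_chains(listing):
    """Return {chain: [(pkts, target), ...]} from an exact-counter listing."""
    chains, current = {}, None
    for line in listing.splitlines():
        header = re.match(r"Chain (\S+) \(", line)
        if header:
            current = chains.setdefault(header.group(1), [])
            continue
        fields = line.split()
        # Rule rows start with the rule number; skip column headers and blanks.
        if current is None or len(fields) < 4 or not fields[0].isdigit():
            continue
        current.append((int(fields[1]), fields[3]))
    return chains

def chain_report(listing, chain):
    """Compare packets sent into `chain` with packets that got a verdict in it."""
    chains = parse_chains(listing)
    if chain not in chains:
        raise KeyError(f"chain {chain!r} not in listing")
    # Every rule, in any chain, whose target is this chain sends packets into it.
    entered = sum(pkts for rules in chains.values()
                  for pkts, target in rules if target == chain)
    matched = sum(pkts for pkts, target in chains[chain] if target in VERDICTS)
    return {"entered": entered, "matched": matched, "returned": entered - matched}

if __name__ == "__main__":
    print(chain_report(SAMPLE, "IPSEC"))
```

The counters are read from a single listing, so the result reflects one snapshot; rules whose target is another user-defined chain are not followed.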