bugzilla-daemon@netfilter.org
2003-Feb-08 03:29 UTC
[Bug 45] New: Feature: only count packets that get matched in a chain
https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=45
Summary: Feature: only count packets that get matched in a chain
Product: netfilter/iptables
Version: linux-2.4.x
Platform: i386
OS/Version: Debian GNU/Linux
Status: NEW
Severity: enhancement
Priority: P2
Component: ip_tables (kernel)
AssignedTo: laforge@netfilter.org
ReportedBy: Omen.Wild@Dartmouth.EDU
CC: netfilter-buglog@lists.netfilter.org
It would be really nice if there was some way to (optionally) only count packets
in a chain that actually matched a rule /in/ that chain. Example:

Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
3      981  3155 IPSEC      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain IPSEC (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1       10    10 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0 ...
2        0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0
3        0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0

All packets get filtered through the IPSEC chain, but only a few of them
actually get matched, but the main counter shows all the packets that went into
the chain, not the packets that actually got matched in the chain. Basically, I
would like some way to decrement the chain's packet count if the filtering
returns without matching. An extra command line option that showed both total
packets to pass through the chain and packets matched in the chain would be
great.
Thanks,
Omen
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
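
Added example (not part of the original report and not netfilter code): the figure the report asks for can be approximated from an existing listing by comparing the counter on each jump rule with the sum of the counters on the terminating rules inside the target chain. The sample listing is reconstructed from the report; the `TERMINATING` set and the function names are assumptions of this example.

```python
import re

# Constructed sample: the report's listing (iptables -L -v -n --line-numbers), "..." dropped.
SAMPLE = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
3      981  3155 IPSEC      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain IPSEC (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1       10    10 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0
2        0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0
3        0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
"""

# Assumption: only these targets end traversal, so summing their counters
# never counts a packet twice (LOG and other non-terminating targets are skipped).
TERMINATING = {"ACCEPT", "DROP", "REJECT"}
SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}

def to_int(field):
    """Counter field to int; iptables abbreviates large values unless -x is given."""
    scale = SUFFIX.get(field[-1], 1)
    return int(field.rstrip("KMGT")) * scale

def parse_listing(text):
    """Return {chain: [(pkts, target), ...]} from a numbered verbose listing."""
    chains, current = {}, None
    for line in text.splitlines():
        header = re.match(r"Chain (\S+) \(", line)
        fields = line.split()
        if header:
            current = chains.setdefault(header.group(1), [])
        elif current is not None and len(fields) >= 4 and fields[0].isdigit():
            current.append((to_int(fields[1]), fields[3]))
    return chains

def chain_usage(text):
    """Return {chain: (entered, matched)} for each chain that some rule jumps to."""
    chains, usage = parse_listing(text), {}
    for name, rules in chains.items():
        jumps = [p for rs in chains.values() for p, tgt in rs if tgt == name]
        if jumps:
            usage[name] = (sum(jumps), sum(p for p, t in rules if t in TERMINATING))
    return usage

if __name__ == "__main__":
    for chain, (entered, matched) in chain_usage(SAMPLE).items():
        print(f"{chain}: entered={entered} matched={matched}")
```

Feed it `iptables -L -v -n -x --line-numbers` output so the counters are exact rather than rounded. Only jump rules present in the listing are summed, so a partial listing under-reports the packets entering a chain.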
