Hello,

I am using IPF v4.1.28 on FreeBSD 7. The firewall is working stably and does what it is supposed to do. So no problems there.

The following, however, I don't expect: in the ipfstat -t output I see the same connections (source-ip, port <--> destination-ip, port) twice.
For example (part of output ipfstat -t):

Source IP             Destination IP      ST   PR   #pkts  #bytes  ttl
80.60.81.93,1363      195.86.22.59,587    B/6  tcp  173    202746  0:13
80.57.132.26,60464    195.86.22.53,22     4/4  tcp  2393   147824  119:59:59
80.60.81.93,1363      195.86.22.59,587    B/6  tcp  88     101445  0:13
80.57.132.26,60477    195.86.22.59,22     4/4  tcp  1077   64400   119:59:47 (*)
77.162.155.20,49808   195.86.22.50,80     4/4  tcp  203    54140   119:59:17
77.162.155.20,49807   195.86.22.50,80     4/4  tcp  173    45966   119:59:16
80.57.132.26,56603    195.86.22.50,80     4/4  tcp  429    45716   96:09:25
78.171.174.130,1675   195.86.22.54,80     4/4  tcp  145    45292   90:04:42
85.147.196.239,54166  195.86.22.52,80     4/4  tcp  95     34286   119:57:45
83.82.139.218,51157   195.86.22.50,80     B/4  tcp  153    33210   0:12
80.57.132.26,60477    195.86.22.59,22     4/4  tcp  540    32296   119:59:47 (*)

The entries marked with * appear twice.

The output of ipfstat is:

IP states added:
        1862533 TCP
        523994 UDP
        0 ICMP
        49403681 hits
        9612162 misses
        0 bucket full
        0 maximum rule references
        0 maximum
        0 no memory
        1231 bkts in use
        2496 active
        523940 expired
        1860091 closed
State logging enabled

State table bucket statistics:
        1231 in use     
        49% hash efficiency
        1.89% bucket usage
        0 minimal length
        4 maximal length
        2.028 average length

TCP Entries per state
state:    0    1    2    3    4    5    6    7    8    9   10   11
count:    0    0   24    0 1017  556   12    0   10    0  332  491

In this output I see that 1231 buckets are in use. Does that mean that there are 1231 connections for which state information is kept in memory? I see that there are 2496 'active'. Does that mean that there are 2496 hashes which point to the 1231 connections? Is that the (1231/2496) = 49% hash efficiency?

So does ipfstat -t take the hash entries and show the information found in the buckets? Does that explain why the output of ipfstat -t shows connections twice?
Is this behaviour by design, or should I worry about it?

Greetings,

Rene van Hoek

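The check a practitioner would want here, as an added example (not code from the post or from IPFilter): parse a captured state listing in the `ipfstat -t` column layout quoted above, group rows by their 5-tuple (protocol, source IP/port, destination IP/port), and report every tuple that appears more than once, with the per-row packet and byte counters side by side so that duplicate rows with differing counters stand out. The sample input is constructed from the rows in the post, re-typed one per line. The bucket arithmetic is an assumption inferred from the post's own numbers (1231 in use, 2496 active give 49% and an average length of 2.028 when computed as in-use/active and active/in-use), not taken from the ipfstat source; the function names are mine.

```python
"""Flag duplicate 5-tuples in an `ipfstat -t` state listing and check the
bucket statistics against each other.  Added example, not from the post."""
import re
from collections import defaultdict

# Constructed sample: the ipfstat -t rows quoted in the post, one per line.
SAMPLE_STATE_TABLE = """\
Source IP             Destination IP      ST   PR   #pkts  #bytes  ttl
80.60.81.93,1363      195.86.22.59,587    B/6  tcp  173    202746  0:13
80.57.132.26,60464    195.86.22.53,22     4/4  tcp  2393   147824  119:59:59
80.60.81.93,1363      195.86.22.59,587    B/6  tcp  88     101445  0:13
80.57.132.26,60477    195.86.22.59,22     4/4  tcp  1077   64400   119:59:47 (*)
77.162.155.20,49808   195.86.22.50,80     4/4  tcp  203    54140   119:59:17
77.162.155.20,49807   195.86.22.50,80     4/4  tcp  173    45966   119:59:16
80.57.132.26,56603    195.86.22.50,80     4/4  tcp  429    45716   96:09:25
78.171.174.130,1675   195.86.22.54,80     4/4  tcp  145    45292   90:04:42
85.147.196.239,54166  195.86.22.52,80     4/4  tcp  95     34286   119:57:45
83.82.139.218,51157   195.86.22.50,80     B/4  tcp  153    33210   0:12
80.57.132.26,60477    195.86.22.59,22     4/4  tcp  540    32296   119:59:47 (*)
"""

# Constructed sample: the relevant lines of the plain `ipfstat` summary.
SAMPLE_SUMMARY = """\
        1231 bkts in use
        2496 active
State table bucket statistics:
        1231 in use
        49% hash efficiency
"""

# One state row: "src,sport dst,dport ST PR #pkts #bytes ttl [marker]".
ROW_RE = re.compile(
    r"^(?P<src>[\d.]+),(?P<sport>\d+)\s+(?P<dst>[\d.]+),(?P<dport>\d+)\s+"
    r"(?P<state>\S+)\s+(?P<proto>\w+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+"
    r"(?P<ttl>[\d:]+)"
)


def parse_state_table(text):
    """Return one dict per parseable row; the header and junk lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        for field in ("sport", "dport", "pkts", "bytes"):
            row[field] = int(row[field])
        rows.append(row)
    return rows


def flow_key(row):
    """The 5-tuple that identifies a state entry."""
    return (row["proto"], row["src"], row["sport"], row["dst"], row["dport"])


def find_duplicate_flows(rows):
    """Map each 5-tuple that occurs more than once to all of its rows."""
    by_flow = defaultdict(list)
    for row in rows:
        by_flow[flow_key(row)].append(row)
    return {key: group for key, group in by_flow.items() if len(group) > 1}


def parse_summary(text):
    """Extract (buckets in use, active entries) from plain `ipfstat` output."""
    in_use = int(re.search(r"(\d+)\s+bkts in use", text).group(1))
    active = int(re.search(r"(\d+)\s+active", text).group(1))
    return in_use, active


def bucket_stats(in_use, active):
    """Recompute the derived bucket figures (assumed formulas, see lead-in)."""
    return {
        "hash_efficiency_pct": in_use * 100 // active,   # 49 for the post
        "avg_chain_len": round(active / in_use, 3),      # 2.028 for the post
    }


def report(text):
    """Human-readable listing of duplicated 5-tuples with their counters."""
    lines = []
    for key, group in sorted(find_duplicate_flows(parse_state_table(text)).items()):
        proto, src, sport, dst, dport = key
        counters = ", ".join(f"{r['pkts']} pkts/{r['bytes']} bytes" for r in group)
        lines.append(f"{proto} {src}:{sport} -> {dst}:{dport} x{len(group)}: {counters}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_STATE_TABLE)))
    print(bucket_stats(*parse_summary(SAMPLE_SUMMARY)))
```

Run against the rows in the post, the report lists two duplicated tuples, not one: the starred 80.57.132.26,60477 -> 195.86.22.59,22 pair and also 80.60.81.93,1363 -> 195.86.22.59,587, each with different packet and byte counters per row. Paste a captured copy of your own listing into `parse_state_table` to see how many tuples repeat over time; that count, rather than a single snapshot, is what tells you whether the doubling is a display artefact or a growing table.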