You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
In YANET, we currently have support for counters on each rule (a.k.a. acl counters). However, due to the packet firewall rule lookup happening 'top-down' (yes, our ruleset lookup is constant time, but during compilation, a structure is reproduced as if the packet honestly traverses the ruleset), these acl counters have a significant drawback:
Consider the scenario where we have rule1 and rule2; rule2 intersects with rule1 by mask, and rule1 is positioned higher in the ruleset than rule2.
If a packet passing through the firewall falls into the intersection of masks, it will terminate at rule1, and the acl counters will only be increased for this rule. Consequently, false positive conclusions may arise, indicating that the rule2 is inactive. We aim to avoid this.
Proposed Solution:
Introduce rules of the form add count from IPFW with a slight enhancement: append the counter name to the count separated by a colon.
Example: add count:counter_name <proto> from <src> to <dst>
This enhancement would provide a more accurate reflection of the active rules and prevent misleading interpretations.
The text was updated successfully, but these errors were encountered:
In
YANET, we currently have support for counters on each rule (a.k.a.acl counters). However, due to the packet firewall rulelookuphappening 'top-down' (yes, our rulesetlookupis constant time, but during compilation, a structure is reproduced as if the packet honestly traverses the ruleset), theseacl countershave a significant drawback:Consider the scenario where we have
rule1andrule2;rule2intersects withrule1by mask, andrule1is positioned higher in the ruleset thanrule2.If a packet passing through the firewall falls into the intersection of masks, it will terminate at
rule1, and theacl counterswill only be increased for this rule. Consequently,false positiveconclusions may arise, indicating that therule2is inactive. We aim to avoid this.Proposed Solution:
Introduce rules of the form
add countfromIPFWwith a slight enhancement: append the counter name to thecountseparated by a colon.Example:
add count:counter_name <proto> from <src> to <dst>This enhancement would provide a more accurate reflection of the active rules and prevent misleading interpretations.
The text was updated successfully, but these errors were encountered: