[Bug 45] New: Feature: only count packets that get matched in a chain
bugzilla-daemon@netfilter.org
Sat, 08 Feb 2003 04:29:41 +0100
https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=45
Summary: Feature: only count packets that get matched in a chain
Product: netfilter/iptables
Version: linux-2.4.x
Platform: i386
OS/Version: Debian GNU/Linux
Status: NEW
Severity: enhancement
Priority: P2
Component: ip_tables (kernel)
AssignedTo: laforge@netfilter.org
ReportedBy: Omen.Wild@Dartmouth.EDU
CC: netfilter-buglog@lists.netfilter.org
It would be really nice if there was some way to (optionally) only count packets
in a chain that actually matched a rule /in/ that chain. Example:
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target  prot opt in  out source     destination
3      981  3155 IPSEC   all  --  *   *   0.0.0.0/0  0.0.0.0/0

Chain IPSEC (2 references)
num   pkts bytes target  prot opt in  out source     destination
1       10    10 ACCEPT  udp  --  *   *   0.0.0.0/0  0.0.0.0/0  ...
2        0     0 ACCEPT  esp  --  *   *   0.0.0.0/0  0.0.0.0/0
3        0     0 ACCEPT  ah   --  *   *   0.0.0.0/0  0.0.0.0/0
All packets get filtered through the IPSEC chain, but only a few of them
actually get matched; the main counter shows all the packets that went into
the chain, not the packets that actually got matched in the chain. Basically, I
would like some way to decrement the chain's packet count if the filtering
returns without matching. An extra command line option that showed both total
packets to pass through the chain and packets matched in the chain would be great.
Thanks,
Omen
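The second counter the report asks for can be approximated in userspace from the counters iptables already exposes. The script below is an added example, not part of the bug report and not netfilter code: it parses a constructed snapshot in the shape of `iptables -nvxL --line-numbers` output (the chain names and counter values are made up for the example; `-x` is assumed so that counters are exact integers rather than K/M-suffixed) and, for every user-defined chain, sums the packet counters of the rules that jump into it (packets that entered the chain) and the counters of its own rules with terminating targets (packets matched in the chain). The difference is what fell back to the calling chain. Rules with an empty target column are recognised by the protocol name appearing where the target would be; that detection, and the set of targets treated as terminating, are the example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of `iptables -nvxL --line-numbers` output.
# The counters are illustrative; they are not the reporter's real numbers.
SAMPLE = """\
Chain INPUT (policy DROP 5 packets, 400 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      981  3155 IPSEC      all  --  *      *       0.0.0.0/0            0.0.0.0/0
2      200 16000 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       40  3200 IPSEC      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain IPSEC (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1       10   800 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:500 LOG flags 0 level 4
2       10   800 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:500
3        0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0
4        0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
"""

BUILTIN = {"INPUT", "OUTPUT", "FORWARD", "PREROUTING", "POSTROUTING"}
# Targets that end traversal for the packet: hitting one of these inside a
# chain is "matched in the chain" in the sense of the report. LOG, MARK and
# rules with no target fall through, so they are deliberately not listed.
# (Assumed set for this example.)
TERMINATING = {"ACCEPT", "DROP", "REJECT", "QUEUE"}
# Used to detect a rule whose target column is empty (assumed list).
PROTOCOLS = {"all", "tcp", "udp", "icmp", "esp", "ah", "sctp", "udplite"}

CHAIN_RE = re.compile(r"^Chain (\S+) \(")
RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+)")


def parse_chains(listing):
    """Return {chain: [(pkts, target), ...]} from `iptables -nvxL --line-numbers` text."""
    chains = {}
    current = None
    for line in listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        if current is None or line.startswith("num") or not line.strip():
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        pkts, fourth = int(m.group(2)), m.group(4)
        # With no target, the protocol is printed where the target would be.
        target = "" if fourth in PROTOCOLS or fourth.isdigit() else fourth
        chains[current].append((pkts, target))
    return chains


def chain_stats(chains):
    """Per user-defined chain: packets that entered it, packets that hit a
    terminating target inside it, and the remainder that returned to the caller.

    'fell_through' is an upper bound: it also contains packets that this chain
    handed to a further user chain and that were terminated there, and packets
    hit by an explicit RETURN rule."""
    entered = defaultdict(int)
    for rules in chains.values():
        for pkts, target in rules:
            if target in chains and target not in BUILTIN:
                entered[target] += pkts
    stats = {}
    for name, rules in chains.items():
        if name in BUILTIN:
            continue
        matched = sum(p for p, t in rules if t in TERMINATING)
        stats[name] = {
            "entered": entered[name],
            "matched": matched,
            "fell_through": entered[name] - matched,
        }
    return stats


if __name__ == "__main__":
    for chain, s in chain_stats(parse_chains(SAMPLE)).items():
        print(f"{chain}: entered={s['entered']} matched={s['matched']} "
              f"fell_through={s['fell_through']}")
```

Run against the sample, the IPSEC chain reports 1021 packets entered (981 from INPUT plus 40 from FORWARD) and only 10 matched; the LOG rule's counter is ignored because the packet continues to the next rule after logging. Against a live system, feed it the output of `iptables -nvxL --line-numbers` for one table; mixing tables would miscount, since the same chain name can exist in several tables.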