From: Luciano Coelho <luciano.coelho@nokia.com>
To: ext Jan Engelhardt <jengelh@medozas.de>
Cc: "kaber@trash.net" <kaber@trash.net>, "netfilter-devel@vger.kernel.org" <netfilter-devel@vger.kernel.org>
Subject: Re: [PATCH] netfilter: xtables: inclusion of xt_condition
Date: Fri, 16 Jul 2010 15:16:01 +0300
Message-ID: <1279282561.1603.73.camel@powerslave>
In-Reply-To: <alpine.LSU.2.01.1007161353060.18961@obet.zrqbmnf.qr>
On Fri, 2010-07-16 at 13:54 +0200, ext Jan Engelhardt wrote:
> On Friday 2010-07-16 13:31, Luciano Coelho wrote:
> >
> >> >As you may have seen in my earlier rfc email, I'm interested in
> >> >something similar to the condition match. I'm not sure whether the best
> >> >approach is to create a CONDITION target where we can set the condition
> >> >variable in the iptables itself or if it is better to create a new
> >> >"variable match" and an accompanying "VARIABLE target" that keeps the
> >> >variables in memory, instead of using procfs.
> >>
> >> procfs is in memory :)
> >
> >Yes, of course, but I meant without exporting it to procfs. ;) That
> >would probably make the code a lot simpler (actually I can't imagine a
> >simpler match/target than a "variable" match/target ;)
>
> Well, if not procfs, what should influence this anonymous variable?
> The weather? (No really, that came up at last NFWS. Using a userspace
> program, you can write into the procfs file and thus firewall based upon
> storm and thunder....)
Heh! :)
What I need is a state variable that is set and read by netfilter
tables. The idea is to have a state variable high_throughput that will
be set to true (high) or false (low) depending on the rateest results.
This would be used to prevent multiple NFLOG events for the same state
(say, "HIGH") from being sent to userspace.
This is similar to what you propose with the condition match:
> With xt_condition that should not be a problem
> (-A INPUT -m condition --name ruleXYZ -j NFLOG..)
> This is settable through procfs.
But without depending on userspace to change the condition value. I
could have rules like this to change the condition:
-A INPUT -j throughput
-A above -m condition --name hi_thru -j RETURN
-A above -m rateest --rateest throughput --rateest-bps1 0bit --rateest-bps2 1000bit --rateest-gt -j NFLOG --nflog-prefix "HIGH"
-A above -m rateest --rateest throughput --rateest-bps1 0bit --rateest-bps2 1000bit --rateest-gt -j CONDITION --name hi_thru --set 1
-A below -m condition ! --name hi_thru -j RETURN
-A below -m rateest --rateest throughput --rateest-bps1 0bit --rateest-bps2 1000bit --rateest-lt -j NFLOG --nflog-prefix "LOW"
-A below -m rateest --rateest throughput --rateest-bps1 0bit --rateest-bps2 1000bit --rateest-lt -j CONDITION --name hi_thru --set 0
-A throughput -j RATEEST --rateest-name throughput --rateest-interval 250.0ms --rateest-ewmalog 500.0ms
-A throughput -j above
-A throughput -j below
--
Cheers,
Luca.
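As an added illustration (not code from this thread, and not the xt_RATEEST, xt_rateest or xt_condition modules themselves), the Python model below walks the proposed throughput/above/below chains over constructed per-interval byte counts, so the "one NFLOG per state change" property of the rule-set can be checked against the naive per-packet version. The class and function names are this example's own, and the EWMA weighting is an assumed approximation of RATEEST's 250 ms interval / 500 ms ewmalog averaging, not the kernel's exact arithmetic.

```python
"""Model of the edge-triggered HIGH/LOW NFLOG scheme from the mail above.

Added example, not code from the thread and not the xt_RATEEST, xt_rateest
or xt_condition modules. It walks the proposed throughput/above/below
chains in Python so the "one NFLOG per state change" property can be
checked on constructed input. RateEstimator, Firewall, naive_nflog and
stateful_nflog are this example's own names; the EWMA weight is an assumed
approximation of --rateest-interval 250.0ms / --rateest-ewmalog 500.0ms.
"""
from dataclasses import dataclass, field

THRESHOLD_BPS = 1000.0   # --rateest-bps2 1000bit in the proposed rules
INTERVAL_S = 0.25        # --rateest-interval 250.0ms
EWMALOG_S = 0.5          # --rateest-ewmalog 500.0ms


class RateEstimator:
    """Stand-in for the RATEEST target: an EWMA of bits per second.

    Assumption: one update() per sampling interval, carrying the byte count
    seen in that interval, weighted by interval/ewmalog (0.5 here). The
    kernel accounts bytes per packet and recomputes on a timer; that detail
    is collapsed so that each call is one traversal of the rule-set.
    """

    def __init__(self, interval_s=INTERVAL_S, ewmalog_s=EWMALOG_S):
        self.interval_s = interval_s
        self.alpha = interval_s / ewmalog_s
        self.bps = 0.0

    def update(self, bytes_in_interval):
        sample_bps = bytes_in_interval * 8 / self.interval_s
        self.bps = (1.0 - self.alpha) * self.bps + self.alpha * sample_bps
        return self.bps


@dataclass
class Firewall:
    """The three user chains from the mail, one method per chain."""
    est: RateEstimator = field(default_factory=RateEstimator)
    hi_thru: int = 0                            # the proposed condition variable
    nflog: list = field(default_factory=list)   # NFLOG prefixes sent to userspace

    def above(self):
        if self.hi_thru:                      # -m condition --name hi_thru -j RETURN
            return
        if self.est.bps > THRESHOLD_BPS:      # -m rateest ... --rateest-gt
            self.nflog.append("HIGH")         # -j NFLOG --nflog-prefix "HIGH"
            self.hi_thru = 1                  # -j CONDITION --name hi_thru --set 1

    def below(self):
        if not self.hi_thru:                  # -m condition ! --name hi_thru -j RETURN
            return
        if self.est.bps < THRESHOLD_BPS:      # -m rateest ... --rateest-lt
            self.nflog.append("LOW")          # -j NFLOG --nflog-prefix "LOW"
            self.hi_thru = 0                  # -j CONDITION --name hi_thru --set 0

    def throughput(self, bytes_in_interval):
        """-A INPUT -j throughput: RATEEST, then above, then below."""
        self.est.update(bytes_in_interval)    # -j RATEEST --rateest-name throughput
        self.above()
        self.below()


def naive_nflog(samples):
    """Same rateest checks without the condition variable: NFLOG fires on
    every traversal while a state persists, the flood the mail wants to avoid."""
    est = RateEstimator()
    events = []
    for b in samples:
        bps = est.update(b)
        if bps > THRESHOLD_BPS:
            events.append("HIGH")
        elif bps < THRESHOLD_BPS:
            events.append("LOW")
    return events


def stateful_nflog(samples):
    """Run the proposed chains and return the NFLOG prefixes emitted."""
    fw = Firewall()
    for b in samples:
        fw.throughput(b)
    return fw.nflog


# Constructed input: bytes received per 250 ms interval. 1000 bit/s is
# 31.25 bytes per interval, so 10 B/interval is "low" and 100 B is "high".
SAMPLES = [10, 10, 100, 100, 100, 10, 10, 10, 100, 100]

if __name__ == "__main__":
    print("stateful:", stateful_nflog(SAMPLES))   # HIGH, LOW, HIGH
    print("naive:   ", naive_nflog(SAMPLES))      # one event per sample
```

On the constructed samples the stateful version logs exactly the three transitions (HIGH, LOW, HIGH) while the naive version logs once per traversal. One caveat the model makes visible: both `above` and `below` only run when a packet traverses INPUT, so if traffic stops entirely after a HIGH event, no packet arrives to drive the estimator below the threshold through the rule-set and the LOW notification waits for the next packet.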
Thread overview: 16+ messages
2010-07-16 11:10 [PATCH] netfilter: xtables: inclusion of xt_condition Luciano Coelho
2010-07-16 11:20 ` Jan Engelhardt
2010-07-16 11:31 ` Luciano Coelho
2010-07-16 11:54 ` Jan Engelhardt
2010-07-16 12:16 ` Luciano Coelho [this message]
2010-07-16 19:14 ` Jan Engelhardt
-- strict thread matches above, loose matches on Subject: below --
2010-07-17 6:32 Luciano.Coelho
2010-04-21 13:33 nf-next: condition Jan Engelhardt
2010-04-21 13:33 ` [PATCH] netfilter: xtables: inclusion of xt_condition Jan Engelhardt
2010-04-21 13:39 ` Patrick McHardy
2010-04-22 0:05 ` Jan Engelhardt
2010-04-22 10:55 ` Patrick McHardy
2010-04-22 11:14 ` Patrick McHardy
2010-04-22 11:24 ` Patrick McHardy
2010-04-22 11:27 ` Jan Engelhardt
2010-04-22 11:29 ` Patrick McHardy
2010-04-22 11:33 ` Jan Engelhardt