From: Patrick McHardy <kaber@trash.net>
To: pablo@netfilter.org
Cc: netfilter-devel@vger.kernel.org
Subject: [RFC PATCH nft 0/6] flow statement
Date: Fri, 6 Nov 2015 18:34:17 +0000
Message-ID: <1446834863-18610-1-git-send-email-kaber@trash.net>
The following patches add support for the flow statement, which allows to
dynamically instantiate stateful statements for an arbitrary defined flow
key.
Currently we have two stateful statements, counter and limit. This example
shows some accounting possibilities using the counter statement. Please note
that the output format is still WIP and not included in this patchset:
  # nft filter input flow table test iif . tcp flags counter
  # nft list flow table filter test
  iface_index  tcp_flag         statement
  lo           fin | psh | urg  counter packets 1002 bytes 40080
  wlp2s0       fin | ack        counter packets 3 bytes 156
  wlp2s0       ack              counter packets 32 bytes 18440
  wlp2s0       syn | ack        counter packets 5 bytes 300
  wlp2s0       psh | ack        counter packets 57 bytes 13804
  lo           rst | ack        counter packets 998 bytes 39920

  # nft filter output flow table uidacct skuid . oif . ip protocol counter
  # nft list flow table filter uidacct
  uid     iface_index  inet_proto  statement
  root    wlp2s0       udp         counter packets 9 bytes 1892
  root    wlp2s0       tcp         counter packets 5 bytes 348
  chrony  wlp2s0       udp         counter packets 1 bytes 76
  kaber   wlp2s0       tcp         counter packets 103 bytes 27038
  kaber   wlp2s0       icmp        counter packets 2 bytes 168
  kaber   wlp2s0       udp         counter packets 5 bytes 4267
  kaber   lo           icmp        counter packets 4 bytes 336
For hashlimit, you'd use (in this example "srcip" mode) to limit new ssh
connections to 10/second for each source IP:

  # nft filter input tcp dport ssh ct state new \
        flow table ssh ip saddr limit 10/second
Timeouts, size limitations and all other set options are supported.
Regarding the missing parts, for proper formatting of the output and making
it sortable, we need to move direct output to printing to buffers. I have
patches which do that and also add generic indentation support, but they are
not suitable for upstream yet.
Comments welcome.
Cheers,
Patrick
Patrick McHardy (6):
set: allow non-constant implicit set declarations
set: explicitly supply name to implicit set declarations
netlink_delinearize: support parsing individual expressions not
embedded in rules
set_elem: parse expressions attached to set elements
stmt: allow to generate stateful statements outside of rule context
nft: add flow statement
include/expression.h | 1 +
include/linux/netfilter/nf_tables.h | 5 ++
include/netlink.h | 5 +-
include/rule.h | 1 +
include/statement.h | 13 ++++
src/evaluate.c | 48 ++++++++++++--
src/expression.c | 6 ++
src/netlink.c | 2 +
src/netlink_delinearize.c | 110 ++++++++++++++++++++++---------
src/netlink_linearize.c | 125 +++++++++++++++++++++++++-----------
src/parser_bison.y | 38 +++++++++++
src/scanner.l | 2 +
src/statement.c | 43 ++++++++++++-
13 files changed, 326 insertions(+), 73 deletions(-)
--
2.4.3
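The two use cases in the cover letter, per-key counters and a per-source-IP limit instantiated on first sight of a key, can be modelled in a few dozen lines. The following is an added illustration written for this page, not code from the nft patch series or from the netfilter project: the `FlowTable`, `Counter` and `Limit` classes, the packet tuple and all sample traffic are constructed here, and the limit is modelled as a plain token bucket whose burst equals the rate, which is an assumption about the semantics rather than a statement about nft's own limit implementation. Entry expiry stands in for the "timeout" set option the letter says is supported.

```python
"""Model of the flow statement: a table keyed by an arbitrary flow key in
which a stateful statement is created the first time a key is seen.
Added example for this page; not the nft implementation. Sample packets
and timings below are constructed."""

from collections import namedtuple

# Constructed packet shape: ingress interface, source address, TCP flags, length.
Packet = namedtuple("Packet", "iif saddr tcp_flags length")


class Counter:
    """Per-key packet/byte accounting; a counter never rejects a packet."""

    def __init__(self):
        self.packets = 0
        self.bytes = 0

    def apply(self, pkt, now):
        self.packets += 1
        self.bytes += pkt.length
        return True


class Limit:
    """Per-key token bucket: `rate` tokens per second, burst == rate.
    (Assumption made for this model, not a claim about nft's limit.)"""

    def __init__(self, rate):
        self.rate = rate
        self.capacity = rate
        self.tokens = float(rate)
        self.last = None

    def apply(self, pkt, now):
        if self.last is not None:
            self.tokens = min(self.capacity,
                              self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class FlowTable:
    """Maps key_fn(packet) -> [statement, last_seen]; statements are
    instantiated dynamically and dropped once idle longer than `timeout`."""

    def __init__(self, key_fn, stmt_factory, timeout=None):
        self.key_fn = key_fn
        self.stmt_factory = stmt_factory
        self.timeout = timeout
        self.entries = {}

    def _expire(self, now):
        if self.timeout is None:
            return
        stale = [k for k, (_, seen) in self.entries.items()
                 if now - seen > self.timeout]
        for k in stale:
            del self.entries[k]

    def process(self, pkt, now):
        """Apply the key's statement to pkt; True means the statement matched."""
        self._expire(now)
        key = self.key_fn(pkt)
        entry = self.entries.get(key)
        if entry is None:
            entry = self.entries[key] = [self.stmt_factory(), now]
        entry[1] = now
        return entry[0].apply(pkt, now)


# Equivalent of "flow table test iif . tcp flags counter".
def tcp_flag_accounting(packets):
    table = FlowTable(lambda p: (p.iif, p.tcp_flags), Counter)
    for i, p in enumerate(packets):
        table.process(p, now=float(i))
    return {k: (e[0].packets, e[0].bytes) for k, e in table.entries.items()}


# Equivalent of "flow table ssh ip saddr limit 10/second" on new connections.
def ssh_rate_limit(timed_packets, rate=10, timeout=60):
    table = FlowTable(lambda p: p.saddr, lambda: Limit(rate), timeout=timeout)
    return [table.process(p, t) for p, t in timed_packets]


# Constructed sample traffic.
SAMPLE_PACKETS = [
    Packet("lo", "127.0.0.1", "syn", 60),
    Packet("wlp2s0", "10.0.0.5", "ack", 52),
    Packet("lo", "127.0.0.1", "syn", 60),
]


def sample_ssh_burst():
    """12 SYNs from one host at t=0, one from a second host, then one more
    from the first host a second later."""
    a = Packet("wlp2s0", "10.0.0.5", "syn", 60)
    b = Packet("wlp2s0", "10.0.0.6", "syn", 60)
    return [(a, 0.0)] * 12 + [(b, 0.0), (a, 1.0)]


if __name__ == "__main__":
    print(tcp_flag_accounting(SAMPLE_PACKETS))
    print(ssh_rate_limit(sample_ssh_burst()))
```

Running it shows the two behaviours the letter describes: the counter table ends up with one entry per (interface, flags) key, and the limit admits only the first ten SYNs per source address within a second while a different source gets its own fresh bucket; a key that stays idle past the timeout is removed and gets a new statement on its next packet.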