Re: [RFC PATCH nft 0/6] flow statement

netfilter-devel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Patrick McHardy <kaber@trash.net>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [RFC PATCH nft 0/6] flow statement
Date: Tue, 10 Nov 2015 18:22:10 +0000	[thread overview]
Message-ID: <20151110182210.GC25929@macbook.localdomain> (raw)
In-Reply-To: <20151110165156.GA3227@salvia>

On 10.11, Pablo Neira Ayuso wrote:
> Hi Patrick,
> 
> On Fri, Nov 06, 2015 at 06:34:17PM +0000, Patrick McHardy wrote:
> > The following patches add support for the flow statement, which allows to
> > dynamically instantiate stateful statements fow an arbitrary defined flow
> > key.
> >
> > Currently we have to stateful statements, counter and limit. This example
> > shows some accounting possibilities using the counter statement. Please note
> > that the output format is still WIP and not included in this patchset:
> >
> > # nft filter input flow table test iif . tcp flags counter
> 
> This looks very good to me :-).
> 
> > # nft list flow table filter test
> > iface_index	tcp_flag	statement
> > lo		fin | psh | urg	counter packets 1002 bytes 40080
> > wlp2s0		fin | ack	counter packets 3 bytes 156
> > wlp2s0		ack		counter packets 32 bytes 18440
> > wlp2s0		syn | ack 	counter packets 5 bytes 300
> > wlp2s0		psh | ack	counter packets 57 bytes 13804
> > lo		rst | ack	counter packets 998 bytes 39920
> > 
> > # nft filter output flow table uidacct skuid . oif . ip protocol counter
> > # nft list flow table filter uidacct
> 
> BTW, I can see the content is currently listed (in the non-pretty
> output format) through:
> 
>         nft list set filter test
> 
> so I can see how that flow table gets populated with entries.

Yes, for now this is not explicitly surpressed.

> >From the syntax perspective, I'm aware this the general definition in
> the industry for this is 'flow table' but my only concern here with
> this denomination is that we already have in our own tables with quite
> different semantics.

You mean our rule tables? Yeah, but this is explicitly qualified as
"flow" table. I don't really think there is much room for confusion.

I'm open to suggestions of course.

> Moreover, the fact that we can list this as sets (since they are
> actually using the generic nf_tables set infrastructure) may be
> confusing to users.

That is only until we have explicit listing for these. I'll hide them
from the set view then.

> BTW, should we have implicit and explicit flow tables just like sets?

So far explicit flow tables don't make sense since the kernel enforces
that only a single binding exists. I've added this since the desired
semantics of shared flow tables have to be hashed out first and I didn't
want to commit to something without thinking it through.

next prev parent reply	other threads:[~2015-11-10 18:22 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-11-06 18:34 [RFC PATCH nft 0/6] flow statement Patrick McHardy
2015-11-06 18:34 ` [RFC PATCH nft 1/6] set: allow non-constant implicit set declarations Patrick McHardy
2015-11-06 18:34 ` [RFC PATCH nft 2/6] set: explicitly supply name to " Patrick McHardy
2015-11-06 18:34 ` [RFC PATCH nft 3/6] netlink_delinearize: support parsing individual expressions not embedded in rules Patrick McHardy
2015-11-06 18:34 ` [RFC PATCH nft 4/6] set_elem: parse expressions attached to set elements Patrick McHardy
2015-11-11 12:37   ` Pablo Neira Ayuso
2015-11-11 16:18     ` Patrick McHardy
2015-11-06 18:34 ` [RFC PATCH nft 5/6] stmt: allow to generate stateful statements outside of rule context Patrick McHardy
2015-11-06 18:34 ` [RFC PATCH nft 6/6] nft: add flow statement Patrick McHardy
2015-11-10 16:51 ` [RFC PATCH nft 0/6] " Pablo Neira Ayuso
2015-11-10 17:59   ` Bjørnar Ness
2015-11-10 18:23     ` Patrick McHardy
2015-11-10 18:26       ` Pablo Neira Ayuso
2015-11-10 18:22   ` Patrick McHardy [this message]
2015-11-16 13:00 ` Pablo Neira Ayuso

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20151110182210.GC25929@macbook.localdomain \
    --to=kaber@trash.net \
    --cc=netfilter-devel@vger.kernel.org \
    --cc=pablo@netfilter.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).