* [PATCH libnftnl 1/6] src: ct: add packet and byte counter support
2016-01-08 9:42 [PATCH nft 0/6] add support for conntrack counters Florian Westphal
@ 2016-01-08 9:42 ` Florian Westphal
2016-01-08 9:42 ` [PATCH nft 2/6] nft: swap key and direction in ct_dir syntax Florian Westphal
` (5 subsequent siblings)
6 siblings, 0 replies; 8+ messages in thread
From: Florian Westphal @ 2016-01-08 9:42 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
Signed-off-by: Florian Westphal <fw@strlen.de>
---
include/linux/netfilter/nf_tables.h | 2 ++
src/expr/ct.c | 4 +++-
2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index f77693b..7091d91 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -755,6 +755,8 @@ enum nft_ct_keys {
NFT_CT_PROTO_SRC,
NFT_CT_PROTO_DST,
NFT_CT_LABELS,
+ NFT_CT_PKTS,
+ NFT_CT_BYTES,
};
/**
diff --git a/src/expr/ct.c b/src/expr/ct.c
index 584dffe..4bee6b1 100644
--- a/src/expr/ct.c
+++ b/src/expr/ct.c
@@ -32,7 +32,7 @@ struct nftnl_expr_ct {
#define IP_CT_DIR_REPLY 1
#ifndef NFT_CT_MAX
-#define NFT_CT_MAX (NFT_CT_LABELS + 1)
+#define NFT_CT_MAX (NFT_CT_BYTES + 1)
#endif
static int
@@ -167,6 +167,8 @@ const char *ctkey2str_array[NFT_CT_MAX] = {
[NFT_CT_PROTO_SRC] = "proto_src",
[NFT_CT_PROTO_DST] = "proto_dst",
[NFT_CT_LABELS] = "label",
+ [NFT_CT_PKTS] = "packets",
+ [NFT_CT_BYTES] = "bytes",
};
static const char *ctkey2str(uint32_t ctkey)
--
2.4.10
* [PATCH nft 2/6] nft: swap key and direction in ct_dir syntax
2016-01-08 9:42 [PATCH nft 0/6] add support for conntrack counters Florian Westphal
2016-01-08 9:42 ` [PATCH libnftnl 1/6] src: ct: add packet and byte counter support Florian Westphal
@ 2016-01-08 9:42 ` Florian Westphal
2016-01-08 9:42 ` [PATCH nft 3/6] ct: add packet/byte counter support Florian Westphal
` (4 subsequent siblings)
6 siblings, 0 replies; 8+ messages in thread
From: Florian Westphal @ 2016-01-08 9:42 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
old: ct saddr original 1.2.3.4
new: ct original saddr 1.2.3.4
The advantage is that this allows adding ct keys where direction is optional
without creating ambiguities in the parser.
So we can have
ct packets gt 42
ct original packets gt 42
Signed-off-by: Florian Westphal <fw@strlen.de>
---
src/ct.c | 13 ++++++-------
src/parser_bison.y | 6 +++---
tests/py/any/ct.t | 8 ++++++++
tests/py/ip/ct.t | 26 +++++++++++++-------------
tests/py/ip/ct.t.payload | 22 +++++++++++-----------
5 files changed, 41 insertions(+), 34 deletions(-)
diff --git a/src/ct.c b/src/ct.c
index 515e3eb..ff6cd61 100644
--- a/src/ct.c
+++ b/src/ct.c
@@ -209,19 +209,18 @@ static void ct_expr_print(const struct expr *expr)
{
const struct symbolic_constant *s;
- printf("ct %s", ct_templates[expr->ct.key].token);
-
+ printf("ct ");
if (expr->ct.direction < 0)
- return;
+ goto done;
for (s = ct_dir_tbl.symbols; s->identifier != NULL; s++) {
if (expr->ct.direction == (int) s->value) {
- printf(" %s", s->identifier);
- return;
+ printf("%s ", s->identifier);
+ break;
}
}
-
- printf(" %d", expr->ct.direction);
+ done:
+ printf("%s", ct_templates[expr->ct.key].token);
}
static bool ct_expr_cmp(const struct expr *e1, const struct expr *e2)
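Review bot: A direction value that is not found in `ct_dir_tbl` is now printed as if no direction were set, because the loop in ct_expr_print runs to its end and falls through to `done:` without emitting anything, where the removed code printed the number. The listing is what an operator reads when auditing a ruleset, and the next patch in this thread gives a direction-less counter key its own meaning (original + reply), so the printed rule could differ from the loaded one. Keeping a numeric fallback after the loop would preserve the old visibility, e.g. `if (s->identifier == NULL) printf("%d ", expr->ct.direction);`. The function's signature sits in the hunk header rather than in the hunk's own lines.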
diff --git a/src/parser_bison.y b/src/parser_bison.y
index fcd4813..0ba6f7c 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -2268,18 +2268,18 @@ ct_expr : CT ct_key
{
$$ = ct_expr_alloc(&@$, $2, -1);
}
- | CT ct_key_dir STRING
+ | CT STRING ct_key_dir
{
struct error_record *erec;
int8_t direction;
- erec = ct_dir_parse(&@$, $3, &direction);
+ erec = ct_dir_parse(&@$, $2, &direction);
if (erec != NULL) {
erec_queue(erec, state->msgs);
YYERROR;
}
- $$ = ct_expr_alloc(&@$, $2, direction);
+ $$ = ct_expr_alloc(&@$, $3, direction);
}
;
diff --git a/tests/py/any/ct.t b/tests/py/any/ct.t
index d402252..a0a2590 100644
--- a/tests/py/any/ct.t
+++ b/tests/py/any/ct.t
@@ -109,3 +109,11 @@ ct state . ct mark { new . 0x12345678};ok
ct state . ct mark { new . 0x12345678, new . 0x34127856, established . 0x12785634};ok
ct direction . ct mark { original . 0x12345678};ok
ct state . ct mark vmap { new . 0x12345678 : drop};ok
+
+# missing direction
+ct saddr 1.2.3.4;fail
+
+# direction, but must be used without
+ct original mark 42;fail
+# swapped key and direction
+ct mark original;fail
diff --git a/tests/py/ip/ct.t b/tests/py/ip/ct.t
index 28ad766..042f94e 100644
--- a/tests/py/ip/ct.t
+++ b/tests/py/ip/ct.t
@@ -2,22 +2,22 @@
:output;type filter hook output priority 0
-ct saddr original 192.168.0.1;ok
-ct saddr reply 192.168.0.1;ok
-ct daddr original 192.168.0.1;ok
-ct daddr reply 192.168.0.1;ok
+ct original saddr 192.168.0.1;ok
+ct reply saddr 192.168.0.1;ok
+ct original daddr 192.168.0.1;ok
+ct reply daddr 192.168.0.1;ok
# same, but with a netmask
-ct saddr original 192.168.1.0/24;ok
-ct saddr reply 192.168.1.0/24;ok
-ct daddr original 192.168.1.0/24;ok
-ct daddr reply 192.168.1.0/24;ok
+ct original saddr 192.168.1.0/24;ok
+ct reply saddr 192.168.1.0/24;ok
+ct original daddr 192.168.1.0/24;ok
+ct reply daddr 192.168.1.0/24;ok
-ct l3proto original ipv4;ok
-ct l3proto reply foobar;fail
+ct original l3proto ipv4;ok
+ct reply l3proto foobar;fail
-ct protocol original 6 ct proto-dst original 22;ok
-ct protocol original 17 ct proto-src reply 53;ok
+ct original protocol 6 ct original proto-dst 22;ok
+ct original protocol 17 ct reply proto-src 53;ok
# wrong address family
-ct daddr reply dead::beef;fail
+ct reply daddr dead::beef;fail
diff --git a/tests/py/ip/ct.t.payload b/tests/py/ip/ct.t.payload
index e06d988..0449b07 100644
--- a/tests/py/ip/ct.t.payload
+++ b/tests/py/ip/ct.t.payload
@@ -1,60 +1,60 @@
-# ct saddr original 192.168.0.1
+# ct original saddr 192.168.0.1
ip test-ip4 output
[ ct load src => reg 1 , dir original ]
[ cmp eq reg 1 0x0100a8c0 ]
-# ct saddr reply 192.168.0.1
+# ct reply saddr 192.168.0.1
ip test-ip4 output
[ ct load src => reg 1 , dir reply ]
[ cmp eq reg 1 0x0100a8c0 ]
-# ct daddr original 192.168.0.1
+# ct original daddr 192.168.0.1
ip test-ip4 output
[ ct load dst => reg 1 , dir original ]
[ cmp eq reg 1 0x0100a8c0 ]
-# ct daddr reply 192.168.0.1
+# ct reply daddr 192.168.0.1
ip test-ip4 output
[ ct load dst => reg 1 , dir reply ]
[ cmp eq reg 1 0x0100a8c0 ]
-# ct saddr original 192.168.1.0/24
+# ct original saddr 192.168.1.0/24
ip test-ip4 output
[ ct load src => reg 1 , dir original ]
[ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ]
[ cmp eq reg 1 0x0001a8c0 ]
-# ct saddr reply 192.168.1.0/24
+# ct reply saddr 192.168.1.0/24
ip test-ip4 output
[ ct load src => reg 1 , dir reply ]
[ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ]
[ cmp eq reg 1 0x0001a8c0 ]
-# ct daddr original 192.168.1.0/24
+# ct original daddr 192.168.1.0/24
ip test-ip4 output
[ ct load dst => reg 1 , dir original ]
[ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ]
[ cmp eq reg 1 0x0001a8c0 ]
-# ct daddr reply 192.168.1.0/24
+# ct reply daddr 192.168.1.0/24
ip test-ip4 output
[ ct load dst => reg 1 , dir reply ]
[ bitwise reg 1 = (reg=1 & 0x00ffffff ) ^ 0x00000000 ]
[ cmp eq reg 1 0x0001a8c0 ]
-# ct l3proto original ipv4
+# ct original l3proto ipv4
ip test-ip4 output
[ ct load l3protocol => reg 1 , dir original ]
[ cmp eq reg 1 0x00000002 ]
-# ct protocol original 6 ct proto-dst original 22
+# ct original protocol 6 ct original proto-dst 22
ip test-ip4 output
[ ct load protocol => reg 1 , dir original ]
[ cmp eq reg 1 0x00000006 ]
[ ct load proto_dst => reg 1 , dir original ]
[ cmp eq reg 1 0x00001600 ]
-# ct protocol original 17 ct proto-src reply 53
+# ct original protocol 17 ct reply proto-src 53
ip test-ip4 output
[ ct load protocol => reg 1 , dir original ]
[ cmp eq reg 1 0x00000011 ]
--
2.4.10
* [PATCH nft 3/6] ct: add packet/byte counter support
2016-01-08 9:42 [PATCH nft 0/6] add support for conntrack counters Florian Westphal
2016-01-08 9:42 ` [PATCH libnftnl 1/6] src: ct: add packet and byte counter support Florian Westphal
2016-01-08 9:42 ` [PATCH nft 2/6] nft: swap key and direction in ct_dir syntax Florian Westphal
@ 2016-01-08 9:42 ` Florian Westphal
2016-01-08 9:42 ` [PATCH nft 4/6] netlink_linearize: use u64 conversion for 64bit quantities Florian Westphal
` (3 subsequent siblings)
6 siblings, 0 replies; 8+ messages in thread
From: Florian Westphal @ 2016-01-08 9:42 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
packets and bytes need special treatment -- we want to be able to get
packet/byte counter in either direction, but also express
'fetch in *BOTH* directions', i.e.
ct packets original + ct packets reply > 1000
This either requires a '+' expression, a new 'both' direction, or
keys where direction is optional, i.e.
ct packets > 12345 ; original + reply
ct original packets > 12345 ; original
Signed-off-by: Florian Westphal <fw@strlen.de>
---
include/linux/netfilter/nf_tables.h | 2 ++
src/ct.c | 4 ++++
src/parser_bison.y | 8 +++++++-
3 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 70a9619..49de2b8 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -744,6 +744,8 @@ enum nft_ct_keys {
NFT_CT_PROTO_SRC,
NFT_CT_PROTO_DST,
NFT_CT_LABELS,
+ NFT_CT_PKTS,
+ NFT_CT_BYTES,
};
/**
diff --git a/src/ct.c b/src/ct.c
index ff6cd61..b971ba1 100644
--- a/src/ct.c
+++ b/src/ct.c
@@ -203,6 +203,10 @@ static const struct ct_template ct_templates[] = {
[NFT_CT_LABELS] = CT_TEMPLATE("label", &ct_label_type,
BYTEORDER_HOST_ENDIAN,
CT_LABEL_BIT_SIZE),
+ [NFT_CT_BYTES] = CT_TEMPLATE("bytes", &integer_type,
+ BYTEORDER_HOST_ENDIAN, 64),
+ [NFT_CT_PKTS] = CT_TEMPLATE("packets", &integer_type,
+ BYTEORDER_HOST_ENDIAN, 64),
};
static void ct_expr_print(const struct expr *expr)
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 0ba6f7c..7690ecc 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -567,7 +567,7 @@ static void location_update(struct location *loc, struct location *rhs, int n)
%type <expr> ct_expr
%destructor { expr_free($$); } ct_expr
-%type <val> ct_key ct_key_dir
+%type <val> ct_key ct_key_dir ct_key_counters
%type <val> export_format
%type <string> monitor_event
@@ -2290,6 +2290,7 @@ ct_key : STATE { $$ = NFT_CT_STATE; }
| EXPIRATION { $$ = NFT_CT_EXPIRATION; }
| HELPER { $$ = NFT_CT_HELPER; }
| LABEL { $$ = NFT_CT_LABELS; }
+ | ct_key_counters
;
ct_key_dir : SADDR { $$ = NFT_CT_SRC; }
| DADDR { $$ = NFT_CT_DST; }
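Review bot: Adding `ct_key_counters` to `ct_key` also widens every other rule that uses `ct_key`; the `ct_stmt : CT ct_key SET expr` rule, visible as context at the end of the next hunk, would now accept `ct packets set …` and `ct bytes set …` at the grammar level. Whether a later evaluation step or the kernel rejects a write to a counter key is not visible in this patch, so I would pin the expected behaviour with a test line such as `ct packets set 1;fail` in tests/py/any/ct.t. An alternative is to keep the counters out of `ct_key` and give `ct_expr` a dedicated `| CT ct_key_counters` alternative that calls `ct_expr_alloc(&@$, $2, -1)`. The two new `| ct_key_counters` alternatives have no action and rely on bison's default `$$ = $1`; a one-line comment saying so would help the next reader.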
@@ -2297,6 +2298,11 @@ ct_key_dir : SADDR { $$ = NFT_CT_SRC; }
| PROTOCOL { $$ = NFT_CT_PROTOCOL; }
| PROTO_SRC { $$ = NFT_CT_PROTO_SRC; }
| PROTO_DST { $$ = NFT_CT_PROTO_DST; }
+ | ct_key_counters
+ ;
+
+ct_key_counters : BYTES { $$ = NFT_CT_BYTES; }
+ | PACKETS { $$ = NFT_CT_PKTS; }
;
ct_stmt : CT ct_key SET expr
--
2.4.10
* [PATCH nft 4/6] netlink_linearize: use u64 conversion for 64bit quantities
2016-01-08 9:42 [PATCH nft 0/6] add support for conntrack counters Florian Westphal
` (2 preceding siblings ...)
2016-01-08 9:42 ` [PATCH nft 3/6] ct: add packet/byte counter support Florian Westphal
@ 2016-01-08 9:42 ` Florian Westphal
2016-01-08 9:42 ` [PATCH nft 5/6] ct regression tests for bytes, packets Florian Westphal
` (2 subsequent siblings)
6 siblings, 0 replies; 8+ messages in thread
From: Florian Westphal @ 2016-01-08 9:42 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
nft generated two 4-byte swaps for conntrack byte/packet counters,
which are 64bit host-endian values:
[ byteorder reg 1 = hton(reg 1, 4, 8) ]
This makes the kernel perform two htonl() calls, but we need
a cpu_to_be64 conversion instead (reg 1, 8, 8).
Without this a rule like 'ct original packets > 10'
matched when counter was between 1 and 10.
Signed-off-by: Florian Westphal <fw@strlen.de>
---
src/netlink_linearize.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c
index 48f5f02..c77c462 100644
--- a/src/netlink_linearize.c
+++ b/src/netlink_linearize.c
@@ -592,6 +592,14 @@ static void netlink_gen_unary(struct netlink_linearize_ctx *ctx,
enum nft_registers dreg)
{
struct nftnl_expr *nle;
+ int byte_size;
+
+ if ((expr->arg->len % 64) == 0)
+ byte_size = 8;
+ else if ((expr->arg->len % 32) == 0)
+ byte_size = 4;
+ else
+ byte_size = 2;
netlink_gen_expr(ctx, expr->arg, dreg);
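Review bot: The `(expr->arg->len % 64) == 0` test selects the 8-byte swap for every length that is a multiple of 64, not only for 64-bit operands, so a 128-bit argument that used to get size 4 from `expr->arg->len % 32 ? 2 : 4` would now get size 8, and a length of 0 also lands in the first branch. Whether operands of those lengths reach netlink_gen_unary is not visible in this hunk. The commit message shows that a wrong swap unit makes a comparison match the wrong counter range, so the intended mapping should be written down next to the chain, e.g. `/* swap unit: 8 bytes for 64-bit multiples (u64 counters), 4 for 32-bit multiples, else 2 */`, or the first test narrowed to `expr->arg->len == 64` if only the counters are meant. The value is consumed in the following hunk as `NFTNL_EXPR_BYTEORDER_SIZE`; the function begins and ends outside both hunks.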
@@ -601,7 +609,7 @@ static void netlink_gen_unary(struct netlink_linearize_ctx *ctx,
nftnl_expr_set_u32(nle, NFTNL_EXPR_BYTEORDER_LEN,
expr->len / BITS_PER_BYTE);
nftnl_expr_set_u32(nle, NFTNL_EXPR_BYTEORDER_SIZE,
- expr->arg->len % 32 ? 2 : 4);
+ byte_size);
nftnl_expr_set_u32(nle, NFTNL_EXPR_BYTEORDER_OP,
netlink_gen_unary_op(expr->op));
nftnl_rule_add_expr(ctx->nlr, nle);
--
2.4.10
* [PATCH nft 5/6] ct regression tests for bytes, packets
2016-01-08 9:42 [PATCH nft 0/6] add support for conntrack counters Florian Westphal
` (3 preceding siblings ...)
2016-01-08 9:42 ` [PATCH nft 4/6] netlink_linearize: use u64 conversion for 64bit quantities Florian Westphal
@ 2016-01-08 9:42 ` Florian Westphal
2016-01-08 9:42 ` [PATCH nft 6/6] tests: ct: remove BUG cases that work with current master Florian Westphal
2016-01-13 12:50 ` [PATCH nft 0/6] add support for conntrack counters Pablo Neira Ayuso
6 siblings, 0 replies; 8+ messages in thread
From: Florian Westphal @ 2016-01-08 9:42 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
Signed-off-by: Florian Westphal <fw@strlen.de>
---
tests/py/any/ct.t | 9 +++++++++
tests/py/any/ct.t.payload | 19 +++++++++++++++++++
2 files changed, 28 insertions(+)
diff --git a/tests/py/any/ct.t b/tests/py/any/ct.t
index a0a2590..4c27c90 100644
--- a/tests/py/any/ct.t
+++ b/tests/py/any/ct.t
@@ -110,6 +110,15 @@ ct state . ct mark { new . 0x12345678, new . 0x34127856, established . 0x1278563
ct direction . ct mark { original . 0x12345678};ok
ct state . ct mark vmap { new . 0x12345678 : drop};ok
+ct original bytes \> 100000;ok;ct original bytes > 100000
+ct reply packets \< 100;ok;ct reply packets < 100
+ct bytes \> 100000;ok;ct bytes > 100000
+
+# bogus direction
+ct both bytes gt 1;fail
+# nonsensical
+ct bytes original reply;fail
+
# missing direction
ct saddr 1.2.3.4;fail
diff --git a/tests/py/any/ct.t.payload b/tests/py/any/ct.t.payload
index 651b644..8ca92b2 100644
--- a/tests/py/any/ct.t.payload
+++ b/tests/py/any/ct.t.payload
@@ -286,3 +286,22 @@ ip test-ip4 output
[ meta load mark => reg 1 ]
[ lookup reg 1 set map%d dreg 1 ]
[ ct set mark with reg 1 ]
+
+# ct original bytes \> 100000
+ip test-ip4 output
+ [ ct load bytes => reg 1 , dir original ]
+ [ byteorder reg 1 = hton(reg 1, 8, 8) ]
+ [ cmp gt reg 1 0x00000000 0xa0860100 ]
+
+# ct reply packets \< 100
+ip test-ip4 output
+ [ ct load packets => reg 1 , dir reply ]
+ [ byteorder reg 1 = hton(reg 1, 8, 8) ]
+ [ cmp lt reg 1 0x00000000 0x64000000 ]
+
+# ct bytes \> 100000
+ip test-ip4 output
+ [ ct load bytes => reg 1 ]
+ [ byteorder reg 1 = hton(reg 1, 8, 8) ]
+ [ cmp gt reg 1 0x00000000 0xa0860100 ]
+
--
2.4.10
* [PATCH nft 6/6] tests: ct: remove BUG cases that work with current master
2016-01-08 9:42 [PATCH nft 0/6] add support for conntrack counters Florian Westphal
` (4 preceding siblings ...)
2016-01-08 9:42 ` [PATCH nft 5/6] ct regression tests for bytes, packets Florian Westphal
@ 2016-01-08 9:42 ` Florian Westphal
2016-01-13 12:50 ` [PATCH nft 0/6] add support for conntrack counters Pablo Neira Ayuso
6 siblings, 0 replies; 8+ messages in thread
From: Florian Westphal @ 2016-01-08 9:42 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
We have tests for these in ip/ct.t.
(can't use ipv4 addresses e.g. in ipv6 family, that's why any/ct.t doesn't work)
Signed-off-by: Florian Westphal <fw@strlen.de>
---
tests/py/any/ct.t | 33 ---------------------------------
1 file changed, 33 deletions(-)
diff --git a/tests/py/any/ct.t b/tests/py/any/ct.t
index 4c27c90..14be798 100644
--- a/tests/py/any/ct.t
+++ b/tests/py/any/ct.t
@@ -67,44 +67,11 @@ ct expiration != 33-45;ok;ct expiration != 33s-45s
ct expiration {33, 55, 67, 88};ok;ct expiration { 1m7s, 33s, 55s, 1m28s}
- ct expiration != {33, 55, 67, 88};ok;ct expiration { 1m7s, 33s, 55s, 1m28s}
ct expiration {33-55};ok;ct expiration { 33s-55s}
-# BUG: ct expiration {33-55}
-# Broken output: ct expiration { "4271d23h25m52s"-"8738d3h11m59s" }
- ct expiration != {33-55};ok
ct helper "ftp";ok
ct helper "12345678901234567";fail
-# BUG: ct l3proto "Layer 3 protocol of the connection"
-# nft add rule ip test input ct l3proto arp
-# <cmdline>:1:35-37: Error: Can t parse symbolic invalid expressions
-
-
-# If table is ip6 or inet or bridge family,, It is failed. I can not test it
-# ct saddr 1.2.3.4;ok
-
-# BUG: ct saddr 192.168.3.4
-# <cmdline>:1:1-43: Error: Could not process rule: Invalid argument
-# add rule ip test input ct saddr 192.168.3.4
-# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-- ct saddr 192.168.3.4;ok
-- ct daddr 192.168.3.4;ok
-
-# BUG: ct protocol tcp
-# <cmdline>:1:1-37: Error: Could not process rule: Invalid argument
-# input ct protocol bgp <cmdline>:1:36-38: Error: Could not resolve protocol name
-# ct protocol tcp;ok
-- ct protocol tcp;ok
-
-- ct proto-src udp;ok
-- ct proto-dst udp;ok
-# BUG: ct proto-src udp and ct proto-dst udp
-# <cmdline>:1:37-39: Error: datatype mismatch, expected invalid, expression has type Internet protocol
-# add rule ip test input ct proto-src udp
-# ~~~~~~~~~~~~ ^^^
-# <cmdline>:1:37-39: Error: datatype mismatch, expected invalid, expression has type Internet protocol
-# add rule ip test input ct proto-dst udp
-# ~~~~~~~~~~~~ ^^^
-
ct state . ct mark { new . 0x12345678};ok
ct state . ct mark { new . 0x12345678, new . 0x34127856, established . 0x12785634};ok
ct direction . ct mark { original . 0x12345678};ok
--
2.4.10
* Re: [PATCH nft 0/6] add support for conntrack counters
2016-01-08 9:42 [PATCH nft 0/6] add support for conntrack counters Florian Westphal
` (5 preceding siblings ...)
2016-01-08 9:42 ` [PATCH nft 6/6] tests: ct: remove BUG cases that work with current master Florian Westphal
@ 2016-01-13 12:50 ` Pablo Neira Ayuso
6 siblings, 0 replies; 8+ messages in thread
From: Pablo Neira Ayuso @ 2016-01-13 12:50 UTC (permalink / raw)
To: Florian Westphal; +Cc: netfilter-devel
On Fri, Jan 08, 2016 at 10:42:45AM +0100, Florian Westphal wrote:
> Adds support for tests like
>
> ct original packets > 10
> ct reply packets > 10
> ct packets > 10
>
> The latter returns the counter for both original and reply (i.e. sum).
>
> Needs the two kernel patches:
> nftables: ct: add byte/packet counter support
> nftables: byteorder: provide le/be 64 bit conversion helper
>
> That were posted earlier. Let me know if you spot issues.
I'd suggest you go push this.
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Thanks!