From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Patrick McHardy <kaber@trash.net>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH nft 7/7] nft: add flow statement
Date: Wed, 27 Apr 2016 18:37:27 +0200
Message-ID: <20160427163727.GA2006@salvia>
In-Reply-To: <1461756590-22880-8-git-send-email-kaber@trash.net>
On Wed, Apr 27, 2016 at 12:29:50PM +0100, Patrick McHardy wrote:
> The flow statement allows instantiating per-flow statements for user
> defined flows. This can so far be used for per-flow accounting or limiting,
> similar to what the iptables hashlimit provides. Flows can be aged using
> the timeout option.
>
> Examples:
>
> # nft filter input flow ip saddr . tcp dport limit rate 10/second
> # nft filter input flow table acct iif . ip saddr timeout 60s counter
I think you have to update this syntax to:
# nft add rule filter input \
flow { ip saddr . tcp dport limit rate 10/second }
^ ^
# nft add rule filter input \
flow table acct { iif . ip saddr timeout 60s counter }
^ ^
so the idea is to wrap this around brackets.
When playing around with this in your initial patchset I found it very
confusing that it may not look obvious to users that they can only use
one single statement.
For example:
# nft add rule filter input \
flow table acct iif . ip saddr timeout 60s counter limit rate 10/second
~~~~~~~~~~~~~~~~~~~~
Note that this limit rate applies globally.
This may cause us problems in the future too if we extend this to
support more than one single statement per flowtable entry (not
saying we need this now, but if someone comes up with a useful
use case, we should be capable of extending this).