netfilter-devel.vger.kernel.org archive mirror
From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Patrick McHardy <kaber@trash.net>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH nft 0/7] flow statement
Date: Fri, 13 May 2016 20:12:45 +0200
Message-ID: <20160513181245.GA23428@salvia>
In-Reply-To: <1461756590-22880-1-git-send-email-kaber@trash.net>

On Wed, Apr 27, 2016 at 12:29:43PM +0100, Patrick McHardy wrote:
> The following patches add the "flow" statement to dynamically instantiate
> stateful expression for each user defined flow. This can currently be used
> for per flow accounting and per flow rate limiting, similar to what hashlimit
> provides, but with a much more flexible definition of a flow.
> 
> Examples:
> 
> # Per flow accounting
> $ nft filter input flow table acct ip saddr . ip daddr counter
> 
> # Host rate limiting for each port
> $ nft filter input flow ip saddr . tcp dport timeout 60s limit rate 10/second
> 
> The tables are so far not shown in the ruleset output, but can be displayed
> using "nft list set". This will not be a permanent solution, the plan is to
> add new commands for flow tables that will display them in a more structured
> fashion and allow sorting by individual keys or parts of the per flow statement,
> f.i. the counters. However this requires some rather large changes to how
> nft prints data and needs more work, so the intention is to merge this part
> now and add the output part once it is finished.
> 
> Comments and testing welcome.

Series applied.

I had to rebase the test updates to get this applying to current git HEAD.

Thread overview: 10+ messages
2016-04-27 11:29 [PATCH nft 0/7] flow statement Patrick McHardy
2016-04-27 11:29 ` [PATCH nft 1/7] netlink: make dump functions object argument constant Patrick McHardy
2016-04-27 11:29 ` [PATCH nft 2/7] set: allow non-constant implicit set declarations Patrick McHardy
2016-04-27 11:29 ` [PATCH nft 3/7] set: explicitly supply name to " Patrick McHardy
2016-04-27 11:29 ` [PATCH nft 4/7] tests: update for changed set name Patrick McHardy
2016-04-27 11:29 ` [PATCH nft 5/7] netlink_delinearize: support parsing statements not contained within a rule Patrick McHardy
2016-04-27 11:29 ` [PATCH nft 6/7] stmt: support generating stateful statements outside of rule context Patrick McHardy
2016-04-27 11:29 ` [PATCH nft 7/7] nft: add flow statement Patrick McHardy
2016-04-27 16:37   ` Pablo Neira Ayuso
2016-05-13 18:12 ` Pablo Neira Ayuso [this message]
