author | Liping Zhang <zlpnobody@163.com> | 2016-12-25 20:12:55 +0800 |
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2017-01-16 14:09:47 +0100 |
commit | e3ec9362f0edad08834cb8ba66bc45fdb0bf33f5 (patch) | |
tree | 383e1e10a0787e0cf10477cc493a8ea9a9ebb458 | |
parent | 5d6e721c8fe31e14ddedb1a642553d072ec99bd1 (diff) |
ct: add average bytes per packet counter support
Similar to connbytes extension in iptables, now you can use it to match
average bytes per packet a connection has transferred so far.
For example, match avgpkt in "BOTH" direction:
# nft add rule x y ct avgpkt \> 100
Match avgpkt in reply direction:
# nft add rule x y ct reply avgpkt \< 900
Or match avgpkt in original direction:
# nft add rule x y ct original avgpkt \> 200
Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r-- | doc/nft.xml | 13 | ||||
-rw-r--r-- | include/linux/netfilter/nf_tables.h | 5 | ||||
-rw-r--r-- | src/ct.c | 2 | ||||
-rw-r--r-- | src/parser_bison.y | 2 | ||||
-rw-r--r-- | src/scanner.l | 1 | ||||
-rw-r--r-- | tests/py/any/ct.t | 3 | ||||
-rw-r--r-- | tests/py/any/ct.t.payload | 12 |
7 files changed, 35 insertions, 3 deletions
diff --git a/doc/nft.xml b/doc/nft.xml
index 8026d85f..a4212784 100644
--- a/doc/nft.xml
+++ b/doc/nft.xml
@@ -2112,9 +2112,9 @@ inet filter meta nfproto ipv6 output rt nexthop fd00::1
 </para>
 <para>
 There are three types of conntrack expressions. Some conntrack expressions require the flow
- direction before the conntrack key, others must be used directly because they are
- direction agnostic. The <command>packets<command> and </command>bytes</command> keywords can be used
- with or without a direction. If the direction is omitted, the sum of the original and the reply
+ direction before the conntrack key, others must be used directly because they are direction agnostic.
+ The <command>packets</command>, <command>bytes</command> and <command>avgpkt</command> keywords can be
+ used with or without a direction. If the direction is omitted, the sum of the original and the reply
 direction is returned.
 </para>
 <para>
@@ -2132,6 +2132,7 @@ inet filter meta nfproto ipv6 output rt nexthop fd00::1
 <arg>protocol</arg>
 <arg>bytes</arg>
 <arg>packets</arg>
+ <arg>avgpkt</arg>
 </group>
 </cmdsynopsis>
 <cmdsynopsis>
@@ -2149,6 +2150,7 @@ inet filter meta nfproto ipv6 output rt nexthop fd00::1
 <arg>proto-dst</arg>
 <arg>bytes</arg>
 <arg>packets</arg>
+ <arg>avgpkt</arg>
 </group>
 </cmdsynopsis>
 </para>
@@ -2242,6 +2244,11 @@ inet filter meta nfproto ipv6 output rt nexthop fd00::1
 <entry>bytecount seen, see description for <command>packets</command> keyword</entry>
 <entry>integer (64 bit)</entry>
 </row>
+ <row>
+ <entry>avgpkt</entry>
+ <entry>average bytes per packet, see description for <command>packets</command> keyword</entry>
+ <entry>integer (64 bit)</entry>
+ </row>
 </tbody>
 </tgroup>
 </table>
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 881d49e9..b00a05d1 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -860,6 +860,10 @@ enum nft_rt_attributes {
 * @NFT_CT_PROTOCOL: conntrack layer 4 protocol
 * @NFT_CT_PROTO_SRC: conntrack layer 4 protocol source
 * @NFT_CT_PROTO_DST: conntrack layer 4 protocol destination
+ * @NFT_CT_LABELS: conntrack labels
+ * @NFT_CT_PKTS: conntrack packets
+ * @NFT_CT_BYTES: conntrack bytes
+ * @NFT_CT_AVGPKT: conntrack average bytes per packet
 */
 enum nft_ct_keys {
 NFT_CT_STATE,
@@ -878,6 +882,7 @@ enum nft_ct_keys {
 NFT_CT_LABELS,
 NFT_CT_PKTS,
 NFT_CT_BYTES,
+ NFT_CT_AVGPKT,
 };
 /**
@@ -232,6 +232,8 @@ static const struct ct_template ct_templates[] = {
 BYTEORDER_HOST_ENDIAN, 64),
 [NFT_CT_PKTS] = CT_TEMPLATE("packets", &integer_type,
 BYTEORDER_HOST_ENDIAN, 64),
+ [NFT_CT_AVGPKT] = CT_TEMPLATE("avgpkt", &integer_type,
+ BYTEORDER_HOST_ENDIAN, 64),
 };
 static void ct_expr_print(const struct expr *expr)
diff --git a/src/parser_bison.y b/src/parser_bison.y
index be662e4d..4749c9fa 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -362,6 +362,7 @@ static void location_update(struct location *loc, struct location *rhs, int n)
 %token NAME "name"
 %token PACKETS "packets"
 %token BYTES "bytes"
+%token AVGPKT "avgpkt"
 %token COUNTERS "counters"
 %token QUOTAS "quotas"
@@ -2945,6 +2946,7 @@ ct_key_dir : SADDR { $$ = NFT_CT_SRC; }
 ct_key_counters : BYTES { $$ = NFT_CT_BYTES; }
 | PACKETS { $$ = NFT_CT_PKTS; }
+ | AVGPKT { $$ = NFT_CT_AVGPKT; }
 ;
 ct_stmt : CT ct_key SET expr
diff --git a/src/scanner.l b/src/scanner.l
index 6b441b54..d0d25ea9 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -294,6 +294,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
 "name" { return NAME; }
 "packets" { return PACKETS; }
 "bytes" { return BYTES; }
+"avgpkt" { return AVGPKT; }
 "counters" { return COUNTERS; }
 "quotas" { return QUOTAS; }
diff --git a/tests/py/any/ct.t b/tests/py/any/ct.t
index 76be185a..2cfbfe13 100644
--- a/tests/py/any/ct.t
+++ b/tests/py/any/ct.t
@@ -80,6 +80,9 @@ ct original bytes \> 100000;ok;ct original bytes > 100000
 ct reply packets \< 100;ok;ct reply packets < 100
 ct bytes \> 100000;ok;ct bytes > 100000
+ct avgpkt \> 200;ok;ct avgpkt > 200
+ct original avgpkt \< 500;ok;ct original avgpkt < 500
+
 # bogus direction
 ct both bytes gt 1;fail
 # nonsensical
diff --git a/tests/py/any/ct.t.payload b/tests/py/any/ct.t.payload
index 90fce9ff..3370bcac 100644
--- a/tests/py/any/ct.t.payload
+++ b/tests/py/any/ct.t.payload
@@ -361,6 +361,18 @@ ip test-ip4 output
 [ byteorder reg 1 = hton(reg 1, 8, 8) ]
 [ cmp gt reg 1 0x00000000 0xa0860100 ]
+# ct avgpkt \> 200
+ip test-ip4 output
+ [ ct load avgpkt => reg 1 ]
+ [ byteorder reg 1 = hton(reg 1, 8, 8) ]
+ [ cmp gt reg 1 0x00000000 0xc8000000 ]
+
+# ct original avgpkt \< 500
+ip test-ip4 output
+ [ ct load avgpkt => reg 1 , dir original ]
+ [ byteorder reg 1 = hton(reg 1, 8, 8) ]
+ [ cmp lt reg 1 0x00000000 0xf4010000 ]
+
 # ct status expected,seen-reply,assured,confirmed,snat,dnat,dying
 ip test-ip4 output
 [ ct load status => reg 1 ] |
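Review bot: The two cases added to ct.t cover only the direction-less form (`ct avgpkt \> 200`) and the original direction (`ct original avgpkt \< 500`); the reply-direction form that the commit message itself lists (`ct reply avgpkt \< 900`) gets no case, so the reply load path for the new key is never exercised by the test suite. Adding `ct reply avgpkt \< 900;ok;ct reply avgpkt < 900` to ct.t would close that gap, together with a matching block in ct.t.payload built like the existing `dir original` one (presumably `[ ct load avgpkt => reg 1 , dir reply ]`, the same byteorder line, and `[ cmp lt reg 1 0x00000000 0x84030000 ]`, where 0x84030000 is 900 encoded the same way as 500 is in the 0xf4010000 case). This also pins the reply variant for the new `ct_key_counters` alternative in parser_bison.y, which is otherwise only reached through the two directions the tests already use.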