From e3ec9362f0edad08834cb8ba66bc45fdb0bf33f5 Mon Sep 17 00:00:00 2001 From: Liping Zhang Date: Sun, 25 Dec 2016 20:12:55 +0800 Subject: ct: add average bytes per packet counter support Similar to connbytes extension in iptables, now you can use it to match average bytes per packet a connection has transferred so far. For example, match avgpkt in "BOTH" direction: # nft add rule x y ct avgpkt \> 100 Match avgpkt in reply direction: # nft add rule x y ct reply avgpkt \< 900 Or match avgpkt in original direction: # nft add rule x y ct original avgpkt \> 200 Signed-off-by: Liping Zhang Signed-off-by: Pablo Neira Ayuso --- doc/nft.xml | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) (limited to 'doc/nft.xml') diff --git a/doc/nft.xml b/doc/nft.xml index 8026d85f..a4212784 100644 --- a/doc/nft.xml +++ b/doc/nft.xml @@ -2112,9 +2112,9 @@ inet filter meta nfproto ipv6 output rt nexthop fd00::1 There are three types of conntrack expressions. Some conntrack expressions require the flow - direction before the conntrack key, others must be used directly because they are - direction agnostic. The packets and bytes keywords can be used - with or without a direction. If the direction is omitted, the sum of the original and the reply + direction before the conntrack key, others must be used directly because they are direction agnostic. + The packets, bytes and avgpkt keywords can be + used with or without a direction. If the direction is omitted, the sum of the original and the reply direction is returned. @@ -2132,6 +2132,7 @@ inet filter meta nfproto ipv6 output rt nexthop fd00::1 protocol bytes packets + avgpkt @@ -2149,6 +2150,7 @@ inet filter meta nfproto ipv6 output rt nexthop fd00::1 proto-dst bytes packets + avgpkt 
@@ -2242,6 +2244,11 @@ inet filter meta nfproto ipv6 output rt nexthop fd00::1 bytecount seen, see description for packets keyword integer (64 bit) + + avgpkt + average bytes per packet, see description for packets keyword + integer (64 bit) + -- cgit v1.2.3
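Review bot: In the hunk at @@ -2112, the retained sentence "If the direction is omitted, the sum of the original and the reply direction is returned" now also covers avgpkt, where it is misleading: an average taken over both directions is not the sum of the two per-direction averages. Suggest a separate sentence for avgpkt that states how the undirected value is derived, for example the combined byte count divided by the combined packet count, if that is what the implementation does.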
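Review bot: In the hunk at @@ -2242, the new avgpkt row types the value as integer (64 bit) and defers to the packets keyword for everything else, so it does not say how a fractional average is rounded or what the expression yields for a connection with no counted packets. Anyone writing threshold rules like the commit message's "ct avgpkt \> 100" needs both stated in the row itself. The three example rules from the commit message would also be worth carrying into the documentation, since none of the visible hunks adds one.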