ct: add average bytes per packet counter support

Similar to connbytes extension in iptables, now you can use it to match
average bytes per packet a connection has transferred so far.

For example, match avgpkt in "BOTH" diretion:
  # nft add rule x y ct avgpkt \> 100

Match avgpkt in reply direction:
  # nft add rule x y ct reply avgpkt \< 900

Or match avgpkt in original direction:
  # nft add rule x y ct original avgpkt \> 200

Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

2 files changed, 15 insertions, 0 deletions

diff --git a/tests/py/any/ct.t b/tests/py/any/ct.t
index 76be185a..2cfbfe13 100644
--- a/tests/py/any/ct.t
+++ b/tests/py/any/ct.t
@@ -80,6 +80,9 @@ ct original bytes \> 100000;ok;ct original bytes > 100000
 ct reply packets \< 100;ok;ct reply packets < 100
 ct bytes \> 100000;ok;ct bytes > 100000
 
+ct avgpkt \> 200;ok;ct avgpkt > 200
+ct original avgpkt \< 500;ok;ct original avgpkt < 500
+
 # bogus direction
 ct both bytes gt 1;fail
 # nonsensical
diff --git a/tests/py/any/ct.t.payload b/tests/py/any/ct.t.payload
index 90fce9ff..3370bcac 100644
--- a/tests/py/any/ct.t.payload
+++ b/tests/py/any/ct.t.payload
@@ -361,6 +361,18 @@ ip test-ip4 output
   [ byteorder reg 1 = hton(reg 1, 8, 8) ]
   [ cmp gt reg 1 0x00000000 0xa0860100 ]
 
+# ct avgpkt \> 200
+ip test-ip4 output
+  [ ct load avgpkt => reg 1 ]
+  [ byteorder reg 1 = hton(reg 1, 8, 8) ]
+  [ cmp gt reg 1 0x00000000 0xc8000000 ]
+
+# ct original avgpkt \< 500
+ip test-ip4 output
+  [ ct load avgpkt => reg 1 , dir original ]
+  [ byteorder reg 1 = hton(reg 1, 8, 8) ]
+  [ cmp lt reg 1 0x00000000 0xf4010000 ]
+
 # ct status expected,seen-reply,assured,confirmed,snat,dnat,dying
 ip test-ip4 output
   [ ct load status => reg 1 ]