From e3ec9362f0edad08834cb8ba66bc45fdb0bf33f5 Mon Sep 17 00:00:00 2001 From: Liping Zhang Date: Sun, 25 Dec 2016 20:12:55 +0800 Subject: ct: add average bytes per packet counter support Similar to connbytes extension in iptables, now you can use it to match average bytes per packet a connection has transferred so far. For example, match avgpkt in "BOTH" direction: # nft add rule x y ct avgpkt \> 100 Match avgpkt in reply direction: # nft add rule x y ct reply avgpkt \< 900 Or match avgpkt in original direction: # nft add rule x y ct original avgpkt \> 200 Signed-off-by: Liping Zhang Signed-off-by: Pablo Neira Ayuso --- tests/py/any/ct.t | 3 +++ tests/py/any/ct.t.payload | 12 ++++++++++++ 2 files changed, 15 insertions(+) (limited to 'tests/py/any') diff --git a/tests/py/any/ct.t b/tests/py/any/ct.t index 76be185a..2cfbfe13 100644 --- a/tests/py/any/ct.t +++ b/tests/py/any/ct.t @@ -80,6 +80,9 @@ ct original bytes \> 100000;ok;ct original bytes > 100000 ct reply packets \< 100;ok;ct reply packets < 100 ct bytes \> 100000;ok;ct bytes > 100000 +ct avgpkt \> 200;ok;ct avgpkt > 200 +ct original avgpkt \< 500;ok;ct original avgpkt < 500 + # bogus direction ct both bytes gt 1;fail # nonsensical diff --git a/tests/py/any/ct.t.payload b/tests/py/any/ct.t.payload index 90fce9ff..3370bcac 100644 --- a/tests/py/any/ct.t.payload +++ b/tests/py/any/ct.t.payload @@ -361,6 +361,18 @@ ip test-ip4 output [ byteorder reg 1 = hton(reg 1, 8, 8) ] [ cmp gt reg 1 0x00000000 0xa0860100 ] +# ct avgpkt \> 200 +ip test-ip4 output + [ ct load avgpkt => reg 1 ] + [ byteorder reg 1 = hton(reg 1, 8, 8) ] + [ cmp gt reg 1 0x00000000 0xc8000000 ] + +# ct original avgpkt \< 500 +ip test-ip4 output + [ ct load avgpkt => reg 1 , dir original ] + [ byteorder reg 1 = hton(reg 1, 8, 8) ] + [ cmp lt reg 1 0x00000000 0xf4010000 ] + # ct status expected,seen-reply,assured,confirmed,snat,dnat,dying ip test-ip4 output [ ct load status => reg 1 ] -- cgit v1.2.3
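Review bot: The added cases in tests/py/any/ct.t cover the default ("both") and `original` directions but not `reply`, although the commit message advertises `ct reply avgpkt \< 900`; I would add `ct reply avgpkt \< 900;ok;ct reply avgpkt < 900`, with a matching entry in the ct.t.payload hunk that mirrors the `dir original` one (presumably `[ ct load avgpkt => reg 1 , dir reply ]`, to be confirmed against the generated output). A negative case next to the existing `ct both bytes gt 1;fail` context line, such as `ct both avgpkt gt 1;fail`, would also pin down that a bogus direction is rejected for the new key. These expressions end up in packet-filter rules, where a silently mis-encoded direction would match the wrong half of a connection, so each direction deserves its own test. The diff lines are collapsed on this page, so the exact placement within the hunks is inferred.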