Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> This patchset introduces the named stateful expressions for nf_tables,
> that allows userspace to set a name for the stateful expression for
> several reasons:
>
> * Provide a unique identifier to fetch and reset its internal state.
> * Allow updating their parameters and internal state.
> * Allow fetching and resetting its internal state.
> * Refer to the same stateful expression from one or more rules.

Can't all of this be achieved via custom chains already...?

> nf_tables currently supports two stateful expressions: limit and counter,
> therefore you can create named instances of these expressions through
> this new infrastructure.
> Several examples on how this would look from userspace:
>
> * Add the 'tcp-counter' counter to the 'filter' table:
>
> # nft add counter filter tcp-counter
>
> * Delete this counter (only possible if not dereferenced from a rule):
>
> # nft delete counter filter tcp-counter
>
> * List existing named counters:
>
> # nft lists counters
> table ip filter {
>         counter tcp-counter {
>                 packets 6086 bytes 6278052
>         }
>         counter udp-counter {
>                 packets 272 bytes 64690
>         }
>         counter icmp-counter {
>                 packets 10 bytes 840
>         }
> }

Can't you already create a 'named counter' via

chain tcp-counter { counter }

?

Seems to me we only would have to teach nft list to allow filtering output
on chain names, e.g.

nft list table filter \*-counter

to have something similar using the existing feature set.

> So far, only counters are supported, but it should be possible to
> support named limits. I have another (incomplete) patch that allows to
> update the named expressions parameters, this can be useful to
> dynamically update the ratelimiting policies, the command line should
> look like:
>
> # nft update limit name user01234 rate 250 mbytes/day

Similar comment here, you could create

chain user01234 { limit rate 100 mbytes/day }

This feature seems strange to me, AFAIU it adds a container for single
expressions, so it just seems to be a subset of what we already have
(namely chains as containers of rules).

What am I missing? :)

Is there something that is too cumbersome to achieve with a chain-based
approach?
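As an added illustration, not part of either mail in this thread, here are the two designs being compared written out as nftables rulesets: a named counter object shared by several rules, and the reply's alternative of a dedicated chain acting as the container. The object syntax (`counter name "..."` inside a rule, `counter <name> { }` inside the table) is assumed from the nft syntax that later shipped in nftables, not taken from the patchset, whose command forms may differ. The two rulesets are alternatives and should be loaded separately, not together.

```nft
# Constructed example, not from the patchset or the reply.

# Approach 1: a named counter object. Both rules account into the same
# object, and each rule keeps its own verdict.
table ip filter {
        counter tcp-counter { }

        chain input {
                type filter hook input priority 0; policy accept;
                tcp dport 22  counter name "tcp-counter" accept
                tcp dport 443 counter name "tcp-counter" accept
        }
}

# Approach 2: a chain used as the container (the reply's suggestion).
# Both rules jump into the same chain, whose single rule counts the
# packet and returns to the caller, which then falls through to the
# chain policy.
table ip filter {
        chain tcp-counter {
                counter
        }

        chain input {
                type filter hook input priority 0; policy accept;
                tcp dport 22  jump tcp-counter
                tcp dport 443 jump tcp-counter
        }
}
```

Load one alternative with `nft -f <file>`; the first is inspected with `nft list counters`, the second with `nft list chain ip filter tcp-counter`. The observable difference for an operator is where the verdict lives: with the object, the calling rule still says `accept` (or `drop`) next to the counter reference, while with the chain-as-container the verdict either moves into the shared chain, where it then applies to every caller, or has to be expressed by what happens after the jump returns.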