Hi, On 04/06/2016 06:51 PM, Pablo Neira Ayuso wrote:
> Hi,
>
> This patchset introduces named stateful expressions for nf_tables, which allow userspace to set a name for a stateful expression for several reasons:
>
> * Provide a unique identifier to fetch and reset its internal state.
> * Allow updating their parameters and internal state.
> * Allow fetching and resetting its internal state.
> * Refer to the same stateful expression from one or more rules.
Would this support having rules based on the value of a counter and/or the current rate (like quotas in nfacct)? Something like this:

    nft add rule filter tcp-chain counter name tcp-counter bytes > 10000 jump deny

A more realistic setup might look more like:

    table ip filter {
        counter counter-user1234 {
            packets 6086 bytes 6278052
        }

        chain chain-user1234 {
            counter name counter-user1234
            counter name counter-user1234 > 10000000 goto chain-user1234-overlimit
            counter name counter-user1234 > 500000 goto rate-limit
            accept
        }

        chain chain-user1234-overlimit {
            do-once notify userspace somehow
            reject
        }
    }

As far as I know there is currently no mechanism in nft that could do the "do-once notify userspace somehow", or is there?

The other issue I have with such a scheme is that it requires lots of chains per client and might limit the number of clients that could be supported.

Regards
Andreas
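Added example, not part of this thread or of the nf_tables patchset: one way to get the "do-once notify userspace" behaviour today is a userspace poller that reads the named counters out of an `nft list table` listing and reports each quota crossing exactly once, re-arming after the counter is reset. It assumes the listing uses the `counter NAME { packets N bytes M }` layout shown in the mail; the sample listing, the byte limits and the counter names are constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the layout the mail's listing uses (not real nft output).
SAMPLE_LISTING = """
table ip filter {
    counter counter-user1234 {
        packets 6086 bytes 6278052
    }
    counter counter-user5678 {
        packets 12 bytes 9000
    }
}
"""

# Matches only counter object definitions; rule lines such as
# "counter name counter-user1234" carry no "{ packets ... }" body.
COUNTER_RE = re.compile(
    r"counter\s+(\S+)\s*\{\s*packets\s+(\d+)\s+bytes\s+(\d+)\s*\}", re.S)


def parse_counters(listing: str) -> Dict[str, Dict[str, int]]:
    """Return {counter name: {"packets": n, "bytes": m}} from a table listing."""
    return {name: {"packets": int(p), "bytes": int(b)}
            for name, p, b in COUNTER_RE.findall(listing)}


class QuotaWatcher:
    """Polls named counters and reports each byte-limit crossing once."""

    def __init__(self, limits: Dict[str, int]):
        self.limits = limits   # counter name -> byte limit (assumed policy)
        self.over = set()      # counters already reported

    def check(self, listing: str) -> List[Tuple[str, int, int]]:
        """Return (name, bytes, limit) for counters that crossed since last poll."""
        events = []
        counters = parse_counters(listing)
        for name, limit in self.limits.items():
            used = counters.get(name, {}).get("bytes", 0)
            if used > limit and name not in self.over:
                self.over.add(name)          # do-once: remember we notified
                events.append((name, used, limit))
            elif used <= limit:
                self.over.discard(name)      # counter was reset: re-arm
        return events


if __name__ == "__main__":
    watcher = QuotaWatcher({"counter-user1234": 500000, "counter-user5678": 500000})
    for name, used, limit in watcher.check(SAMPLE_LISTING):
        print(f"{name}: {used} bytes exceeds limit {limit}")  # notify once
```

In production the listing would come from `subprocess.run(["nft", "list", "table", "ip", "filter"], ...)` on a timer, and the reset could be done with `nft reset counter` once the overlimit action has been taken.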