On Wed, Apr 27, 2016 at 12:29:43PM +0100, Patrick McHardy wrote:
> The following patches add the "flow" statement to dynamically instantiate
> stateful expression for each user defined flow. This can currently be used
> for per flow accounting and per flow rate limiting, similar to what hashlimit
> provides, but with a much more flexible definition of a flow.
>
> Examples:
>
> # Per flow accounting
> $ nft filter input flow table acct ip saddr . ip daddr counter
>
> # Host rate limiting for each port
> $ nft filter input flow ip saddr . tcp dport timeout 60s limit rate 10/second
>
> The tables are so far not shown in the ruleset output, but can be displayed
> using "nft list set". This will not be a permanent solution, the plan is to
> add new commands for flow tables that will display them in a more structured
> fashion and allow sorting by individual keys or parts of the per flow statement,
> f.i. the counters. However this requires some rather large changes to how
> nft prints data and needs more work, so the intention is to merge this part
> now and add the output part once it is finished.
>
> Comments and testing welcome.

Series applied.

I had to rebase the test updates to get this applying to current git HEAD.