Ipset combined entry type like hash:ip,port,ip,port

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hello list,

I have a use case, where I would like to save:
- src IP
- src port
- protocol
- dst IP
- dst port
- packet counter
- bytes counter

Obviously, there is obviously almost a matching type for this in ipset
hash:ip,port,ip. It just misses the destination (or source) port
depending on how you map the src and dst variables. Do I miss
something, like the possibility to concatenate entries e.g.
hash:ip,port with hash:ip,port using something like list:set? I don't
think that is the solution.
What I have is a partial workaround using two hash:ip,port,ip sets,
with one configured 'src,src,dst' and the other 'src,dst,dst' and later
combining the results - which gives the most probable quintuples.
This is less than ideal. A set in the form of hash:ip,port,ip,port
would be most helpful.

The use case is to track dynamically what client services communicated
with what server services using which protocol etc. When periodically
reading the ipset entries a reasonable monitoring of communication can
be achieved using very simple means.
The addition of entries is achieved using iptables/ nftables using:
    iptables -A FORWARD -m set ! --match-set in_conn_src src,src,dst \
    -j SET --add-set in_conn_src src,src,dst
which seems to be performant enough for my use case. (Is there any
advice concerning this?/ How efficient is this e.g. does it jump to
user space for the addition of an entry?)
The documentation seems to suggest that ipset add resets the counters.
This seems to be the case also for the -j SET target. Could you please
tell me, which code is responsible for the -j SET --add-set ?

I have the feeling, this could be a lot more efficient if the "addition
" of an already existing entry would result in the counters to be added
up. This would pretty much obviate the ! --match-set guard statement
(as shown above) and another rule just matching for accounting of the
other packets:
    iptables -A INPUT -m set --match-set in_conn_src src,src,dst

I don't know, if there is a better way using nftables with its generic
sets? Can it also add entries without jumping to user space?

Thank you for any comments on this

Adam Kalisz
[Index of Archives]     [Netfitler Users]     [Berkeley Packet Filter]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux