Re: [PATCH] ipset: Update byte and packet counters regardless of whether they match

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi Jozsef,

On Tue, 25 Feb 2020 09:07:09 +0100 (CET)
Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxx> wrote:

> Hi Stefano MithilMithil,
> 
> On Mon, 24 Feb 2020, Stefano Brivio wrote:
> 
> > In ip_set_match_extensions(), for sets with counters, we take care of 
> > updating counters themselves by calling ip_set_update_counter(), and of 
> > checking if the given comparison and values match, by calling 
> > ip_set_match_counter() if needed.
> > 
> > However, if a given comparison on counters doesn't match the configured 
> > values, that doesn't mean the set entry itself isn't matching.
> > 
> > This fix restores the behaviour we had before commit 4750005a85f7 
> > ("netfilter: ipset: Fix "don't update counters" mode when counters used 
> > at the matching"), without reintroducing the issue fixed there: back 
> > then, mtype_data_match() first updated counters in any case, and then 
> > took care of matching on counters.
> > 
> > Now, if the IPSET_FLAG_SKIP_COUNTER_UPDATE flag is set,
> > ip_set_update_counter() will anyway skip counter updates if desired.
> > 
> > The issue observed is illustrated by this reproducer:
> > 
> >   ipset create c hash:ip counters
> >   ipset add c 192.0.2.1
> >   iptables -I INPUT -m set --match-set c src --bytes-gt 800 -j DROP
> > 
> > if we now send packets from 192.0.2.1, bytes and packets counters
> > for the entry as shown by 'ipset list' are always zero, and, no
> > matter how many bytes we send, the rule will never match, because
> > counters themselves are not updated.  
> 
> Sorry, but I disagree. ipset behaves the same as iptables itself: the 
> counters are increased when the whole rule matches and that includes the 
> counter comparison as well. I think it's less counter-intuitive that one 
> can create never matching rules than to explain that "counter matching is 
> a non-match for the point of view of 'when the rule matches, update the 
> counter'".

Note that this behaviour was modified two years ago: earlier, this was
not the case (and by the way this is how we found out, as it broke a
user setup).

Other than this, I'm a bit confused. How could --packets-gt and
--bytes-gt be used, if counters don't increase as long as the rule
doesn't match?

> What's really missing is a decrement-counters flag: that way one could 
> store different "quotas" for the elements in a set.

I see, that would work as well.

-- 
Stefano
[Index of Archives]     [Netfitler Users]     [Berkeley Packet Filter]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux