Hi Stefano, On Tue, 25 Feb 2020, Stefano Brivio wrote: > > > The issue observed is illustrated by this reproducer: > > > > > > ipset create c hash:ip counters > > > ipset add c 192.0.2.1 > > > iptables -I INPUT -m set --match-set c src --bytes-gt 800 -j DROP > > > > > > if we now send packets from 192.0.2.1, bytes and packets counters > > > for the entry as shown by 'ipset list' are always zero, and, no > > > matter how many bytes we send, the rule will never match, because > > > counters themselves are not updated. > > > > Sorry, but I disagree. ipset behaves the same as iptables itself: the > > counters are increased when the whole rule matches and that includes the > > counter comparison as well. I think it's less counter-intuitive that one > > can create never matching rules than to explain that "counter matching is > > a non-match for the point of view of 'when the rule matches, update the > > counter'". > > Note that this behaviour was modified two years ago: earlier, this was > not the case (and by the way this is how we found out, as it broke a > user setup). That's really bad. Still, I think it was a bug earlier which was then fixed. The logic could be changed in the user rules from iptables -I INPUT -m set --match-set c src --bytes-gt 800 -j DROP to iptables -I INPUT -m set --match-set c src --bytes-lt 800 -j ACCEPT [ otherwise DROP ] but of course it might be not so simple, depending on how the rules are built up. > Other than this, I'm a bit confused. How could --packets-gt and > --bytes-gt be used, if counters don't increase as long as the rule > doesn't match? I almost added to my previous mail that the 'ge' and 'gt' matches are not really useful at the moment... > > What's really missing is a decrement-counters flag: that way one could > > store different "quotas" for the elements in a set. > > I see, that would work as well. The other possibility is to force counter update. I.e. instead of iptables -I INPUT -m set --match-set c src --bytes-gt 800 -j DROP something like iptables -I INPUT -m set --match-set c src --update-counters \ --bytes-gt 800 -j DROP but that also requires some internal changes to store a new flag, because at the moment only "! --update-counters" is supported. So there'd be then a fine-grained control over how the counters are updated: - no --update-counters flag: update counters only if the whole rule matches, including the counter matches - --update-counters flag: update counters if counter matching is false - ! --update-counters flag: don't update counters Best regards, Jozsef - E-mail : kadlec@xxxxxxxxxxxxxxxxx, kadlecsik.jozsef@xxxxxxxxx PGP key : https://wigner.hu/~kadlec/pgp_public_key.txt Address : Wigner Research Centre for Physics H-1525 Budapest 114, POB. 49, Hungary
