Re: bug report and future request

Hi Florian

This config looks good, but it does not work: after setting it, the user is not limited by speed.


table inet nft-qos-static {
	set limit_ul {
		typeof ip saddr
		flags dynamic
		elements = { 10.0.0.1 limit rate over 5 mbytes/second burst 6000 kbytes, 10.0.0.254 limit rate over 12 mbytes/second burst 6000 kbytes }
	}
	set limit_dl {
		typeof ip saddr
		flags dynamic
		elements = { 10.0.0.1 limit rate over 5 mbytes/second burst 6000 kbytes, 10.0.0.254 limit rate over 12 mbytes/second burst 6000 kbytes }
	}

	chain upload {
		type filter hook postrouting priority filter; policy accept;
		ip saddr @limit_ul drop
	}
	chain download {
		type filter hook prerouting priority filter; policy accept;
		# note: this matches ip saddr, whereas the working per-rule config below matches ip daddr in the download chain
		ip saddr @limit_dl drop
	}
}


With this config the user with IP 10.0.0.1 is not limited to 5 mbytes.


When back to this config :

table inet nft-qos-static {
	chain upload {
		type filter hook postrouting priority filter; policy accept;
		ip saddr 10.0.0.1 limit rate over 5 mbytes/second burst 6000 kbytes drop
	}

	chain download {
		type filter hook prerouting priority filter; policy accept;
		ip daddr 10.0.0.1 limit rate over 5 mbytes/second burst 6000 kbytes drop
	}
}


The user is limited perfectly.

Maybe I missed something?


Martin

> On 21 Mar 2022, at 23:27, Florian Westphal <fw@xxxxxxxxx> wrote:
> 
> Martin Zaharinov <micron10@xxxxxxxxx> wrote:
>> if have 1k rule
>> 
>> table inet nft-qos-static {
>>        chain upload {
>>                type filter hook postrouting priority filter; policy accept;
>>                ip saddr 10.0.0.9 limit rate over 12 mbytes/second burst 50000 kbytes drop
>> .........
>> ip saddr 10.0.0.254 limit rate over 12 mbytes/second burst 50000 kbytes drop
>>        }
> 
> 1k rules? That's insane.  Don't do that.
> There is no need for that many rules; it's also super slow.
> 
> Use a static/immutable ruleset with a named set and then add/remove elements from the set.
> 
> table inet nft-qos-static {
> 	set limit_ul {
> 		typeof ip saddr
> 		flags dynamic
> 		elements = { 10.0.0.9 limit rate over 12 mbytes/second burst 50000 kbytes, 10.0.0.254 limit rate over 12 mbytes/second burst 50000 kbytes }
> 	}
> 
> 	chain upload {
> 		type filter hook postrouting priority filter; policy accept;
> 		ip saddr @limit_ul drop
> 	}
> }
> 
> static ruleset: no need to add/delete a rule:
> 
> nft add element inet nft-qos-static limit_ul "{ 10.1.2.4 limit rate over 1 mbytes/second burst 1234 kbytes  }"
> nft delete element inet nft-qos-static limit_ul "{ 10.1.2.4 limit rate over 1 mbytes/second burst 1234 kbytes }"
> 
> You can add/delete multiple elements in { }, separated by ",".
> 
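The static-ruleset approach from the quoted reply, as an added shell example that is not code from either poster or from the nftables project: one dynamic set per direction holding each client's own limit, and small helpers that only add or delete set elements, so the chains never change. The function names (qos_ruleset, qos_element, qos_set_user, qos_del_user) and the NFT variable that lets you preview commands with NFT=echo are assumptions made here; the table, set and chain names are the thread's. The download chain matches ip daddr, as in Martin's working per-rule config, since the client is the destination for downloaded traffic.

```shell
#!/bin/sh
# Added example, not from the thread: static nft-qos ruleset plus per-client
# element helpers. Set NFT=echo to print the nft commands instead of running them.
set -eu

TABLE="inet nft-qos-static"

# Print the static ruleset. Each set element carries its own limit; the chains
# only reference the sets and never need to be edited.
qos_ruleset() {
	cat <<'EOF'
table inet nft-qos-static {
	set limit_ul {
		typeof ip saddr
		flags dynamic
	}
	set limit_dl {
		typeof ip daddr
		flags dynamic
	}

	chain upload {
		type filter hook postrouting priority filter; policy accept;
		ip saddr @limit_ul drop
	}
	chain download {
		type filter hook prerouting priority filter; policy accept;
		# client is the destination for downloads, so match daddr here
		ip daddr @limit_dl drop
	}
}
EOF
}

# Build one element expression: "<ip> limit rate over <mbytes> mbytes/second burst <kbytes> kbytes"
qos_element() {
	printf '%s limit rate over %s mbytes/second burst %s kbytes' "$1" "$2" "$3"
}

# Cap a client in both directions by adding elements; the rules stay untouched.
# Usage: qos_set_user <ip> <mbytes/second> <burst kbytes>
qos_set_user() {
	el=$(qos_element "$1" "$2" "$3")
	${NFT:-nft} add element $TABLE limit_ul "{ $el }"
	${NFT:-nft} add element $TABLE limit_dl "{ $el }"
}

# Remove a client's cap. The full element expression (including the limit) is
# given on delete, mirroring the delete command in the quoted reply.
# Usage: qos_del_user <ip> <mbytes/second> <burst kbytes>
qos_del_user() {
	el=$(qos_element "$1" "$2" "$3")
	${NFT:-nft} delete element $TABLE limit_ul "{ $el }"
	${NFT:-nft} delete element $TABLE limit_dl "{ $el }"
}

# Minimal CLI: ruleset | add <ip> <mb> <kb> | del <ip> <mb> <kb>
case "${1:-}" in
	ruleset) qos_ruleset ;;
	add)     shift; qos_set_user "$@" ;;
	del)     shift; qos_del_user "$@" ;;
esac
```

Load the ruleset once with `sh qos.sh ruleset | nft -f -`, then manage clients with `sh qos.sh add 10.0.0.7 5 6000` and `sh qos.sh del 10.0.0.7 5 6000`; `NFT=echo sh qos.sh add 10.0.0.7 5 6000` shows the exact nft commands without applying them. To change a client's cap, delete the old element and add the new one.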
