On Wed, 22 Mar 2017 17:25:57 +0100
Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> On Sat, Mar 18, 2017 at 12:59:18AM +0000, Robert White wrote:
> > So this doesn't rate a bug, but it did confuse me.
> >
> > Flow tables are always named, but they don't conform to the way sets, maps,
> > and dictionaries work in terms of "add" and "delete" and all that.
> >
> > They are also "flow tables" instead of one word like "flows" or "throttle"
> > or something.
> >
> > It seems weird to just have these break the syntactic expectations.
> >
> > I think, long-term, that picking a one word designator like "rate" or
> > "gauge" and making them syntactically similar to sets with a type and flags
> > at the table level, and using @name syntax or having them be unnamed in
> > place, would make much more sense.
> >
> > It's especially confusing since "list map tablename mapname" and "list flow
> > table tablename flowname" are so similar in function but have a different
> > word count and are not orthogonal to add and delete and clear etc.
> >
> > So if they were just like sets this would be so much less confusing.
> >
> > table ip example {
> > gauge dhcp_throttle {
> > type ipv4_addr . inet_service
> > flags whatever, whateverelse
> > }
>
> This would provide a way to restore flow table between reboots, so we
> could even per populate them with elements.
>
> > chain dhcp_traffic {
> > gauge { ip saddr limit over 200/day } drop
> > gauge @dhcp_throttle { ip saddr . udp dport limit 3/second } accept
>
> This would resolve the inconsistency, yes.
>
> I would still stick to 'flow table' instead of 'gauge'. I was never
> comfortable with the fact that we overload 'table' with more semantics
> (given we already have tables in nf_tables).
Instead of gauge, would meter, track, watch, or measure work better (and be a little more self-documenting)?
N
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
