On 1 April 2021 20:14:14 CEST, Florian Westphal <fw@xxxxxxxxx> wrote:
>Frank Wunderlich <frank-w@xxxxxxxxxxxxxxx> wrote:
>> my rules file looks like this now (just for anybody who wants to do similar):
>>
>> table ip filter {
>> ...
>> chain FORWARD {
>> type filter hook forward priority 0; policy drop;
>> #...
>> ip saddr $ipvoipbox udp dport 5160 counter name voip1 comment "counting packets for SIP1"
>> ip daddr $ipvoipbox udp dport 5160 counter name voip1 comment "counting packets for SIP1"
>> ip saddr $ipvoipbox udp sport 5161 counter name voip2 comment "counting packets for SIP2"
>> ip daddr $ipvoipbox udp dport 5161 counter name voip2 comment "counting packets for SIP2"
>> #...
>> }
>
>For two counters it makes no difference but note that you can combine
>named counters with maps:
>
>map voipcounters {
>	type ipv4_addr . inet_service : counter
>	elements = { 10.0.1.1 . 5160 : "voip1", 10.2.1.1 . 5161 : ...
>
>and then count with one rule only:
>
>counter name ip saddr . udp dport map @voipcounters

I have seen maps, but have not understood them :(

The IP is always the same ($ipvoipbox), only the port differs (sip1+sip2), and this bidirectionally (saddr/daddr, sport/dport) to catch traffic from/to this IP separated by SIP streams.

Your example seems to match only source addr and destination port. Maybe it's possible to match "addr" (saddr or daddr) and "port" (sport or dport), so I can have only 2 rules... with a map maybe only 1.

Maybe I can do further protocol filtering (filter out registrations to not count failed registrations, only working traffic).

>> one thing:
>>
>> # nft list counter filter voip2
>> table ip mangle {
>> }
>> table ip nat {
>> }
>> table ip filter {
>> 	counter voip2 {
>> 		packets 124 bytes 7440
>> 	}
>> }
>
>Can't repro so looks like this is already fixed.
>
>> tables mangle and nat should not be printed (still have them separately from converting iptables to nft)... in JSON format it is right
>
>Yes, they should not be printed.

I try this again with upstream nft.

Hi,

regards
Frank
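For anyone reading along: the following is an added example ruleset, not part of the mail above and not Frank's or Florian's code, that puts Florian's map suggestion together with the bidirectional counting Frank asked for. It keys traffic leaving the VoIP box on (saddr . sport) and traffic towards it on (daddr . dport), so both directions of each SIP stream land in the same named counter with two rules instead of four. The address 192.0.2.10 is a placeholder assumption for $ipvoipbox, and it assumes the box sends from its own SIP port (5160/5161), as Frank's voip2 sport rule does; the posted voip1 rules keyed on dport in both directions, so adjust the first lookup if that is what your box actually does.

```nft
#!/usr/sbin/nft -f
# Added example: named counters addressed through a concatenation map.
# Assumption: the VoIP box is 192.0.2.10 and uses 5160/5161 as its own
# source port when it sends SIP traffic.
define ipvoipbox = 192.0.2.10

table ip filter {
	# the counter objects that `nft list counter filter voip1` will show
	counter voip1 { packets 0 bytes 0 }
	counter voip2 { packets 0 bytes 0 }

	# key: address . port, value: which named counter to bump
	map voipcounters {
		type ipv4_addr . inet_service : counter
		elements = { $ipvoipbox . 5160 : "voip1",
			     $ipvoipbox . 5161 : "voip2" }
	}

	chain FORWARD {
		type filter hook forward priority 0; policy drop;
		# ...
		# from the box: the box's address is saddr, its SIP port is sport
		counter name ip saddr . udp sport map @voipcounters
		# to the box: the box's address is daddr, its SIP port is dport
		counter name ip daddr . udp dport map @voipcounters
		# ...
	}
}
```

Load it with `nft -f <file>` and read the result with `nft list counter filter voip1` (or `nft list map filter voipcounters` to see the keys). Packets whose address/port pair is not in the map simply do not hit a counter and fall through to the following rules; nothing is dropped or accepted by these two statements themselves. Object maps with a concatenated key need a reasonably current nft and kernel; if your nft rejects the map type, the four explicit `counter name voipN` rules from the quoted mail remain the fallback.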