From patchwork Sun Dec 25 12:12:55 2016
X-Patchwork-Submitter: Liping Zhang
X-Patchwork-Id: 708716
X-Patchwork-Delegate: pablo@netfilter.org
From: Liping Zhang
To: pablo@netfilter.org
Cc: netfilter-devel@vger.kernel.org, Liping Zhang
Subject: [PATCH nft] ct: add average bytes per packet counter support
Date: Sun, 25 Dec 2016 20:12:55 +0800
Message-Id: <1482667975-736-1-git-send-email-zlpnobody@163.com>
X-Mailer: git-send-email 2.5.5
X-Mailing-List: netfilter-devel@vger.kernel.org

From: Liping Zhang

Similar to the connbytes extension in iptables, now you can use it to match
the average bytes per packet a connection has transferred so far.

For example, match avgpkt in "BOTH" direction:

  # nft add rule x y ct avgpkt \> 100

Match avgpkt in reply direction:

  # nft add rule x y ct reply avgpkt \< 900

Or match avgpkt in original direction:

  # nft add rule x y ct original avgpkt \> 200

Signed-off-by: Liping Zhang
---
 doc/nft.xml                         | 13 ++++++++++---
 include/linux/netfilter/nf_tables.h |  5 +++++
 src/ct.c                            |  2 ++
 src/parser_bison.y                  |  2 ++
 src/scanner.l                       |  1 +
 tests/py/any/ct.t                   |  3 +++
 tests/py/any/ct.t.payload           | 12 ++++++++++++
 7 files changed, 35 insertions(+), 3 deletions(-)

diff --git a/doc/nft.xml b/doc/nft.xml index 8026d85..a421278 100644 --- a/doc/nft.xml +++ b/doc/nft.xml
@@ -2112,9 +2112,9 @@ inet filter meta nfproto ipv6 output rt nexthop fd00::1 There are three types of conntrack expressions. Some conntrack expressions require the flow - direction before the conntrack key, others must be used directly because they are - direction agnostic. The packets and bytes keywords can be used - with or without a direction. If the direction is omitted, the sum of the original and the reply + direction before the conntrack key, others must be used directly because they are direction agnostic. + The packets, bytes and avgpkt keywords can be + used with or without a direction. If the direction is omitted, the sum of the original and the reply direction is returned. @@ -2132,6 +2132,7 @@ inet filter meta nfproto ipv6 output rt nexthop fd00::1 protocol bytes packets + avgpkt @@ -2149,6 +2150,7 @@ inet filter meta nfproto ipv6 output rt nexthop fd00::1 proto-dst bytes packets + avgpkt @@ -2242,6 +2244,11 @@ inet filter meta nfproto ipv6 output rt nexthop fd00::1 bytecount seen, see description for packets keyword integer (64 bit) + + avgpkt + average bytes per packet, see description for packets keyword + integer (64 bit) + diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h index f030e59..031c119 100644 --- a/include/linux/netfilter/nf_tables.h +++ b/include/linux/netfilter/nf_tables.h @@ -845,6 +845,10 @@ enum nft_rt_attributes { * @NFT_CT_PROTOCOL: conntrack layer 4 protocol * @NFT_CT_PROTO_SRC: conntrack layer 4 protocol source * @NFT_CT_PROTO_DST: conntrack layer 4 protocol destination + * @NFT_CT_LABELS: conntrack labels + * @NFT_CT_PKTS: conntrack packets + * @NFT_CT_BYTES: conntrack bytes + * @NFT_CT_AVGPKT: conntrack average bytes per packet */ enum nft_ct_keys { NFT_CT_STATE, @@ -863,6 +867,7 @@ enum nft_ct_keys { NFT_CT_LABELS, NFT_CT_PKTS, NFT_CT_BYTES, + NFT_CT_AVGPKT, }; /** diff --git a/src/ct.c b/src/ct.c index d079289..31c7a4b 100644 --- a/src/ct.c +++ b/src/ct.c 
@@ -232,6 +232,8 @@ static const struct ct_template ct_templates[] = { BYTEORDER_HOST_ENDIAN, 64), [NFT_CT_PKTS] = CT_TEMPLATE("packets", &integer_type, BYTEORDER_HOST_ENDIAN, 64), + [NFT_CT_AVGPKT] = CT_TEMPLATE("avgpkt", &integer_type, + BYTEORDER_HOST_ENDIAN, 64), }; static void ct_expr_print(const struct expr *expr) diff --git a/src/parser_bison.y b/src/parser_bison.y index deaaf06..d2e6c17 100644 --- a/src/parser_bison.y +++ b/src/parser_bison.y @@ -363,6 +363,7 @@ static void location_update(struct location *loc, struct location *rhs, int n) %token COUNTER "counter" %token PACKETS "packets" %token BYTES "bytes" +%token AVGPKT "avgpkt" %token LOG "log" %token PREFIX "prefix" @@ -2700,6 +2701,7 @@ ct_key_dir : SADDR { $$ = NFT_CT_SRC; } ct_key_counters : BYTES { $$ = NFT_CT_BYTES; } | PACKETS { $$ = NFT_CT_PKTS; } + | AVGPKT { $$ = NFT_CT_AVGPKT; } ; ct_stmt : CT ct_key SET expr diff --git a/src/scanner.l b/src/scanner.l index 625023f..4aaf2bb 100644 --- a/src/scanner.l +++ b/src/scanner.l @@ -292,6 +292,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr}) "counter" { return COUNTER; } "packets" { return PACKETS; } "bytes" { return BYTES; } +"avgpkt" { return AVGPKT; } "log" { return LOG; } "prefix" { return PREFIX; } diff --git a/tests/py/any/ct.t b/tests/py/any/ct.t index 76be185..2cfbfe1 100644 --- a/tests/py/any/ct.t +++ b/tests/py/any/ct.t @@ -80,6 +80,9 @@ ct original bytes \> 100000;ok;ct original bytes > 100000 ct reply packets \< 100;ok;ct reply packets < 100 ct bytes \> 100000;ok;ct bytes > 100000 +ct avgpkt \> 200;ok;ct avgpkt > 200 +ct original avgpkt \< 500;ok;ct original avgpkt < 500 + # bogus direction ct both bytes gt 1;fail # nonsensical diff --git a/tests/py/any/ct.t.payload b/tests/py/any/ct.t.payload index 90fce9f..3370bca 100644 --- a/tests/py/any/ct.t.payload +++ b/tests/py/any/ct.t.payload 
@@ -361,6 +361,18 @@ ip test-ip4 output [ byteorder reg 1 = hton(reg 1, 8, 8) ] [ cmp gt reg 1 0x00000000 0xa0860100 ] +# ct avgpkt \> 200 +ip test-ip4 output + [ ct load avgpkt => reg 1 ] + [ byteorder reg 1 = hton(reg 1, 8, 8) ] + [ cmp gt reg 1 0x00000000 0xc8000000 ] + +# ct original avgpkt \< 500 +ip test-ip4 output + [ ct load avgpkt => reg 1 , dir original ] + [ byteorder reg 1 = hton(reg 1, 8, 8) ] + [ cmp lt reg 1 0x00000000 0xf4010000 ] + # ct status expected,seen-reply,assured,confirmed,snat,dnat,dying ip test-ip4 output [ ct load status => reg 1 ]
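Review bot: the doc/nft.xml hunk at @@ -2112 leaves the sentence "If the direction is omitted, the sum of the original and the reply direction is returned" covering avgpkt as well, but an average is not a sum, so a reader cannot tell whether a directionless avgpkt is the average over both directions' combined packet and byte counters or something else. Spell out what avgpkt returns when no direction is given, either in that sentence or in the new table row at @@ -2242, whose "average bytes per packet, see description for packets keyword" currently points back to the same ambiguity.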
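Review bot: the commit message should name the kernel commit or release that introduces NFT_CT_AVGPKT, which the include/linux/netfilter/nf_tables.h hunk copies into nft's uapi header (together with the kernel-doc lines for NFT_CT_LABELS, NFT_CT_PKTS and NFT_CT_BYTES that were previously missing). Without that reference a user on an older kernel has no way to tell that "ct avgpkt > 100" parses fine in nft but can only be rejected by the kernel when the rule is loaded; the minimum kernel requirement belongs in the message, and ideally in the doc hunk as well.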
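Review bot: tests/py/any/ct.t is missing a reply-direction case and a bogus-direction case for the new key: the hunk adds only "ct avgpkt \> 200;ok;ct avgpkt > 200" and "ct original avgpkt \< 500;ok;ct original avgpkt < 500", while the commit message also shows the reply form and the file already rejects "ct both bytes gt 1;fail" under "# bogus direction". Add "ct reply avgpkt \< 900;ok;ct reply avgpkt < 900" and a matching "ct both avgpkt gt 1;fail", with the corresponding reply-direction entry in tests/py/any/ct.t.payload, so avgpkt gets the same direction coverage as packets and bytes.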