bugzilla-daemon at netfilter.org
2020-Feb-28 09:58 UTC
[Bug 1411] New: add elements with counter to dynamic sets with
https://bugzilla.netfilter.org/show_bug.cgi?id=1411

            Bug ID: 1411
           Summary: add elements with counter to dynamic sets with
           Product: nftables
           Version: unspecified
          Hardware: x86_64
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: karel at unitednetworks.cz

A few years ago I proposed hit counters for set items:

https://bugzilla.netfilter.org/show_bug.cgi?id=1185

Now that we have dynamic sets that replaced meters, and lookups are already allowed for these sets, maybe it is time to add "hit" counters to set items, which will increase by 1 when a lookup is successful.

Meters (dynamic sets) already have "add/update" counters, so you can see how many times a given item was added/updated. But when you add this item manually and not from the packet path, this counter is missing:

**********************
# setup dynamic set
nft add table t
nft add chain t c { type filter hook input priority 0\; }
nft add set t dynset { type ipv4_addr\; flags dynamic\; }
nft add rule t c add @dynset { ip saddr counter }

# ping 8.8.8.8
ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=50 time=6.05 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=50 time=5.05 ms
^C

# list dynamic set, see "add" counter
nft list set t dynset
table ip t {
        set dynset {
                type ipv4_addr
                size 65535
                flags dynamic
                elements = { 8.8.8.8 counter packets 2 bytes 168 }
        }
}

# now add set item manually
nft add element t dynset { 8.8.4.4 }

# ping 8.8.4.4
ping 8.8.4.4
PING 8.8.4.4 (8.8.4.4) 56(84) bytes of data.
64 bytes from 8.8.4.4: icmp_seq=1 ttl=50 time=4.91 ms
64 bytes from 8.8.4.4: icmp_seq=2 ttl=50 time=6.70 ms
^C

# and list dynamic set again, see counter is missing from manually added item
nft list set t dynset
table ip t {
        set dynset {
                type ipv4_addr
                size 65535
                flags dynamic
                elements = { 8.8.4.4, 8.8.8.8 counter packets 2 bytes 168 }
        }
}
**********************

To me it looks like an inconsistency. Manually added items should have counters too. So all elements in dynamic sets should have "add/update" counters regardless of how they were added to the set (from the packet path or manually).

And I am again proposing "hit" counters for set items, maybe with a flag "counter".

Actually, the ideal solution would be to have two counter set/map flags:

hit counter - +1 when successful lookup
add counter - +1 when add/update (regardless if manually or from packet path)

It would apply to all sets/maps, not even dynamic ones.
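A check built on the listing format shown in the report above, added here as an example (it is not part of the bug report or of nftables): it parses `nft list set` text output and names the elements that carry no `counter`, which in the reported case is the manually added one. The function names and the keyword list used to separate an element key from its statements are assumptions.

```python
import re

# Listing as shown in the report (output of `nft list set t dynset`).
SAMPLE = """\
table ip t {
        set dynset {
                type ipv4_addr
                size 65535
                flags dynamic
                elements = { 8.8.4.4, 8.8.8.8 counter packets 2 bytes 168 }
        }
}
"""

# Body of every "elements = { ... }" clause; set elements contain no braces.
ELEMENTS_RE = re.compile(r"elements\s*=\s*\{(.*?)\}", re.S)
COUNTER_RE = re.compile(r"\bcounter packets (\d+) bytes (\d+)")
# Assumed list of words that can follow an element key in a listing.
KEY_END_RE = re.compile(r"\s+(?=(?:timeout|expires|counter|limit|comment)\b)")


def parse_elements(listing):
    """Map each set element key to (packets, bytes), or None if it has no counter.

    Limitation: element comments containing ',' or '}' are not handled.
    """
    result = {}
    for body in ELEMENTS_RE.findall(listing):
        for item in body.split(","):
            item = item.strip()
            if not item:
                continue
            key = KEY_END_RE.split(item, maxsplit=1)[0]
            m = COUNTER_RE.search(item)
            result[key] = (int(m.group(1)), int(m.group(2))) if m else None
    return result


def uncounted(listing):
    """Elements whose traffic is invisible because no counter is attached."""
    return sorted(k for k, v in parse_elements(listing).items() if v is None)


if __name__ == "__main__":
    for key in uncounted(SAMPLE):
        print(f"no counter on element {key}")
```
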
bugzilla-daemon at netfilter.org
2020-Feb-28 10:01 UTC
[Bug 1411] add elements with counter to dynamic sets
https://bugzilla.netfilter.org/show_bug.cgi?id=1411

Karel Rericha <karel at unitednetworks.cz> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|add elements with counter   |add elements with counter
                   |to dynamic sets with        |to dynamic sets
bugzilla-daemon at netfilter.org
2020-Mar-24 12:38 UTC
[Bug 1411] add elements with counter to dynamic sets
https://bugzilla.netfilter.org/show_bug.cgi?id=1411

--- Comment #1 from Karel Rericha <karel at unitednetworks.cz> ---
Thanks to recent patches Pablo committed to nftables and kernel I already closed related bug

https://bugzilla.netfilter.org/show_bug.cgi?id=1185

Looks like this one will be satisfied too, but I will leave it open until I will be able to test it (kernel 5.7?).
bugzilla-daemon at netfilter.org
2020-Apr-15 21:20 UTC
[Bug 1411] add elements with counter to dynamic sets
https://bugzilla.netfilter.org/show_bug.cgi?id=1411

Pablo Neira Ayuso <pablo at netfilter.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

--- Comment #2 from Pablo Neira Ayuso <pablo at netfilter.org> ---
(In reply to Karel Rericha from comment #1)
> Looks like this one will be satisfied too, but I will leave it open until I
> will be able to test it (kernel 5.7?).

That's fine, thanks.