bugzilla-daemon at netfilter.org
2018-Dec-31 21:44 UTC
[Bug 1314] New: nft reset quotas does not reset anonymous quotas
https://bugzilla.netfilter.org/show_bug.cgi?id=1314

    Bug ID: 1314
    Summary: nft reset quotas does not reset anonymous quotas
    Product: nftables
    Version: unspecified
    Hardware: x86_64
    OS: Debian GNU/Linux
    Status: NEW
    Severity: normal
    Priority: P5
    Component: nft
    Assignee: pablo at netfilter.org
    Reporter: dlakelan at street-artists.org

supposing that I have a quota myquota then

    meta mark 0x123 quota named myquota

will count the packets. and "nft reset quotas" will reset the quota

Suppose instead I want to use an anonymous quota to drop packets

    meta mark 0x123 quota over 1500 mbytes drop

works, but "nft reset quotas" DOES NOT reset the quota.

I can reset the quota doing a complete reload "nft -f /etc/nftables.conf" for example.

This is on Debian:

    root@pico:~# cat /proc/version
    Linux version 4.19.0-1-amd64 (debian-kernel at lists.debian.org) (gcc version 8.2.0 (Debian 8.2.0-12)) #1 SMP Debian 4.19.9-1 (2018-12-16)
    root@pico:~# nft --version
    nftables v0.9.0 (Fearless Fosdick)

bugzilla-daemon at netfilter.org
2019-Jul-14 09:15 UTC
[Bug 1314] nft reset quotas does not reset anonymous quotas
https://bugzilla.netfilter.org/show_bug.cgi?id=1314

Florian Westphal <fw at strlen.de> changed:

    What     | Removed                | Added
    ---------+------------------------+----------------
    Assignee | pablo at netfilter.org | fw at strlen.de
    CC       |                        | fw at strlen.de

--- Comment #1 from Florian Westphal <fw at strlen.de> ---
(In reply to Daniel from comment #0)
> supposing that I have a quota myquota then
>
> meta mark 0x123 quota named myquota
>
> will count the packets. and "nft reset quotas" will reset the quota
>
> Suppose instead I want to use an anonymous quota to drop packets
>
> meta mark 0x123 quota over 1500 mbytes drop
>
> works, but "nft reset quotas" DOES NOT reset the quota.

Pablo, any suggestion?
I think that resetting anon counter/quotas too makes sense,
at least I'd expect it to work that way.

I can have a look at this, just let me know if you agree with resetting
the anon ones too.

bugzilla-daemon at netfilter.org
2019-Jul-15 11:34 UTC
[Bug 1314] nft reset quotas does not reset anonymous quotas
https://bugzilla.netfilter.org/show_bug.cgi?id=1314

Pablo Neira Ayuso <pablo at netfilter.org> changed:

    What   | Removed | Added
    -------+---------+------------------------
    Status | NEW     | ASSIGNED
    CC     |         | pablo at netfilter.org

--- Comment #2 from Pablo Neira Ayuso <pablo at netfilter.org> ---
(In reply to Florian Westphal from comment #1)
> (In reply to Daniel from comment #0)
> > supposing that I have a quota myquota then
> >
> > meta mark 0x123 quota named myquota
> >
> > will count the packets. and "nft reset quotas" will reset the quota
> >
> > Suppose instead I want to use an anonymous quota to drop packets
> >
> > meta mark 0x123 quota over 1500 mbytes drop
> >
> > works, but "nft reset quotas" DOES NOT reset the quota.
>
> Pablo, any suggestion?
> I think that resetting anon counter/quotas too makes sense,
> at least I'd expect it to work that way.
>
> I can have a look at this, just let me know if you agree with resetting
> the anon ones too.

This probably requires a new command, since NFT_MSG_GETOBJ_RESET assumes there
is an object in place. This new anonymous object cannot be listed, so you
cannot dump its content. So you cannot inspect stateful information for this
anonymous quota.

@Daniel: What prevents you from defining a named quota to achieve what you
need?

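The named-quota alternative raised in comment #2, written out as an added example that is not part of the original thread or the project's own code. The table name `filter` and chain name `forward` are assumptions; the mark, the limit and the quota name come from comment #0.

```nftables
# Added example, not from the thread. Table "filter" and chain "forward"
# are assumed names; mark 0x123, 1500 mbytes and "myquota" are from comment #0.

table inet filter {
    # Named quota object: it is listed by "nft list quotas" and is the
    # kind of object that "nft reset quotas" operates on.
    quota myquota {
        over 1500 mbytes
    }

    chain forward {
        type filter hook forward priority 0; policy accept;

        # Anonymous form from the report: the byte count belongs to the
        # rule, there is no object to list, and "nft reset quotas" does
        # not reset it.
        # meta mark 0x123 quota over 1500 mbytes drop

        # Named form: the rule references the object and matches once the
        # object is over its limit, at which point the packet is dropped.
        meta mark 0x123 quota name "myquota" drop
    }
}

# Inspect and reset without reloading the whole ruleset:
#   nft list quotas
#   nft reset quota inet filter myquota
#   nft reset quotas
```
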
bugzilla-daemon at netfilter.org
2020-Jan-28 20:44 UTC
[Bug 1314] nft reset quotas does not reset anonymous quotas
https://bugzilla.netfilter.org/show_bug.cgi?id=1314

kfm at plushkava.net changed:

    What | Removed | Added
    -----+---------+----------------------
    CC   |         | kfm at plushkava.net

--- Comment #3 from kfm at plushkava.net ---
(In reply to Florian Westphal from comment #1)
> Pablo, any suggestion?
> I think that resetting anon counter/quotas too makes sense,
> at least I'd expect it to work that way.

I found this after filing bug 1401 and am very much in agreement. I don't use
quotas but I've made some suggestions in said bug that are probably as relevant
to quotas as they are to counters.

bugzilla-daemon at netfilter.org
2020-Jan-28 21:30 UTC
[Bug 1314] nft reset quotas does not reset anonymous quotas
https://bugzilla.netfilter.org/show_bug.cgi?id=1314

--- Comment #4 from Pablo Neira Ayuso <pablo at netfilter.org> ---
(In reply to kfm from comment #3)
> (In reply to Florian Westphal from comment #1)
> > Pablo, any suggestion?
> > I think that resetting anon counter/quotas too makes sense,
> > at least I'd expect it to work that way.
>
> I found this after filing bug 1401 and am very much in agreement. I don't
> use quotas but I've made some suggestions in said bug that are probably as
> relevant to quotas as they are to counters.

The question is if we want to have a fine grain to reset anonymous stateful
information, or just 'nft reset ruleset' to reset all stateful information
(including quotas and counters) is fine.

What would you prefer?

bugzilla-daemon at netfilter.org
2020-Jan-28 21:47 UTC
[Bug 1314] nft reset quotas does not reset anonymous quotas
https://bugzilla.netfilter.org/show_bug.cgi?id=1314

--- Comment #5 from kfm at plushkava.net ---
(In reply to Pablo Neira Ayuso from comment #4)
> The question is if we want to have a fine grain to reset anonymous stateful
> information, or just 'nft reset ruleset' to reset all stateful information
> (including quotas and counters) is fine.
>
> What would you prefer?

Personally, I'd like for it to be as granular as is reasonably possible i.e.
more or less achieving feature parity with iptables -Z. I go into specific
detail in the other bug, including some suggestions as to how the nft syntax
could look for granular reset actions.

That said, I appreciate that this might not be trivial to implement or that it
cannot necessarily be considered as a development priority. As the first course
of action, if both of "nft reset quotas" and "nft reset counters" were to cover
all anonymous instances, that would address this bug, along with one of the
requests that I made in bug 1401. In and as of itself, that would be a nice
improvement. If anyone can figure out how to support granular actions
thereafter, then so much the better.

Apparently Analogous Threads
- [Bug 1135] New: When used as a script interpreter, nft fails if extra arguments are passed
- [Bug 1315] New: Does not seem to be a way to use a named quota to make decisions in a rule
- [Bug 1401] New: Discretely resetting anonymous counters is impossible
- [Bug 1449] New: nft ipv4 set with interval issue
- [Bug 1336] New: "nft reset counters" does not respect -j option for JSON output