bugzilla-daemon at netfilter.org
2021-Jan-15 23:56 UTC
[Bug 1493] New: sets: timeout+counter
https://bugzilla.netfilter.org/show_bug.cgi?id=1493
Bug ID: 1493
Summary: sets: timeout+counter
Product: nftables
Version: unspecified
Hardware: x86_64
OS: Debian GNU/Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: bugz at dragon-home.dyndns-mail.com
# cat tst.nft
#!/usr/sbin/nft -f
flush ruleset
add table ip filter
add set ip filter tst { type ipv4_addr; counter; flags timeout; size 8; }
add chain ip filter fin { type filter hook input priority filter; policy accept; }
add rule ip filter fin tcp dport 1111 add @tst { ip daddr timeout 5m }
add element ip filter tst { 127.0.0.2 timeout 10m }
# ./tst.nft
# nft list ruleset
table ip filter {
set tst {
type ipv4_addr
size 8
flags timeout
counter
elements = { 127.0.0.2 timeout 10m expires 9m38s836ms counter packets 0 bytes 0 }
}
chain fin {
type filter hook input priority filter; policy accept;
tcp dport 1111 add @tst { ip daddr timeout 5m }
}
}
# telnet 127.0.0.2 1111
...
# nft list ruleset
table ip filter {
set tst {
type ipv4_addr
size 8
flags timeout
counter
elements = { 127.0.0.2 timeout 10m expires 9m13s516ms counter packets 1 bytes 60 }
}
chain fin {
type filter hook input priority filter; policy accept;
tcp dport 1111 add @tst { ip daddr timeout 5m }
}
}
# telnet 127.0.0.1 1111
...
# nft list ruleset
table ip filter {
set tst {
type ipv4_addr
size 8
flags timeout
counter
elements = { 127.0.0.1 expires 4m57s440ms, 127.0.0.2 timeout 10m expires 8m59s428ms counter packets 1 bytes 60 }
}
chain fin {
type filter hook input priority filter; policy accept;
tcp dport 1111 add @tst { ip daddr timeout 5m }
}
}
Where is the counter for 127.0.0.1?
Debian10
linux-image-5.9.0-0.bpo.2-amd64 (5.9.6-1~bpo10+1)
nftables v0.9.6 (0.9.6-1~bpo10+1 amd64)
--
You are receiving this mail because:
You are watching all bug changes.
https://bugzilla.netfilter.org/show_bug.cgi?id=1493
Pablo Neira Ayuso <pablo at netfilter.org> changed:
What      |Removed |Added
----------------------------------------------------------------------------
Status    |NEW     |ASSIGNED
--- Comment #1 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Kernel patch to fix the missing counters:
https://patchwork.ozlabs.org/project/netfilter-devel/patch/20210116180313.16943-1-pablo at netfilter.org/
It applies to 5.11-rc, I will send a backport to request inclusion in -stable
kernels.
There is another issue: the timeout policy is not displayed when listing (only the expiration), which results in the timeout policy being skipped next time you reload the listing. Another patch:
https://patchwork.ozlabs.org/project/netfilter-devel/patch/20210116182932.737-1-pablo at netfilter.org/
Until these patches get into the kernel, I can provide a workaround for you:
- Set the dynamic flag in your set definition; this is convenient since it specifies that the set is updated from the packet path.
set tst {
type ipv4_addr
size 8
flags timeout,dynamic
counter
}
- Specify counter in the set statement:
tcp dport 1111 add @tst { ip daddr timeout 5m counter }
It's kind of redundant, but it will work until kernels honor the set definition containing the counter.
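An added check, not part of the bug report or of nftables itself: it parses `nft list ruleset` output and flags elements that lack a counter or an explicit timeout policy even though their set declares `counter` or `flags timeout`, which is exactly what the listing above shows for 127.0.0.1. The sample listing is the one quoted in the report (with tabs replaced by spaces); the element text checked per set is assumed to contain no commas other than the separators between elements.

```python
import re

# Constructed sample: the `nft list ruleset` output quoted in the bug report.
# 127.0.0.1 was added from the packet path (the `add @tst` rule) and shows
# neither a counter nor a timeout policy; 127.0.0.2 was added with
# `add element` and shows both.
SAMPLE_LISTING = """\
table ip filter {
    set tst {
        type ipv4_addr
        size 8
        flags timeout
        counter
        elements = { 127.0.0.1 expires 4m57s440ms, 127.0.0.2 timeout 10m
                     expires 8m59s428ms counter packets 1 bytes 60 }
    }
}
"""


def parse_sets(listing):
    """Map set name -> (declaration text, [element text, ...]) from nft list output."""
    sets, name, depth, body = {}, None, 0, []
    for raw in listing.splitlines():
        line = raw.strip()
        if name is None:
            m = re.match(r"set\s+(\S+)\s*\{", line)
            if m:
                name, depth, body = m.group(1), 1, []
            continue
        depth += line.count("{") - line.count("}")   # track nested braces
        if depth > 0:
            body.append(line)
            continue
        text = " ".join(body)                         # set block is complete
        decl, _, rest = text.partition("elements = {")
        elems = [e.strip() for e in rest.rsplit("}", 1)[0].split(",") if e.strip()]
        sets[name], name = (decl, elems), None
    return sets


def find_inconsistent_elements(listing):
    """Return (set, element, problem) for elements missing state their set declares."""
    problems = []
    for name, (decl, elems) in parse_sets(listing).items():
        flags = re.search(r"\bflags\s+([\w,]+)", decl)
        wants_timeout = bool(flags and "timeout" in flags.group(1).split(","))
        wants_counter = bool(re.search(r"\bcounter\b", decl))
        for elem in elems:
            key = elem.split()[0]
            if wants_counter and not re.search(r"\bcounter\b", elem):
                problems.append((name, key, "no counter"))
            if wants_timeout and not re.search(r"\btimeout\b", elem):
                problems.append((name, key, "no timeout policy"))
    return problems
```

Feed it the output of `nft list ruleset` on a host to see whether its kernel still exhibits both issues for packet-path additions.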