[Bug 1411] New: add elements with counter to dynamic sets with
bugzilla-daemon at netfilter.org
Fri Feb 28 10:58:03 CET 2020
https://bugzilla.netfilter.org/show_bug.cgi?id=1411
Bug ID: 1411
Summary: add elements with counter to dynamic sets with
Product: nftables
Version: unspecified
Hardware: x86_64
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: karel at unitednetworks.cz
A few years ago I proposed hit counters for set items:
https://bugzilla.netfilter.org/show_bug.cgi?id=1185
Now that we have dynamic sets that replaced meters, and lookups are already
allowed for these sets, maybe it is time to add "hit" counters to set items,
which would increase by 1 when a lookup is successful.
Meters (dynamic sets) already have "add/update" counters, so you can see how
many times a given item was added/updated. But when you add this item manually
and not from the packet path, this counter is missing:
**********************
# setup dynamic set
nft add table t
nft add chain t c { type filter hook input priority 0\; }
nft add set t dynset { type ipv4_addr\; flags dynamic\; }
nft add rule t c add @dynset { ip saddr counter }
# ping 8.8.8.8
ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=50 time=6.05 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=50 time=5.05 ms
^C
# list dynamic set, see "add" counter
nft list set t dynset
table ip t {
	set dynset {
		type ipv4_addr
		size 65535
		flags dynamic
		elements = { 8.8.8.8 counter packets 2 bytes 168 }
	}
}
# now add set item manually
nft add element t dynset { 8.8.4.4 }
# ping 8.8.4.4
ping 8.8.4.4
PING 8.8.4.4 (8.8.4.4) 56(84) bytes of data.
64 bytes from 8.8.4.4: icmp_seq=1 ttl=50 time=4.91 ms
64 bytes from 8.8.4.4: icmp_seq=2 ttl=50 time=6.70 ms
^C
# and list dynamic set again, see counter is missing from manually added item
nft list set t dynset
table ip t {
	set dynset {
		type ipv4_addr
		size 65535
		flags dynamic
		elements = { 8.8.4.4, 8.8.8.8 counter packets 2 bytes 168 }
	}
}
**********************
For me it looks like an inconsistency. Manually added items should have counters
too. So all elements in dynamic sets should have "add/update" counters
regardless of how they were added to the set (from the packet path or manually).
And I am again proposing "hit" counters for set items, maybe with a flag
"counter".
Actually, the ideal solution would be to have two counter set/map flags:
hit counter - +1 on a successful lookup
add counter - +1 on add/update (regardless of whether manually or from the packet path)
It would apply to all sets/maps, not only dynamic ones.
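The inconsistency reported above can be audited mechanically: the following shell function, an added example that is not part of the bug report or of nftables, reads the text output of `nft list set` and prints every element whose definition carries no per-element counter. The listing it runs on is constructed from the report's output, with one extra timeout element added and the list wrapped over two lines as nft does for longer element lists.

```shell
#!/bin/sh
# Audit an `nft list set <table> <set>` dump for elements without a counter.
# Added example (not from the bug report or nftables); sample input is constructed.

elements_without_counter() {
    # Reads the `nft list set` text on stdin and prints one element key per
    # line for every element whose definition lacks the word "counter".
    awk '
        /elements = / {
            inel = 1
            $0 = substr($0, index($0, "{") + 1)   # drop "elements = {"
        }
        inel {
            close_at = index($0, "}")
            if (close_at > 0) {
                $0 = substr($0, 1, close_at - 1)    # drop the closing "}"
                inel = 0
                done = 1
            }
            buf = buf " " $0                        # join wrapped lines
        }
        done { exit }                               # exit still runs END
        END {
            n = split(buf, items, ",")
            for (i = 1; i <= n; i++) {
                item = items[i]
                gsub(/^[ \t]+|[ \t]+$/, "", item)   # trim whitespace
                if (item == "") continue
                split(item, words, /[ \t]+/)        # words[1] is the key
                if (item !~ /(^| )counter( |$)/) print words[1]
            }
        }'
}

# Constructed sample: the report's listing plus a timeout element, wrapped
# over two lines the way nft prints longer element lists.
sample_listing='table ip t {
    set dynset {
        type ipv4_addr
        size 65535
        flags dynamic
        elements = { 8.8.4.4, 10.0.0.1 timeout 1h expires 59m,
                     8.8.8.8 counter packets 2 bytes 168 }
    }
}'

printf '%s\n' "$sample_listing" | elements_without_counter
```

On a live system the same function can be fed with `nft list set t dynset | elements_without_counter`; elements it prints will never show add or hit counts, which is exactly the gap the report describes.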