Difference between revisions of "Meters"

From nftables wiki

Revision as of 18:32, 15 February 2017

Flow tables

Since Linux kernel 4.3 and nft v0.6, nftables supports flow tables.

Flow tables provide a native replacement for the hashlimit match in iptables; unlike hashlimit, however, you can key them on any selector, either a single one or several combined through concatenations.

Using flow tables

The following commands create a table named filter, a chain named input which hooks incoming traffic and a rule that uses a flow table:

% nft add table filter
% nft add chain filter input {type filter hook input priority 0\;}
% nft add rule filter input tcp dport 22 ct state new flow table ssh-ftable { ip saddr limit rate 10/second } accept

In this example we create a rule that matches new ssh (port 22) connections and uses a flow table named ssh-ftable to limit the traffic rate to 10 packets per second for each source IP address. The available time units for limits are: second, minute, hour, day and week.

You can also use concatenations to build selectors:

% nft add rule filter input flow table cnt-ftable { iif . ip saddr . tcp dport timeout 60s counter }

This rule counts incoming packets per tuple (input interface index, IP source address, TCP destination port); a counter is dropped after 60 seconds without an update.

Listing flow tables

To list the elements currently tracked by a flow table, use:

% nft list flow table filter cnt-ftable
table ip filter {
	flow table cnt-ftable {
		type iface_index . ipv4_addr . inet_service
		flags timeout
		elements = { "wlan1" . 64.62.190.36 . 55000 expires 38s : counter packets 2 bytes 220, "wlan1" . 83.98.201.47 . 35460 expires 39s : counter packets 10 bytes 5988, "wlan1" . 172.217.7.142 . 43254 expires 46s : counter packets 1 bytes 98}
	}
}
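The listing above is what an operator would poll to see which sources a flow table is currently tracking. The following parser is an added example, not code from the nftables wiki: it turns that `nft list flow table` output into records and aggregates packet counts per source address, so an entry whose counter runs far ahead of the others can be flagged for investigation. The sample text is the listing from this page, embedded verbatim so the code runs offline; `FlowEntry`, `parse_flow_table`, `packets_by_source` and `over_threshold` are names chosen here.

```python
import re
from dataclasses import dataclass

# Constructed sample: the "nft list flow table filter cnt-ftable" output shown above.
SAMPLE_LISTING = """table ip filter {
    flow table cnt-ftable {
        type iface_index . ipv4_addr . inet_service
        flags timeout
        elements = { "wlan1" . 64.62.190.36 . 55000 expires 38s : counter packets 2 bytes 220, "wlan1" . 83.98.201.47 . 35460 expires 39s : counter packets 10 bytes 5988, "wlan1" . 172.217.7.142 . 43254 expires 46s : counter packets 1 bytes 98}
    }
}
"""

@dataclass
class FlowEntry:
    key: tuple        # selector values in "type" order, e.g. ("wlan1", "83.98.201.47", 35460)
    expires_s: int    # seconds until the element times out (the "timeout 60s" in the rule)
    packets: int
    nbytes: int

# One element: "<key> expires <N>s : counter packets <P> bytes <B>"; keys never contain ',' or braces.
ELEMENT_RE = re.compile(
    r'(?P<key>[^,{}]+?)\s+expires\s+(?P<exp>\d+)s\s*:\s*counter\s+packets\s+(?P<pk>\d+)\s+bytes\s+(?P<by>\d+)'
)

def parse_flow_table(text: str) -> list:
    """Parse the elements block of an 'nft list flow table' listing into FlowEntry records."""
    m = re.search(r'elements\s*=\s*\{(?P<body>.*?)\}', text, re.S)
    if not m:
        return []  # table exists but has no tracked elements yet
    entries = []
    for em in ELEMENT_RE.finditer(m.group('body')):
        # Concatenated selectors are separated by " . "; interface names are quoted, ports are numeric.
        parts = [p.strip().strip('"') for p in em.group('key').split(' . ')]
        key = tuple(int(p) if p.isdigit() else p for p in parts)
        entries.append(FlowEntry(key, int(em.group('exp')), int(em.group('pk')), int(em.group('by'))))
    return entries

def packets_by_source(entries, saddr_index=1):
    """Sum packet counters per source address (index 1 of the iif . ip saddr . tcp dport key)."""
    totals = {}
    for e in entries:
        totals[e.key[saddr_index]] = totals.get(e.key[saddr_index], 0) + e.packets
    return totals

def over_threshold(entries, packets):
    """Keys whose counter exceeds the given packet count; feed these to alerting or a deny set."""
    return [e.key for e in entries if e.packets > packets]
```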