nftables wiki - User contributions [en]

Stateful objects

2019-01-10T17:55:57Z

Dlakeland: /* Resetting stateful objects */

Since Linux Kernel 4.10 and nft v0.8 nftables supports stateful objects.

Stateful objects group stateful information of rules, the supported types are: counters and quotas. Stateful objects are attached to tables and have a unique name, defined by the user.

= Creating stateful objects =

You can create a counter with the command:

<source lang="bash">
% nft add table filter
% nft add counter filter https-traffic
</source>

These rules create a table named ''filter'', then a counter named ''https-traffic'' and attaches it to ''filter''.

Creating a quota is similar:

<source lang="bash">
% nft add quota filter https-quota 25 mbytes
</source>

A quota named ''https-quota'' is attached to the table ''filter'', notice that you must specify the quota's size on creation.

= Referencing stateful objects in rules =

Stateful objects are referenced in rules by their names. They act as both actions and in the case of quotas also matches the simplest way is:

<source lang="bash">
% nft add chain filter output { type filter hook output priority 0 \; }
% nft add rule filter output tcp dport https counter name https-traffic
</source>

These rules create a chain named ''output'' in the table ''filter'', then a rule to counter the ''https'' packets generated by your machine and display them in the counter ''https-traffic''.

They can also be used with maps:

<source lang="bash">
% nft add rule filter output counter name tcp dport map { \
https : "https-traffic", \
80 : "http-traffic", \
25 : "foo-counter", \
50 : "foo-counter", \
107 : "foo-counter" \
}
</source>

Similarly, dynamic maps can be used:

<source lang="bash">
% nft add map filter ports { type inet_service : quota \; }
% nft add rule filter output quota name tcp dport map @ports
% nft add quota filter http-quota over 25 mbytes
% nft add quota filter ssh-quota 10 kbytes
% nft add element filter ports { 80 : "http-quota" }
% nft add element filter ports { 22 : "ssh-quota" }
</source>

When using quotas, the packet will be counted towards the quota, and if the quota matches (either up-to or over depending on quota type) the remaining actions will take place, otherwise not.

<source lang="bash">

table inet foo {
quota example { over 100 mbytes used 0 bytes }

chain dropafterquota {
type filter hook postrouting priority 0; policy accept;
udp port 5060 quota name "example" drop
}

}

</source>

Will count all udp port 5060 packets towards the quota and drop all packets once the quota hits its "over 100 mbytes" threshold.

= Listing stateful objects =

You can list the stateful information of objects individually via:

<source lang="bash">
% nft list counter filter https-traffic
</source>

Also, it's possible to list all stateful objects of the same type:

<source lang="bash">
% nft list quotas
</source>

And list all stateful objects of a type in a table:

<source lang="bash">
% nft list counters table filter
</source>

= Resetting stateful objects =

Resetting an object will atomically dump and reset its content:

<source lang="bash">
% nft reset quota filter https-quota
table ip filter {
quota https-quota {
25 mbytes used 217 kbytes
}
}

% nft list quota filter https-quota
table ip filter {
quota https-quota {
25 mbytes
}
}
</source>

Other usages are similar to the command list, e.g.

<source lang="bash">
% nft reset counters
% nft reset quotas table filter
</source>

At the moment (Jan 2019) resetting quotas does not reset anonymous quotas such as used in rules without names, see [https://bugzilla.netfilter.org/show_bug.cgi?id=1314 bug #1314]

Stateful objects

2019-01-10T17:46:42Z

Dlakeland: /* Referencing stateful objects in rules */

Stateful objects

2019-01-10T17:40:23Z

Dlakeland: /* Referencing stateful objects in rules */

Since Linux Kernel 4.10 and nft v0.8 nftables supports stateful objects.

Stateful objects group stateful information of rules, the supported types are: counters and quotas. Stateful objects are attached to tables and have a unique name, defined by the user.

= Creating stateful objects =

You can create a counter with the command:

<source lang="bash">
% nft add table filter
% nft add counter filter https-traffic
</source>

These rules create a table named ''filter'', then a counter named ''https-traffic'' and attaches it to ''filter''.

Creating a quota is similar:

<source lang="bash">
% nft add quota filter https-quota 25 mbytes
</source>

A quota named ''https-quota'' is attached to the table ''filter'', notice that you must specify the quota's size on creation.

= Referencing stateful objects in rules =

Stateful objects are referenced in rules by their names. They act as both actions and in the case of quotas also matches the simplest way is:

<source lang="bash">
% nft add chain filter output { type filter hook output priority 0 \; }
% nft add rule filter output tcp dport https counter name https-traffic
</source>

These rules create a chain named ''output'' in the table ''filter'', then a rule to counter the ''https'' packets generated by your machine and display them in the counter ''https-traffic''.

They can also be used with maps:

<source lang="bash">
% nft add rule filter output counter name tcp dport map { \
https : "https-traffic", \
80 : "http-traffic", \
25 : "foo-counter", \
50 : "foo-counter", \
107 : "foo-counter" \
}
</source>

Similarly, dynamic maps can be used:

<source lang="bash">
% nft add map filter ports { type inet_service : quota \; }
% nft add rule filter output quota name tcp dport map @ports
% nft add quota filter http-quota over 25 mbytes
% nft add quota filter ssh-quota 10 kbytes
% nft add element filter ports { 80 : "http-quota" }
% nft add element filter ports { 22 : "ssh-quota" }
</source>

When using quotas, the packet will be counted towards the quota, and if the quota matches (either up-to or over depending on quota type) the remaining actions will take place, otherwise not.

<source lang="bash">

table inet foo {
quota example { over 100 mbytes used 0 bytes }

chain dropafterquota {
type filter hook postrouting priority 0; policy accept;
udp port 5060 quota example drop
}

}

</source>

Will count all udp port 5060 packets towards the quota and drop all packets once the quota hits its "over 100 mbytes" threshold.

= Listing stateful objects =

You can list the stateful information of objects individually via:

<source lang="bash">
% nft list counter filter https-traffic
</source>

Also, it's possible to list all stateful objects of the same type:

<source lang="bash">
% nft list quotas
</source>

And list all stateful objects of a type in a table:

<source lang="bash">
% nft list counters table filter
</source>

= Resetting stateful objects =

Resetting an object will atomically dump and reset its content:

<source lang="bash">
% nft reset quota filter https-quota
table ip filter {
quota https-quota {
25 mbytes used 217 kbytes
}
}

% nft list quota filter https-quota
table ip filter {
quota https-quota {
25 mbytes
}
}
</source>

Other usages are similar to the command list, e.g.

<source lang="bash">
% nft reset counters
% nft reset quotas table filter
</source>