http://wiki.nftables.org/wiki-nftables/api.php?action=feedcontributions&user=Dlakeland&feedformat=atom
nftables wiki - User contributions [en] 2024-03-29T12:48:04Z
User contributions, MediaWiki 1.36.4
http://wiki.nftables.org/wiki-nftables/index.php?title=Stateful_objects&diff=358
Stateful objects, 2019-01-10T17:55:57Z
<p>Dlakeland: /* Resetting stateful objects */</p>
<hr />
<div>Since Linux kernel 4.10 and nft v0.8, nftables supports stateful objects.

Stateful objects hold state shared between rules; the supported types are counters and quotas. A stateful object is attached to a table and has a unique, user-defined name.

= Creating stateful objects =

You can create a counter with the commands:

<source lang="bash">
% nft add table filter
% nft add counter filter https-traffic
</source>

These commands create a table named ''filter'', then a counter named ''https-traffic'' attached to ''filter''.

Creating a quota is similar:

<source lang="bash">
% nft add quota filter https-quota 25 mbytes
</source>

A quota named ''https-quota'' is attached to the table ''filter''. Note that you must specify the quota's size on creation.
<br />
= Referencing stateful objects in rules =

Stateful objects are referenced in rules by name. They act as actions (statements) and, in the case of quotas, also as matches. The simplest form is:

<source lang="bash">
% nft add chain filter output { type filter hook output priority 0 \; }
% nft add rule filter output tcp dport https counter name https-traffic
</source>

These commands create a chain named ''output'' in the table ''filter'', then a rule that counts the ''https'' packets generated by your machine in the counter ''https-traffic''.

They can also be used with maps, selecting the counter by destination port (each referenced counter must already exist in the table):

<source lang="bash">
% nft add rule filter output counter name tcp dport map { \
https : "https-traffic", \
80 : "http-traffic", \
25 : "foo-counter", \
50 : "foo-counter", \
107 : "foo-counter" \
}
</source>

Similarly, a named map whose elements are added dynamically can be used:

<source lang="bash">
% nft add map filter ports { type inet_service : quota \; }
% nft add rule filter output quota name tcp dport map @ports
% nft add quota filter http-quota over 25 mbytes
% nft add quota filter ssh-quota 10 kbytes
% nft add element filter ports { 80 : "http-quota" }
% nft add element filter ports { 22 : "ssh-quota" }
</source>

When a rule references a quota, the packet is counted towards that quota; if the quota matches (up to or over its threshold, depending on the quota type) the remaining statements of the rule are executed, otherwise they are not.

<source lang="bash">
table inet foo {
	quota example { over 100 mbytes used 0 bytes }

	chain dropafterquota {
		type filter hook postrouting priority 0; policy accept;
		udp port 5060 quota name "example" drop
	}
}
</source>

This counts all UDP port 5060 packets towards the quota and drops those packets once the quota passes its ''over 100 mbytes'' threshold.
<br />
= Listing stateful objects =

You can list the stateful information of objects individually via:

<source lang="bash">
% nft list counter filter https-traffic
</source>

It is also possible to list all stateful objects of the same type:

<source lang="bash">
% nft list quotas
</source>

And to list all stateful objects of a type in a table:

<source lang="bash">
% nft list counters table filter
</source>
<br />
= Resetting stateful objects =

Resetting an object will atomically dump and reset its content:

<source lang="bash">
% nft reset quota filter https-quota
table ip filter {
	quota https-quota {
		25 mbytes used 217 kbytes
	}
}

% nft list quota filter https-quota
table ip filter {
	quota https-quota {
		25 mbytes
	}
}
</source>
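An added example (not part of the wiki page or the nftables project): a small Python check that parses the text printed by ''nft list quotas'' in the format shown above and reports quotas at or above a usage fraction, the sort of check a defender would run before each ''nft reset''. It assumes nft's 1024-based data units and uses a constructed sample listing.

```python
import re

# Byte multipliers for the units nft prints; nft's data units are 1024-based (assumed here).
UNITS = {"bytes": 1, "kbytes": 1024, "mbytes": 1024 ** 2, "gbytes": 1024 ** 3}

TABLE_RE = re.compile(r"table\s+(\w+)\s+(\S+)\s*\{")
# Matches both the multi-line 'nft list' form and the one-line ruleset form of a quota object.
# A plain 'quota name "x"' reference inside a rule has no '{' after the name and is skipped.
QUOTA_RE = re.compile(
    r"quota\s+(\S+)\s*\{\s*(?:(over|until)\s+)?(\d+)\s+(bytes|kbytes|mbytes|gbytes)"
    r"(?:\s+used\s+(\d+)\s+(bytes|kbytes|mbytes|gbytes))?"
)

# Constructed sample in the format shown above (not captured from a live system).
SAMPLE = """table ip filter {
    quota https-quota {
        25 mbytes used 217 kbytes
    }
}
table inet foo {
    quota example { over 100 mbytes used 0 bytes }
    quota sip-burst { 10 kbytes used 10 kbytes }
    chain dropafterquota {
        type filter hook postrouting priority 0; policy accept;
        udp dport 5060 quota name "example" drop
    }
}
"""

def parse_quotas(listing):
    """Parse 'nft list quotas' (or ruleset) text into one dict per quota, sizes in bytes."""
    text = re.sub(r"\s+", " ", listing)            # fold the listing onto one line
    tables = list(TABLE_RE.finditer(text))
    quotas = []
    for i, t in enumerate(tables):
        end = tables[i + 1].start() if i + 1 < len(tables) else len(text)
        for q in QUOTA_RE.finditer(text, t.end(), end):
            name, mode, limit, lunit, used, uunit = q.groups()
            quotas.append({
                "family": t.group(1), "table": t.group(2), "name": name,
                "mode": mode or "until",              # nft prints no keyword for 'until'
                "limit": int(limit) * UNITS[lunit],
                "used": int(used) * UNITS[uunit] if used else 0,  # no 'used' means 0 bytes
            })
    return quotas

def exhausted_quotas(listing, fraction=0.9):
    """Names (table/quota) of quotas at or above the given fraction of their limit.
    For an 'over' quota this is where the rule's action (e.g. drop) starts firing;
    for an 'until' quota it is where the rule stops matching."""
    return [f"{q['table']}/{q['name']}" for q in parse_quotas(listing)
            if q["used"] >= fraction * q["limit"]]

if __name__ == "__main__":
    print(exhausted_quotas(SAMPLE))                 # ['foo/sip-burst']
```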
<br />
Other forms mirror the ''list'' command, e.g.:

<source lang="bash">
% nft reset counters
% nft reset quotas table filter
</source>

At the moment (Jan 2019) resetting quotas does not reset anonymous quotas, i.e. those used inline in rules without a name; see [https://bugzilla.netfilter.org/show_bug.cgi?id=1314 bug #1314].</div>Dlakeland
http://wiki.nftables.org/wiki-nftables/index.php?title=Stateful_objects&diff=357
Stateful objects, 2019-01-10T17:46:42Z
<p>Dlakeland: /* Referencing stateful objects in rules */</p>
http://wiki.nftables.org/wiki-nftables/index.php?title=Stateful_objects&diff=356
Stateful objects, 2019-01-10T17:40:23Z
<p>Dlakeland: /* Referencing stateful objects in rules */</p>