Difference between revisions of "Stateful objects"

From nftables wiki
(Created page with "Since v0.7 nftables support stateful objects, which group stateful information of rules, the supported types are: counters and quotas. Stateful objects are attached to tables...")
 
Since v0.7 nftables supports stateful objects, which group the stateful information of rules; the supported types are counters and quotas. Stateful objects are attached to tables and have a unique name, defined by the user.
 
= Creating stateful objects =
 
You can create a counter with the command:
 
<source lang="bash">
% nft add table filter
% nft add counter filter https-traffic
</source>
 
These commands create a table named ''filter'', then a counter named ''https-traffic'' attached to ''filter''.
 
Creating a quota is similar:
 
<source lang="bash">
% nft add quota filter https-quota 25 mbytes
</source>
 
A quota named ''https-quota'' is attached to the table ''filter''; notice that you must specify the quota's size on creation.
 
= Referencing stateful objects in rules =
 
Stateful objects are referenced in rules by name; the simplest form is:
 
<source lang="bash">
% nft add chain filter output { type filter hook output priority 0 \; }
% nft add rule filter output tcp dport https counter name https-traffic
</source>
 
These commands create a chain named ''output'' in the table ''filter'', then a rule that counts the ''https'' packets generated by your machine and accounts them in the counter ''https-traffic''.
 
They can also be used with maps:
 
<source lang="bash">
% nft add rule filter output counter name tcp dport map { \
          https : "https-traffic", \
          80 : "http-traffic", \
          25 : "foo-counter", \
          50 : "foo-counter", \
          107 : "foo-counter" \
  }
</source>
 
Similarly, a named map can be used, so that the object a rule refers to is selected at runtime from the map's elements:
 
<source lang="bash">
% nft add map filter ports { type inet_service : quota \; }
% nft add rule filter output quota name tcp dport map @ports
% nft add quota filter http-quota over 25 mbytes
% nft add quota filter ssh-quota 10 kbytes
% nft add element filter ports { 80 : "http-quota" }
% nft add element filter ports { 22 : "ssh-quota" }
</source>
 
= Listing stateful objects =
 
You can list the stateful information of objects individually via:
 
<source lang="bash">
% nft list counter filter https-traffic
</source>
 
Also, it's possible to list all stateful objects of the same type:
 
<source lang="bash">
% nft list quotas
</source>
 
And list all stateful objects of a type in a given table:
 
<source lang="bash">
% nft list counters table filter
</source>
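The listing commands above are how an operator checks whether a quota is close to, or already past, its limit. The following is an added example (not part of the wiki page or the nftables project): a small Python parser for the text printed by ''nft list quotas'' and ''nft list counters'', run over a constructed sample whose layout is assumed to match nft's output format, which reports which quotas have reached a usage threshold.

```python
import re

# Constructed sample shaped like the output of "nft list quotas" and
# "nft list counters" (format assumed; not captured from a live system).
SAMPLE_LISTING = """\
table ip filter {
    quota https-quota {
        25 mbytes used 24 mbytes
    }
    quota http-quota {
        over 25 mbytes used 26 mbytes
    }
    quota ssh-quota {
        10 kbytes used 512 bytes
    }
    counter https-traffic {
        packets 1432 bytes 2061312
    }
}
"""

# nft's byte units are powers of 1024.
UNIT = {"bytes": 1, "kbytes": 1024, "mbytes": 1024 ** 2, "gbytes": 1024 ** 3}

OBJ_RE = re.compile(r"^\s*(quota|counter)\s+(\S+)\s*\{\s*$")
QUOTA_RE = re.compile(r"^\s*(over\s+)?(\d+)\s+(\w+)\s+used\s+(\d+)\s+(\w+)\s*$")
COUNTER_RE = re.compile(r"^\s*packets\s+(\d+)\s+bytes\s+(\d+)\s*$")

def to_bytes(amount, unit):
    return int(amount) * UNIT[unit]

def parse_listing(text):
    """Return {name: {...}} for every quota and counter in the listing."""
    objects, current = {}, None
    for line in text.splitlines():
        m = OBJ_RE.match(line)
        if m:
            current = m.group(2)
            objects[current] = {"type": m.group(1)}
            continue
        if line.strip() == "}":
            current = None          # closes the current object (or the table)
            continue
        if current is None:
            continue
        m = QUOTA_RE.match(line)
        if m and objects[current]["type"] == "quota":
            objects[current].update(limit=to_bytes(m.group(2), m.group(3)),
                                    used=to_bytes(m.group(4), m.group(5)),
                                    over=bool(m.group(1)))
        m = COUNTER_RE.match(line)
        if m and objects[current]["type"] == "counter":
            objects[current].update(packets=int(m.group(1)), bytes=int(m.group(2)))
    return objects

def quotas_near_limit(objects, threshold=0.9):
    """Sorted names of quotas whose usage is at or above threshold * limit."""
    return sorted(name for name, o in objects.items()
                  if o["type"] == "quota" and o["used"] >= threshold * o["limit"])
```

Feeding it the real output of ''nft list quotas'' (for example via ''subprocess'') gives a cheap periodic check that a quota-limited host has not silently hit its ceiling.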
 
= Resetting stateful objects =
 
Resetting an object lists its current content and then sets it back to 0. The usage is similar to listing objects:
 
<source lang="bash">
% nft reset quota filter http-quota
% nft reset counters
% nft reset quotas table filter
</source>

Revision as of 16:19, 8 February 2017
