From: Devin Bayer <dev@doubly.so>
To: netfilter-devel@vger.kernel.org
Cc: pablo@netfilter.org
Subject: [PATCH] nft: migrate man page examples with `meter` directive to sets
Date: Thu, 1 Oct 2020 11:30:27 +0200
Message-ID: <b35b744f-a29c-d76b-6969-8cf6371c2a1a@doubly.so>
Hello,
this updates the two examples in the man page that use the obsolete
`meter` to use sets. I also fixed a bit of formatting for the conntrack
expressions.
Thanks,
Devin
---
doc/payload-expression.txt | 12 +++++++-----
doc/statements.txt | 29 +++++++++++++++++++----------
2 files changed, 26 insertions(+), 15 deletions(-)
diff --git a/doc/payload-expression.txt b/doc/payload-expression.txt
index e6f108b1..e2beb8be 100644
--- a/doc/payload-expression.txt
+++ b/doc/payload-expression.txt
@@ -642,6 +642,8 @@ zone id is tied to the given direction. +
*ct* {*original* | *reply*} {*proto-src* | *proto-dst*}
*ct* {*original* | *reply*} {*ip* | *ip6*} {*saddr* | *daddr*}
+The conntrack-specific types in this table are described in the
sub-section CONNTRACK TYPES above.
+
.Conntrack expressions
[options="header"]
|==================
@@ -698,15 +700,15 @@ integer (64 bit)
conntrack zone |
integer (16 bit)
|count|
-count number of connections
+number of current connections|
integer (32 bit)
|id|
-Connection id
-ct_id
+Connection id|
+ct_id|
|==========================================
-A description of conntrack-specific types listed above can be found
sub-section CONNTRACK TYPES above.
.restrict the number of parallel connections to a server
--------------------
-filter input tcp dport 22 meter test { ip saddr ct count over 2 } reject
+nft add set filter ssh_flood '{ type ipv4_addr; flags dynamic; }'
+nft filter input tcp dport 22 add @ssh_flood '{ ip saddr ct count over
2 }' reject
--------------------
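Review bot: the second command in the new example, `nft filter input tcp dport 22 add @ssh_flood '{ ip saddr ct count over 2 }' reject`, is missing `add rule`: the removed line was in bare rule syntax (no `nft` prefix, matching the rest of this man page's examples), but the replacement starts with `nft` and then goes straight to the table name, which is neither form. Either drop the `nft` prefix to keep the bare-rule style, or write the full command `nft add rule filter input tcp dport 22 add @ssh_flood '{ ip saddr ct count over 2 }' reject`. Two smaller points in the same hunk: the set is declared as `filter ssh_flood` without a family while the statements.txt example in this patch consistently uses `ip filter`, and the new cell text "Connection id" is capitalised where the neighbouring cells ("conntrack zone", "number of current connections") are lower-case.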
diff --git a/doc/statements.txt b/doc/statements.txt
index 9155f286..9cbae019 100644
--- a/doc/statements.txt
+++ b/doc/statements.txt
@@ -704,8 +704,17 @@ blacklists.
.Example for simple blacklist
-----------------------------
-# declare a set, bound to table "filter", in family "ip". Timeout and
size are mandatory because we will add elements from packet path.
-nft add set ip filter blackhole "{ type ipv4_addr; flags timeout; size
65536; }"
+# declare a set, bound to table "filter", in family "ip".
+# Timeout and size are mandatory because we will add elements from
packet path.
+# Entries will timeout after one minute, after which they might be
+# re-added if limit condition persists.
+nft add set ip filter blackhole \
+ "{ type ipv4_addr; timeout 1m; size 65536 }"
+
+# declare a set to store the limit per saddr.
+# This must be separate from blackhole since the timeout is different
+nft add set ip filter flood \
+ "{ type ipv4_addr; flags dynamic; timeout 10s; size 128000 }"
# whitelist internal interface.
nft add rule ip filter input meta iifname "internal" accept
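Review bot: the blackhole set is declared as `{ type ipv4_addr; timeout 1m; size 65536 }` with no `flags dynamic`, yet the comment directly above it says timeout and size are needed "because we will add elements from packet path", and the rule in the following hunk does exactly that with `add @blackhole { ip saddr }`. Only the new `flood` set carries `flags dynamic`. Either add `flags dynamic;` to the blackhole declaration as well, or extend the comment to explain why the two sets are declared differently; as written the comment and the declaration disagree. Minor: this hunk writes `size 65536 }` and `size 128000 }` without a trailing semicolon while the payload-expression.txt example in the same patch writes `flags dynamic; }`; picking one style for both files would be nicer.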
@@ -713,17 +722,17 @@ nft add rule ip filter input meta iifname
"internal" accept
# drop packets coming from blacklisted ip addresses.
nft add rule ip filter input ip saddr @blackhole counter drop
-# add source ip addresses to the blacklist if more than 10 tcp
connection requests occurred per second and ip address.
-# entries will timeout after one minute, after which they might be
re-added if limit condition persists.
-nft add rule ip filter input tcp flags syn tcp dport ssh meter flood
size 128000 { ip saddr timeout 10s limit rate over 10/second} add
@blackhole { ip saddr timeout 1m } drop
+# add source ip addresses to the blacklist if more than 10 tcp connection
+# requests occurred per second and ip address.
+nft add rule ip filter input tcp flags syn tcp dport ssh \
+ add @flood { ip saddr limit rate over 10/second } \
+ add @blackhole { ip saddr } drop
-# inspect state of the rate limit meter:
-nft list meter ip filter flood
-
-# inspect content of blackhole:
+# inspect state of the sets.
+nft list set ip filter flood
nft list set ip filter blackhole
-# manually add two addresses to the set:
+# manually add two addresses to the blackhole.
nft add element filter blackhole { 10.2.3.4, 10.23.1.42 }
-----------------------------------------------
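Review bot: the rule `add @flood { ip saddr limit rate over 10/second } add @blackhole { ip saddr } drop` drops the per-element `timeout 10s` / `timeout 1m` that the removed meter form carried inline, so the 10-second limit window and the one-minute blacklist duration now come entirely from the set declarations in the previous hunk. The restored comment "add source ip addresses to the blacklist if more than 10 tcp connection requests occurred per second and ip address" should say so (for example: "timeouts are taken from the set definitions above"), otherwise a reader who copies just this rule loses both timeouts without noticing. Also, since the comment above `nft add element filter blackhole { 10.2.3.4, 10.23.1.42 }` is being reworded, that command is the only one in the example that omits the `ip` family; adding it would make the block consistent.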
--
2.25.1
Thread overview: 3+ messages
2020-10-01 9:30 Devin Bayer [this message]
2020-10-01 12:26 ` [PATCH] nft: migrate man page examples with `meter` directive to sets Pablo Neira Ayuso
2020-10-01 13:04 ` Devin Bayer