* meter directive
From: Devin Bayer @ 2020-09-04  8:38 UTC (permalink / raw)
  To: netfilter

Hello,

I am looking for some docs on the `meter` directive. Should it still be 
used instead of `map` or `set` and what are the arguments?

I see it's used in examples in the man page and also on this page:

    https://wiki.nftables.org/wiki-nftables/index.php/Meters

However the example does not work as described. When I do

     nft list map my_filter_table my_ssh_meter

I don't get the output that is described. First, it's a "set", not a 
"map", so I just see "Error: No such file or directory". But when 
changing to "list set", I don't see the counters:

table ip my_filter_table {
	set my_ssh_meter {
		type ipv4_addr . inet_service
		size 1000
		flags dynamic,timeout
		elements = { 3.10.95.11 . 22 expires 14s492ms limit rate 10/second,
			     3.123.217.208 . 22 expires 38s596ms limit rate 10/second,
			     ...}
	}
}

1) I'm wondering if someone can clarify.
2) If meter is obsolete, as the wiki suggests, can the examples in the 
man page be updated?
3) If meter isn't obsolete, can its usage be added to the man page?

I am using nftables v0.9.6 on kernel 5.7.0.


Thanks,
Devin


* Re: meter directive
From: Devin Bayer @ 2020-09-27 12:27 UTC (permalink / raw)
  To: netfilter

Anyone have thoughts on this, especially the questions:

a) is meter an obsolete directive?
b) if not, is it documented anywhere?
c) is it possible to display the counters in a meter?

Thanks,
Devin



* Re: meter directive
From: Devin Bayer @ 2020-09-28 10:01 UTC (permalink / raw)
  To: Duncan Roe; +Cc: netminder (Eric Peterson), netfilter

On 28/09/2020 04.10, Duncan Roe wrote:
> 
> Hi Davin,

Thanks for the reply Duncan.

> a) from b):
>> Note that the meter keyword is obsolete, the dynamic set and map syntax is now preferred for consistency.

I see. In that case, I would like to update the man page to use the new 
syntax. The examples there use meter, but without any explanation.


For example the blacklist example:

	nft add rule ip filter input tcp flags syn tcp dport ssh meter flood \
		size 128000 { ip saddr timeout 10s limit rate over 10/second } \
		add @blackhole { ip saddr timeout 1m } drop

So would this be the set equivalent?

     set flood {
         type ipv4_addr;
         size 128000;
         flags dynamic, timeout;
         timeout 1m;
     }
     ...
     tcp flags syn tcp dport ssh \
         add @flood { ip saddr limit rate over 10/second } \
         add @blackhole { ip saddr timeout 1m } drop


Is there a map equivalent? I couldn't get anything to work.

> b) Still documented at https://wiki.nftables.org/wiki-nftables/index.php/Meters,
>     but the examples are updated to use dynamic sets.

It's quite confusing and doesn't work as described though.

> c) counters in dynamic sets are special: you get a counter for each set member.

Right - but how can I see the counters? If you look at my example I just 
see this:

	3.10.95.11 . 22 expires 14s492ms limit rate 10/second,

~ Devin


* Re: meter directive
From: Duncan Roe @ 2020-09-28 12:32 UTC (permalink / raw)
  To: Devin Bayer; +Cc: netminder (Eric Peterson), netfilter

On Mon, Sep 28, 2020 at 12:01:52PM +0200, Devin Bayer wrote:
> On 28/09/2020 04.10, Duncan Roe wrote:
> >
> > Hi Davin,
>
> Thanks for the reply Duncan.
>
> > a) from b):
> > > Note that the meter keyword is obsolete, the dynamic set and map syntax is now preferred for consistency.
>
> I see. In that case, I would like to update the man page to use the new
> syntax. The examples there use meter, but without any explanation.
>
>
> For example the blacklist example:
>
>
>
> 	nft add rule ip filter input tcp flags syn tcp dport ssh meter flood size
> 128000 { ip saddr timeout 10s limit rate over 10/second} add @blackhole { ip
> saddr timeout 1m } drop
>
> So would this be the set equivalent?
>
>     set flood {
>         type ipv4_addr;
>         size 128000;
>         flags dynamic, timeout;
>         timeout 1m;
>     }
>     ...
>     tcp flags syn tcp dport ssh \
>         add @flood { ip saddr limit rate over 10/second } \
>         add @blackhole { ip saddr timeout 1m } drop
>
>
> Is there a map equivalent? I couldn't get anything to work.
>
> > b) Still documented at https://wiki.nftables.org/wiki-nftables/index.php/Meters,
> >     but the examples are updated to use dynamic sets.
>
> It's quite confusing and doesn't work as described though.
>
> > c) counters in dynamic sets are special: you get a counter for each set member.
>
> Right - but how can I see the counters? If you look at my example I just see
> this:
>
> 	3.10.95.11 . 22 expires 14s492ms limit rate 10/second,
>
> ~ Devin

It used to be the case with meters that you could have limit or counter but not
both.

I don't know if that is still the case with dynamic sets. If it is, you will
have to have 2 sets: 1 with limits and 1 with counters.

(counter with limit is ambiguous: do you want to count packets received or
packets accepted? Both are do-able with 2 sets).

Please post your rules that add set members if you have further questions.

Cheers ... Duncan.


* Re: meter directive
From: Devin Bayer @ 2020-09-28 13:00 UTC (permalink / raw)
  To: duncan_roe; +Cc: netminder (Eric Peterson), netfilter


I think it's clear enough in regards to sets in the manpage - I will 
submit a patch for that.

However the situation on the wiki is still unclear. It does show 
counters with limits, but for maps. However, it doesn't show how to 
create the maps or add to them. I tried something like this:

     map flood2 {
         type ipv4_addr : counter;
         size 100000;
         flags dynamic, timeout;
         timeout 1m;
     }

     chain prerouting {
         tcp flags syn tcp dport 80 \
             add @flood2 { ip saddr limit rate over 3/minute } \
             log prefix "MAP "
     }

But no luck:

	/etc/nftables.conf:49:9-14: Error: Could not process rule: Operation not supported
	    map flood2 {

Basically, I would like to update the wiki page so it provides workable 
examples.

~ Devin


* Re: meter directive
From: Pablo Neira Ayuso @ 2020-09-28 16:08 UTC (permalink / raw)
  To: Devin Bayer; +Cc: duncan_roe, netminder (Eric Peterson), netfilter


Something like this:

table ip x {
        set flood2 {
                type ipv4_addr
                size 100000
                flags dynamic,timeout
                timeout 1m
                elements = { 150.214.188.80 expires 54s752ms limit rate 1/minute burst 1 packets }
        }

        chain output {
                type filter hook output priority filter; policy drop;
                ct state new tcp dport 80 add @flood2 { ip daddr limit rate 1/minute burst 1 packets } log prefix "test: " accept
                ct state established,related accept
        }
}

Only one stateful expression is supported at this stage: either you
have a rate limit or you have counters per element.


* Re: meter directive
From: Devin Bayer @ 2020-09-28 16:12 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: duncan_roe, netminder (Eric Peterson), netfilter


Thank you; I see how the set syntax works now.

How do I get the behavior like in the wiki, which uses maps?


* Re: meter directive
From: Pablo Neira Ayuso @ 2020-09-28 16:21 UTC (permalink / raw)
  To: Devin Bayer; +Cc: duncan_roe, netminder (Eric Peterson), netfilter

On Mon, Sep 28, 2020 at 06:12:21PM +0200, Devin Bayer wrote:
> On 28/09/2020 18.08, Pablo Neira Ayuso wrote:
> >
> > Something like this:
> > 
> > table ip x {
> >          set flood2 {
> >                  type ipv4_addr
> >                  size 100000
> >                  flags dynamic,timeout
> >                  timeout 1m
> >                  elements = { 150.214.188.80 expires 54s752ms limit rate 1/minute burst 1 packets }
> >          }
> > 
> >          chain output {
> >                  type filter hook output priority filter; policy drop;
> >                  ct state new tcp dport 80 add @flood2 { ip daddr limit rate 1/minute burst 1 packets } log prefix "test: " accept
> >                  ct state established,related accept
> >          }
> > }
> > 
> > Only one stateful expression is supported a this stage, either you
> > have ratelimit or you have counters per elements.
> 
> Thank you; I see how the set syntax works now.
> 
> How do I get the behavior like in the wiki, which uses maps?

What example are you referring to?


* Re: meter directive
From: Devin Bayer @ 2020-09-28 16:26 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: duncan_roe, netminder (Eric Peterson), netfilter



On 28/09/2020 18.21, Pablo Neira Ayuso wrote:
> On Mon, Sep 28, 2020 at 06:12:21PM +0200, Devin Bayer wrote:
>>
>> How do I get the behavior like in the wiki, which uses maps?
>
> What example are you referring to?

https://wiki.nftables.org/wiki-nftables/index.php/Meters

% nft list map my_filter_table my_ssh_meter
table ip my_filter_table {
	map my_ssh_meter {
		type ipv4_addr . inet_service
		size 65535
		flags dynamic,timeout
		elements = { 64.62.190.36 . 55000 expires 38s : counter packets 2 bytes 220,
			     83.98.201.47 . 35460 expires 39s : counter packets 10 bytes 5988,
			     172.217.7.142 . 43254 expires 46s : counter packets 1 bytes 98 }
	}
}





* Re: meter directive
From: Pablo Neira Ayuso @ 2020-09-28 16:40 UTC (permalink / raw)
  To: Devin Bayer; +Cc: duncan_roe, netminder (Eric Peterson), netfilter


I just fixed this in the wiki.

For this example:

% nft add chain filter input {type filter hook input priority 0\;}
% nft add set filter ssh-meter { type ipv4_addr\; flags dynamic\; }
% nft add rule filter input tcp dport 22 ct state new add @ssh-meter { ip saddr limit rate 10/second } accept

The listing is:

% nft list set my_filter_table my_ssh_meter
table ip my_filter_table {
        set my_ssh_meter {
                type ipv4_addr
                size 65535
                flags dynamic
                elements = { 10.141.10.2 limit rate 10/second }
        }
}

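The listings quoted in this thread (a dynamic set whose elements carry a per-element `limit rate`, and the wiki's map whose elements carry a per-element `counter`) share one text format. Here is an added example, not code from the thread or from the nftables project, that parses that `nft list set` / `nft list map` text into per-element records so the state of a dynamic set can be checked from a script; the sample listings are constructed from the shapes shown above.

```python
# Added example, not code from the thread or the nftables project.
import re

# Constructed sample listings in the shape of the ones quoted in the thread.
SAMPLE_SET = """table ip my_filter_table {
	set my_ssh_meter {
		type ipv4_addr . inet_service
		flags dynamic,timeout
		elements = { 3.10.95.11 . 22 expires 14s492ms limit rate 10/second,
			     10.141.10.2 . 22 limit rate 10/second burst 5 packets }
	}
}"""
SAMPLE_MAP = """table ip my_filter_table {
	map my_ssh_meter {
		type ipv4_addr . inet_service : counter
		flags dynamic,timeout
		elements = { 64.62.190.36 . 55000 expires 38s : counter packets 2 bytes 220,
			     83.98.201.47 . 35460 expires 39s : counter packets 10 bytes 5988 }
	}
}"""

UNIT_MS = {"d": 86_400_000, "h": 3_600_000, "m": 60_000, "s": 1_000, "ms": 1}
DURATION_RE = re.compile(r"(\d+)(ms|d|h|m|s)")
ELEMENTS_RE = re.compile(r"elements\s*=\s*\{(.*?)\}", re.DOTALL)
STATEFUL_START = ("expires", "limit", "counter")   # tokens that end the key

def duration_ms(text: str) -> int:
    """Convert an nft duration such as '14s492ms' or '1m' to milliseconds."""
    parts = DURATION_RE.findall(text)
    if "".join(n + u for n, u in parts) != text:
        raise ValueError(f"bad duration {text!r}")
    return sum(int(n) * UNIT_MS[u] for n, u in parts)

def parse_element(text: str) -> dict:
    # ' : ' separates a map key from its data; IPv6 colons are never space-padded.
    toks = re.sub(r"\s:\s", " ", text).split()
    i = next((k for k, t in enumerate(toks) if t in STATEFUL_START), len(toks))
    el = {"key": " ".join(toks[:i]), "expires_ms": None, "stateful": None}
    while i < len(toks):
        if toks[i] == "expires":
            el["expires_ms"] = duration_ms(toks[i + 1]); i += 2
        elif toks[i] == "limit":           # limit rate [over] N/unit [burst N packets]
            i += 2 + (toks[i + 2] == "over")
            el["stateful"], el["rate"] = "limit", toks[i]; i += 1
            if i < len(toks) and toks[i] == "burst":
                el["burst"] = int(toks[i + 1]); i += 3
        elif toks[i] == "counter":         # counter packets N bytes M
            el.update(stateful="counter", packets=int(toks[i + 2]), bytes=int(toks[i + 4])); i += 5
        else:
            raise ValueError(f"unexpected token {toks[i]!r} in {text!r}")
    return el

def parse_listing(listing: str) -> list[dict]:
    """Return one record per entry of the listing's `elements = { ... }` body."""
    m = ELEMENTS_RE.search(listing)
    return [parse_element(p) for p in m.group(1).split(",") if p.strip()] if m else []
```

Each record's `stateful` field shows which single stateful expression the element carries, which is the point Pablo makes above: an element has either a rate limit or a counter, not both.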

* Re: meter directive
From: Eric Peterson @ 2020-09-28 20:17 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: Devin Bayer, duncan_roe, netfilter

Gentlemen: 

While I appreciate being cc’d on all of these emails, none of this has anything to do with me and I have only a vague idea of what you’re discussing. You can take me off the list.

Regards,

Eric Peterson
netminder@gmail.com


