* nftables "stateful object" nomenclature
@ 2021-04-05 17:19 Frank Myhr
  2021-04-05 21:57 ` Pablo Neira Ayuso
  0 siblings, 1 reply; 3+ messages in thread
From: Frank Myhr @ 2021-04-05 17:19 UTC (permalink / raw)
  To: netfilter; +Cc: Florian Westphal

Hi,

I hope a developer (Florian?) can weigh in on the following terminology 
question:

Linux kernel has in include/uapi/linux/netfilter/nf_tables.h:
#define NFT_OBJECT_UNSPEC	0
#define NFT_OBJECT_COUNTER	1
#define NFT_OBJECT_QUOTA	2
#define NFT_OBJECT_CT_HELPER	3
#define NFT_OBJECT_LIMIT	4
#define NFT_OBJECT_CONNLIMIT	5
#define NFT_OBJECT_TUNNEL	6
#define NFT_OBJECT_CT_TIMEOUT	7
#define NFT_OBJECT_SECMARK	8
#define NFT_OBJECT_CT_EXPECT	9
#define NFT_OBJECT_SYNPROXY	10
#define __NFT_OBJECT_MAX	11
#define NFT_OBJECT_MAX		(__NFT_OBJECT_MAX - 1)

The nft man page calls only 5 of these "stateful objects":
   ct helper
   ct timeout
   ct expectation
   counter
   quota

The wiki currently calls only 2 of these "stateful objects":
   counter
   quota
I'm fairly sure these are the only two that allow "nft reset".

So my question is: which of the 10 objects currently in nf_tables.h are 
properly called "stateful objects"? I mean, they're all named objects, 
they all carry state information, they follow much (but not all) of the 
same syntax...

I'm guessing that all are "stateful objects" and the presence of "reset" 
is just a special feature of 2 of them. But I'll wait on editing the wiki 
until I get confirmation / clarification.

Thanks,
Frank


* Re: nftables "stateful object" nomenclature
  2021-04-05 17:19 nftables "stateful object" nomenclature Frank Myhr
@ 2021-04-05 21:57 ` Pablo Neira Ayuso
  2021-04-05 23:19   ` Frank Myhr
  0 siblings, 1 reply; 3+ messages in thread
From: Pablo Neira Ayuso @ 2021-04-05 21:57 UTC (permalink / raw)
  To: Frank Myhr; +Cc: netfilter, Florian Westphal

Hi,

On Mon, Apr 05, 2021 at 01:19:47PM -0400, Frank Myhr wrote:
> Hi,
> 
> I hope a developer (Florian?) can weigh in on the following terminology
> question:
> 
> Linux kernel has in include/uapi/linux/netfilter/nf_tables.h:
> #define NFT_OBJECT_UNSPEC	0
> #define NFT_OBJECT_COUNTER	1
> #define NFT_OBJECT_QUOTA	2
> #define NFT_OBJECT_CT_HELPER	3
> #define NFT_OBJECT_LIMIT	4
> #define NFT_OBJECT_CONNLIMIT	5
> #define NFT_OBJECT_TUNNEL	6
> #define NFT_OBJECT_CT_TIMEOUT	7
> #define NFT_OBJECT_SECMARK	8
> #define NFT_OBJECT_CT_EXPECT	9
> #define NFT_OBJECT_SYNPROXY	10
> #define __NFT_OBJECT_MAX	11
> #define NFT_OBJECT_MAX		(__NFT_OBJECT_MAX - 1)
> 
> The nft man page calls only 5 of these "stateful objects":
>   ct helper
>   ct timeout
>   ct expectation
>   counter
>   quota

ct helper, ct timeout, ct expectation, ct expect, tunnel, secmark,
synproxy do not really have an internal state. They are actually
(stateless) policy objects that can be "dereferenced" from the ruleset.

counter, quota, limit and connlimit are stateful policy objects in the
sense that they store an internal state (number of packets/bytes,
consumed quota in bytes, packets/bytes credit available in the
ratelimiter and connection counter, respectively). These objects are
updated by each packet that "hits" them.

counter and quota implement the reset command (which allows for an
atomic dump and reset of their internal state). limit and connlimit do
not; although they are stateful, I didn't find any use case where a
reset of the internal state might be useful.

The infrastructure was originally made to support the two initial
stateful policy objects: counter and quota. Later on, it has been used
to support more (stateful and stateless) policy objects, although
none of them have a reset command.

> The wiki currently calls only 2 of these "stateful objects":
>   counter
>   quota
> I'm fairly sure these are the only two that allow "nft reset".
> 
> So my question is: which of the 10 objects currently in nf_tables.h are
> properly called "stateful objects"? I mean, they're all named objects, they
> all carry state information, they follow much (but not all) of the same
> syntax...

counter, quota, limit and connlimit.

> I'm guessing that all are "stateful objects" and the presence of "reset" is
> just a special feature of 2 of them. But I'll wait on editing the wiki until
> I get confirmation / clarification.

reset is a command that is available to a subset of the stateful
policy objects.
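
As an added example (not from the thread, and not the netfilter project's own code), here is a ruleset that defines both kinds of named object Pablo distinguishes and dereferences them from rules. The table, chain and object names, the numeric values and the SELinux label are constructed for illustration; connlimit is not shown.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread. All names and values are constructed.

table ip demo {
    # --- stateful policy objects: every packet that hits them updates state ---
    counter ssh_pkts { }                # packets/bytes seen so far
    quota monthly_cap {                 # bytes consumed so far
        over 10 gbytes
    }
    limit api_rate {                    # packet credit left in the ratelimiter
        rate 100/second
        burst 200 packets
    }

    # --- stateless policy objects: configuration that rules merely reference ---
    ct helper ftp_std {
        type "ftp" protocol tcp
    }
    secmark ssh_label {
        "system_u:object_r:ssh_server_packet_t:s0"
    }

    chain prerouting {
        type filter hook prerouting priority -300; policy accept;
        # assign the helper before conntrack classifies the flow
        tcp dport 21 ct helper set "ftp_std"
    }

    chain input {
        type filter hook input priority 0; policy accept;
        # counter and secmark are both dereferenced by name here
        tcp dport 22 counter name "ssh_pkts" meta secmark set "ssh_label"
        # named limit: the credit is shared by every rule that references it
        tcp dport 443 limit name "api_rate" accept
        # named quota: matches once the configured amount has been exceeded
        quota name "monthly_cap" drop
    }
}

# Only the two original stateful objects support an atomic dump-and-reset:
#   nft reset counter ip demo ssh_pkts
#   nft reset quota ip demo monthly_cap
# limit is stateful too but has no reset command; its state is read-only via
#   nft list limits ip
```

Apply it with `nft -f` on a host with nftables, then watch `nft list counters ip` change as traffic hits port 22 while the ct helper and secmark objects never change.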


* Re: nftables "stateful object" nomenclature
  2021-04-05 21:57 ` Pablo Neira Ayuso
@ 2021-04-05 23:19   ` Frank Myhr
  0 siblings, 0 replies; 3+ messages in thread
From: Frank Myhr @ 2021-04-05 23:19 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter, Florian Westphal

On 2021/04/05 17:57, Pablo Neira Ayuso wrote:
> On Mon, Apr 05, 2021 at 01:19:47PM -0400, Frank Myhr wrote:
>> Linux kernel has in include/uapi/linux/netfilter/nf_tables.h:
>> #define NFT_OBJECT_UNSPEC	0
>> #define NFT_OBJECT_COUNTER	1
>> #define NFT_OBJECT_QUOTA	2
>> #define NFT_OBJECT_CT_HELPER	3
>> #define NFT_OBJECT_LIMIT	4
>> #define NFT_OBJECT_CONNLIMIT	5
>> #define NFT_OBJECT_TUNNEL	6
>> #define NFT_OBJECT_CT_TIMEOUT	7
>> #define NFT_OBJECT_SECMARK	8
>> #define NFT_OBJECT_CT_EXPECT	9
>> #define NFT_OBJECT_SYNPROXY	10
>> #define __NFT_OBJECT_MAX	11
>> #define NFT_OBJECT_MAX		(__NFT_OBJECT_MAX - 1)
> 
> ct helper, ct timeout, ct expectation, ct expect, tunnel, secmark,
> synproxy do not really have an internal state. They are actually
> (stateless) policy objects that can be "dereferenced" from the ruleset.
> 
> counter, quota, limit and connlimit are stateful policy objects in the
> sense that they store an internal state (number of packets/bytes,
> consumed quota in bytes, packets/bytes credit available in the
> ratelimiter and connection counter, respectively). These objects are
> updated by each packet that "hits" them.
> 
> counter and quota implement the reset command (which allows for an
> atomic dump and reset of their internal state). limit and connlimit do
> not; although they are stateful, I didn't find any use case where a
> reset of the internal state might be useful.
> 
> The infrastructure was originally made to support the two initial
> stateful policy objects: counter and quota. Later on, it has been used
> to support more (stateful and stateless) policy objects, although
> none of them have a reset command.

Thank you very much for your thorough explanation and historical 
context, Pablo!


>> The wiki currently calls only 2 of these "stateful objects":
>>    counter
>>    quota
>> I'm fairly sure these are the only two that allow "nft reset".
>>
>> So my question is: which of the 10 objects currently in nf_tables.h are
>> properly called "stateful objects"? I mean, they're all named objects, they
>> all carry state information, they follow much (but not all) of the same
>> syntax...
> 
> counter, quota, limit and connlimit.

Got it. Thanks!


> reset is a command that is available to a subset of the stateful
> policy objects.

Understood. Thanks again. I'll update the wiki accordingly.

Best regards,
Frank

