From: Adam Kalisz <adam.kalisz@gmail.com>
To: netfilter-devel@vger.kernel.org
Subject: Ipset combined entry type like hash:ip,port,ip,port
Date: Sat, 01 Feb 2020 21:54:30 +0100	[thread overview]
Message-ID: <4eb8428ee2076540dd955f5499e8701cf29b1688.camel@gmail.com> (raw)

Hello list,

I have a use case, where I would like to save:
- src IP
- src port
- protocol
- dst IP
- dst port
- packet counter
- bytes counter

Obviously, there is almost a matching type for this in ipset:
hash:ip,port,ip. It just misses the destination (or source) port,
depending on how you map the src and dst variables. Am I missing
something, like the possibility to concatenate entries, e.g.
hash:ip,port with hash:ip,port using something like list:set? I don't
think that is the solution.
What I have is a partial workaround using two hash:ip,port,ip sets,
with one configured 'src,src,dst' and the other 'src,dst,dst' and later
combining the results - which gives the most probable quintuples.
This is less than ideal. A set in the form of hash:ip,port,ip,port
would be most helpful.

The use case is to track dynamically what client services communicated
with what server services using which protocol etc. When periodically
reading the ipset entries a reasonable monitoring of communication can
be achieved using very simple means.
The addition of entries is achieved using iptables/nftables using:
    iptables -A FORWARD -m set ! --match-set in_conn_src src,src,dst \
    -j SET --add-set in_conn_src src,src,dst
which seems to be performant enough for my use case. (Is there any
advice concerning this? How efficient is this, e.g. does it jump to
user space for the addition of an entry?)
The documentation seems to suggest that ipset add resets the counters.
This seems to be the case also for the -j SET target. Could you please
tell me, which code is responsible for the -j SET --add-set ?

I have the feeling this could be a lot more efficient if the "addition"
of an already existing entry would result in the counters being added
up. This would pretty much obviate the ! --match-set guard statement
(as shown above) and another rule just matching for accounting of the
other packets:
    iptables -A INPUT -m set --match-set in_conn_src src,src,dst

I don't know, if there is a better way using nftables with its generic
sets? Can it also add entries without jumping to user space?

Thank you for any comments on this

Adam Kalisz
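The user-space "combining the results" step from the two-set workaround above, as an added example that is not part of the original message: it parses `ipset save` output of the two hash:ip,port,ip sets and pairs source-port entries with destination-port entries sharing the same (src IP, protocol, dst IP), flagging the combinations that stay ambiguous. The second set name in_conn_dst, the sample entries and the counter-matching heuristic are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample `ipset save` output for the two workaround sets:
# in_conn_src is filled with 'src,src,dst' (source port),
# in_conn_dst with 'src,dst,dst' (destination port). Both have counters.
SRC_SET = """create in_conn_src hash:ip,port,ip family inet counters
add in_conn_src 10.0.0.5,tcp:44321,10.0.0.9 packets 12 bytes 3400
add in_conn_src 10.0.0.5,tcp:44322,10.0.0.9 packets 7 bytes 900
add in_conn_src 10.0.0.6,udp:5353,10.0.0.9 packets 3 bytes 210
add in_conn_src 10.0.0.7,tcp:50001,10.0.0.9 packets 5 bytes 500
add in_conn_src 10.0.0.7,tcp:50002,10.0.0.9 packets 5 bytes 500
"""
DST_SET = """create in_conn_dst hash:ip,port,ip family inet counters
add in_conn_dst 10.0.0.5,tcp:443,10.0.0.9 packets 12 bytes 3400
add in_conn_dst 10.0.0.5,tcp:22,10.0.0.9 packets 7 bytes 900
add in_conn_dst 10.0.0.6,udp:53,10.0.0.9 packets 3 bytes 210
add in_conn_dst 10.0.0.7,tcp:80,10.0.0.9 packets 5 bytes 500
add in_conn_dst 10.0.0.7,tcp:8080,10.0.0.9 packets 5 bytes 500
"""

ADD_RE = re.compile(r"^add \S+ ([^,]+),(\w+):(\d+),(\S+) packets (\d+) bytes (\d+)$")

def parse_ipset_save(text):
    """Map (ip1, proto, ip2) -> [(port, packets, bytes), ...] from `ipset save` lines."""
    entries = defaultdict(list)
    for line in text.splitlines():
        m = ADD_RE.match(line)
        if m:
            ip1, proto, port, ip2, pkts, byts = m.groups()
            entries[(ip1, proto, ip2)].append((int(port), int(pkts), int(byts)))
    return entries

def combine(src_text, dst_text):
    """Return (sip, sport, proto, dip, dport, packets, bytes, ambiguous) tuples.
    A src-port entry is paired with the single dst-port entry whose counters match
    exactly; otherwise every dst port of the same (sip, proto, dip) is emitted and
    flagged ambiguous, which is why the two-set workaround only gives the most
    probable quintuples."""
    src, dst = parse_ipset_save(src_text), parse_ipset_save(dst_text)
    result = []
    for sip, proto, dip in src.keys() & dst.keys():
        unpaired = list(dst[(sip, proto, dip)])
        for sport, pk, by in src[(sip, proto, dip)]:
            exact = [d for d in unpaired if d[1:] == (pk, by)]
            if len(exact) == 1:
                unpaired.remove(exact[0])
                result.append((sip, sport, proto, dip, exact[0][0], pk, by, False))
            else:
                for dport, _, _ in dst[(sip, proto, dip)]:
                    result.append((sip, sport, proto, dip, dport, pk, by, True))
    return sorted(result)
```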

