ct: add average bytes per packet counter support

Similar to connbytes extension in iptables, now you can use it to match
average bytes per packet a connection has transferred so far.

For example, match avgpkt in "BOTH" diretion:
  # nft add rule x y ct avgpkt \> 100

Match avgpkt in reply direction:
  # nft add rule x y ct reply avgpkt \< 900

Or match avgpkt in original direction:
  # nft add rule x y ct original avgpkt \> 200

Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/doc/nft.xml b/doc/nft.xml
index 8026d85fa53474e57892cb0dd40973df89761458..a421278440ed79bd46eacb89a89a7951427137bd 100644 (file)
--- a/doc/nft.xml
+++ b/doc/nft.xml
@@ -2112,9 +2112,9 @@ inet filter meta nfproto ipv6 output rt nexthop fd00::1
                        </para>
                        <para>
                                There are three types of conntrack expressions. Some conntrack expressions require the flow
-                               direction before the conntrack key, others must be used directly because they are
-                               direction agnostic.  The <command>packets<command> and </command>bytes</command> keywords can be used
-                               with or without a direction.  If the direction is omitted, the sum of the original and the reply
+                               direction before the conntrack key, others must be used directly because they are direction agnostic.
+                               The <command>packets</command>, <command>bytes</command> and <command>avgpkt</command> keywords can be
+                               used with or without a direction. If the direction is omitted, the sum of the original and the reply
                                direction is returned.
                        </para>
                        <para>
@@ -2132,6 +2132,7 @@ inet filter meta nfproto ipv6 output rt nexthop fd00::1
                                                <arg>protocol</arg>
                                                <arg>bytes</arg>
                                                <arg>packets</arg>
+                                               <arg>avgpkt</arg>
                                        </group>
                                </cmdsynopsis>
                                <cmdsynopsis>
@@ -2149,6 +2150,7 @@ inet filter meta nfproto ipv6 output rt nexthop fd00::1
                                                <arg>proto-dst</arg>
                                                <arg>bytes</arg>
                                                <arg>packets</arg>
+                                               <arg>avgpkt</arg>
                                        </group>
                                </cmdsynopsis>
                        </para>
@@ -2242,6 +2244,11 @@ inet filter meta nfproto ipv6 output rt nexthop fd00::1
                                                                <entry>bytecount seen, see description for <command>packets</command> keyword</entry>
                                                                <entry>integer (64 bit)</entry>
                                                        </row>
+                                                       <row>
+                                                               <entry>avgpkt</entry>
+                                                               <entry>average bytes per packet, see description for <command>packets</command> keyword</entry>
+                                                               <entry>integer (64 bit)</entry>
+                                                       </row>
                                                </tbody>
                                        </tgroup>
                                </table>

diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 881d49e94569648d2f735e81b34fa567627f3019..b00a05d1ee566f18ff07fc6a2cf73643081b87af 100644 (file)
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -860,6 +860,10 @@ enum nft_rt_attributes {
  * @NFT_CT_PROTOCOL: conntrack layer 4 protocol
  * @NFT_CT_PROTO_SRC: conntrack layer 4 protocol source
  * @NFT_CT_PROTO_DST: conntrack layer 4 protocol destination
+ * @NFT_CT_LABELS: conntrack labels
+ * @NFT_CT_PKTS: conntrack packets
+ * @NFT_CT_BYTES: conntrack bytes
+ * @NFT_CT_AVGPKT: conntrack average bytes per packet
  */
 enum nft_ct_keys {
        NFT_CT_STATE,
@@ -878,6 +882,7 @@ enum nft_ct_keys {
        NFT_CT_LABELS,
        NFT_CT_PKTS,
        NFT_CT_BYTES,
+       NFT_CT_AVGPKT,
 };
 
 /**

diff --git a/src/ct.c b/src/ct.c
index d0792890a9741c889e0d980526df8fbfd9cf6570..31c7a4b1beda2624bb79b4208becaedbeefb8734 100644 (file)
--- a/src/ct.c
+++ b/src/ct.c
@@ -232,6 +232,8 @@ static const struct ct_template ct_templates[] = {
                                              BYTEORDER_HOST_ENDIAN, 64),
        [NFT_CT_PKTS]           = CT_TEMPLATE("packets", &integer_type,
                                              BYTEORDER_HOST_ENDIAN, 64),
+       [NFT_CT_AVGPKT]         = CT_TEMPLATE("avgpkt", &integer_type,
+                                             BYTEORDER_HOST_ENDIAN, 64),
 };
 
 static void ct_expr_print(const struct expr *expr)

diff --git a/src/parser_bison.y b/src/parser_bison.y
index be662e4d5b4eb6dc92e36fed19368669a27a95be..4749c9fa8730889cb28c8376da138aa599cfdd1d 100644 (file)
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -362,6 +362,7 @@ static void location_update(struct location *loc, struct location *rhs, int n)
 %token NAME                    "name"
 %token PACKETS                 "packets"
 %token BYTES                   "bytes"
+%token AVGPKT                  "avgpkt"
 
 %token COUNTERS                        "counters"
 %token QUOTAS                  "quotas"
@@ -2945,6 +2946,7 @@ ct_key_dir                :       SADDR           { $$ = NFT_CT_SRC; }
 
 ct_key_counters                :       BYTES           { $$ = NFT_CT_BYTES; }
                        |       PACKETS         { $$ = NFT_CT_PKTS; }
+                       |       AVGPKT          { $$ = NFT_CT_AVGPKT; }
                        ;
 
 ct_stmt                        :       CT      ct_key          SET     expr

diff --git a/src/scanner.l b/src/scanner.l
index 6b441b543efe2ae2af9477c0354c1e69ed37a7e5..d0d25ea946009ee724b022af30fa9060a4057b3c 100644 (file)
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -294,6 +294,7 @@ addrstring  ({macaddr}|{ip4addr}|{ip6addr})
 "name"                 { return NAME; }
 "packets"              { return PACKETS; }
 "bytes"                        { return BYTES; }
+"avgpkt"               { return AVGPKT; }
 
 "counters"             { return COUNTERS; }
 "quotas"               { return QUOTAS; }

diff --git a/tests/py/any/ct.t b/tests/py/any/ct.t
index 76be185a3a0da4edf599f1d9037e51e65d480bb2..2cfbfe13ccd24bc54a15bef77fc62e837d812c8e 100644 (file)
--- a/tests/py/any/ct.t
+++ b/tests/py/any/ct.t
@@ -80,6 +80,9 @@ ct original bytes \> 100000;ok;ct original bytes > 100000
 ct reply packets \< 100;ok;ct reply packets < 100
 ct bytes \> 100000;ok;ct bytes > 100000
 
+ct avgpkt \> 200;ok;ct avgpkt > 200
+ct original avgpkt \< 500;ok;ct original avgpkt < 500
+
 # bogus direction
 ct both bytes gt 1;fail
 # nonsensical

diff --git a/tests/py/any/ct.t.payload b/tests/py/any/ct.t.payload
index 90fce9fffec430d509f91d566f1bdb66ed54e8eb..3370bcac0594b96fc2f7219b731b8b6adc5917ca 100644 (file)
--- a/tests/py/any/ct.t.payload
+++ b/tests/py/any/ct.t.payload
@@ -361,6 +361,18 @@ ip test-ip4 output
   [ byteorder reg 1 = hton(reg 1, 8, 8) ]
   [ cmp gt reg 1 0x00000000 0xa0860100 ]
 
+# ct avgpkt \> 200
+ip test-ip4 output
+  [ ct load avgpkt => reg 1 ]
+  [ byteorder reg 1 = hton(reg 1, 8, 8) ]
+  [ cmp gt reg 1 0x00000000 0xc8000000 ]
+
+# ct original avgpkt \< 500
+ip test-ip4 output
+  [ ct load avgpkt => reg 1 , dir original ]
+  [ byteorder reg 1 = hton(reg 1, 8, 8) ]
+  [ cmp lt reg 1 0x00000000 0xf4010000 ]
+
 # ct status expected,seen-reply,assured,confirmed,snat,dnat,dying
 ip test-ip4 output
   [ ct load status => reg 1 ]