Brand new nth expression

I’ve been in charge of creating a new netfilter match expression that matches every nth packet: a counter is incremented per packet and reset once it reaches a given value. Such an expression allows round-robin packet matching, which is very useful for load balancing or to emulate network failures, for example:

 ip daddr <ipsaddr> dnat nth 3 map {
         0: <ipdaddrA>,
         1: <ipdaddrB>,
         2: <ipdaddrC>
 }
This expression is the equivalent of the nth mode of the statistic match in iptables.

To tackle this, I’ve been studying how nft expressions work on both the kernel and libnftnl sides, using expressions like nft_meta, nft_counter and nft_cmp as references:

  • nft_meta was useful as a template, as its random key seems similar to nth. But it is quite different in several respects: it involves no multi-step operations and requires no sreg registers.
  • nft_cmp was useful as an example of passing a data structure from netlink through to netfilter, but it is not very similar to what we need to build.
  • nft_counter is likely the most similar code, as it performs SMP-safe counting. But it counts packets and bytes independently on every CPU and, once the user requests the counter value, adds up all the per-CPU counters to return the final result. This is not what we need for nth, where every CPU must work from the last updated value.

Additionally, I’ve drawn on the current implementation of the nth mode in the xt_statistic match from xtables, which operates on atomic values so that all CPUs stay in sync with the last updated counter value.
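As an added example (not the author’s code, nor part of the kernel or libnftnl), here is a userspace model in C of the counter described above: one shared counter advanced with a compare-and-swap loop, as xt_statistic’s nth mode does, so that every thread, standing in for a CPU, works from the last updated value rather than a private per-CPU count that is only summed on read. The type and function names (struct nth_counter, nth_next, nth_round_robin_is_balanced) are chosen for this example, and the packet counts are constructed.

```c
/*
 * Added example, not the author's kernel or libnftnl code: a userspace
 * model of the nth counter.  One shared counter is advanced with a
 * compare-and-swap loop, as xt_statistic's nth mode does, so every
 * thread (standing in for a CPU) observes the last updated value.
 * struct nth_counter, nth_next() and nth_round_robin_is_balanced() are
 * names chosen for this example.
 */
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>

struct nth_counter {
    atomic_uint count;   /* shared across all CPUs/threads */
    unsigned int every;  /* period: "nth 3" cycles through 0, 1, 2 */
};

/*
 * Advance the shared counter by one packet and return the slot this packet
 * falls in (0 .. every-1).  If another thread changed the counter between
 * our read and our write, atomic_compare_exchange_weak() fails, reloads
 * oval with the current value, and we recompute the next value.  No
 * increment is lost or applied twice, which is what a per-CPU counter
 * summed on read (the nft_counter approach) could not give us here.
 */
static unsigned int nth_next(struct nth_counter *c)
{
    unsigned int oval = atomic_load(&c->count);
    unsigned int nval;

    do {
        nval = (oval + 1 == c->every) ? 0 : oval + 1;  /* wrap to 0 */
    } while (!atomic_compare_exchange_weak(&c->count, &oval, nval));

    return oval;
}

struct worker_arg {
    struct nth_counter *ctr;
    unsigned long packets;   /* constructed packet count for this thread */
    unsigned long *hits;     /* per-thread histogram, one bucket per slot */
};

static void *worker(void *p)
{
    struct worker_arg *a = p;

    for (unsigned long i = 0; i < a->packets; i++)
        a->hits[nth_next(a->ctr)]++;
    return NULL;
}

/*
 * Push nthreads * per_thread packets through one shared counter from
 * nthreads threads concurrently.  Returns 1 if every slot received exactly
 * its share (total / every), 0 otherwise.  The total should be a multiple
 * of every for the check to be exact.
 */
int nth_round_robin_is_balanced(unsigned int every, int nthreads,
                                unsigned long per_thread)
{
    struct nth_counter ctr = { .every = every };
    pthread_t *tids = calloc((size_t)nthreads, sizeof(*tids));
    struct worker_arg *args = calloc((size_t)nthreads, sizeof(*args));
    unsigned long *hits = calloc((size_t)nthreads * every, sizeof(*hits));
    int started = 0, ok = 1;

    if (every == 0 || nthreads <= 0 || !tids || !args || !hits) {
        ok = 0;
        goto out;
    }
    atomic_init(&ctr.count, 0);

    for (; started < nthreads; started++) {
        args[started].ctr = &ctr;
        args[started].packets = per_thread;
        args[started].hits = hits + (size_t)started * every;
        if (pthread_create(&tids[started], NULL, worker, &args[started])) {
            ok = 0;
            break;
        }
    }
    for (int t = 0; t < started; t++)
        pthread_join(tids[t], NULL);

    if (ok) {
        unsigned long expected = (unsigned long)nthreads * per_thread / every;

        for (unsigned int s = 0; s < every && ok; s++) {
            unsigned long total = 0;

            for (int t = 0; t < nthreads; t++)
                total += hits[(size_t)t * every + s];
            if (total != expected)
                ok = 0;
        }
    }
out:
    free(hits);
    free(args);
    free(tids);
    return ok;
}

int main(void)
{
    /* Single-threaded view: the counter cycles 0, 1, 2, 0, 1, 2, ... */
    struct nth_counter c = { .every = 3 };

    atomic_init(&c.count, 0);
    for (int i = 0; i < 7; i++)
        printf("%u ", nth_next(&c));
    printf("\n");

    /* SMP view: 4 threads x 3000 packets through one "nth 3" counter */
    printf("balanced: %s\n",
           nth_round_robin_is_balanced(3, 4, 3000) ? "yes" : "no");
    return 0;
}
```

Build with a C11 compiler and pthreads (for example `cc -std=c11 -pthread`). The single-threaded loop prints the slots 0 1 2 0 1 2 0, and the threaded run reports a perfectly balanced distribution. Replacing the compare-and-swap loop with a plain `c->count++` can lose increments under contention, which is exactly the race the atomic operations in xt_statistic avoid; the slot is always derived from the value read before the increment, so concurrent callers never land on the same slot for the same counter value.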

On the libnftnl side, I’ve drawn on the counter.c, cmp.c and meta.c expressions to implement the nth.c expression.
