Add metrics collection support to nftables set-only
mode
#292
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
This PR solves #291. It stops
crowdsec-firewall-bouncer
floodingcrowdsec-firewall-bouncer.log
by adding basic support for metrics collection toset-only
mode.As explained in #291 , it is not a perfect solution since it allows metrics collection only from one chain.
Description of changes
File changed: pkg/nftables/metrics.go
collectDroppedPackets()
to take chain name directlychain-hook
) from itcollectDroppedPackets()
tocollectDropped()
if c.setOnly
clause tocollectDropped()
to handle both the casesFurther considerations
Collecting metrics from all chains / hooks in
set-only
mode would require a way to tell the bouncer which chains are being used. This could be done with the following changes (not included in the PR)nftables_hooks
config option to contain actual chain names and the remove the use of undocumented string concatenation to createnftables
chain names from chain (basename) and hooksnftables_hooks
config option inset-only
mode to tell the bouncer from which chains to collect metrics from