http://wiki.nftables.org/wiki-nftables/api.php?action=feedcontributions&feedformat=atom&user=Paulobrucknftables wiki - User contributions [en]2026-04-05T18:27:17ZUser contributionsMediaWiki 1.43.6http://wiki.nftables.org/wiki-nftables/index.php?title=Sets&diff=231Sets2017-12-28T12:22:25Z<p>Paulobruck: cut and paste part of Eric Leblond to anonymous sets</p>
<hr />
<div>''nftables'' comes with a built-in generic set infrastructure that allows you to use '''any''' supported selector to build sets. This infrastructure makes possible the representation of [[dictionaries]] and [[maps]].<br />
<br />
The set elements are internally represented using performance data structures such as hashtables and red-black trees.<br />
<br />
= Anonymous sets =<br />
<br />
Anonymous sets are those that are:<br />
<br />
* Bound to a rule, if the rule is removed, that set is released too.<br />
* They have no specific name, the kernel internally allocates an identifier.<br />
* They cannot be updated. So you cannot add and delete elements from it once it is bound to a rule.<br />
<br />
The following example shows how to create a simple set.<br />
<br />
<source lang="bash"><br />
% nft add rule filter output tcp dport { 22, 23 } counter<br />
</source><br />
<br />
This rule above catches all traffic going to TCP ports 22 and 23, in case of matching the counters are updated.<br />
<br />
Eric Leblond in his [https://home.regit.org/2014/01/why-you-will-love-nftables/ Why you will love nftables] article shows a very simple example to compare iptables with nftables:<br />
<br />
<source lang="bash"><br />
ip6tables -A INPUT -p tcp -m multiport --dports 23,80,443 -j ACCEPT<br />
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT<br />
ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT<br />
ip6tables -A INPUT -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT<br />
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT<br />
</source><br />
<br />
Which can be expressed in ''nftables'' with a couple of rules that provide a set:<br />
<br />
<source lang="bash"><br />
% nft add rule ip6 filter input tcp dport {telnet, http, https} accept<br />
% nft add rule ip6 filter input icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept<br />
</source><br />
<br />
= Named sets =<br />
<br />
You can create the named sets with the following command:<br />
<br />
<source lang="bash"><br />
% nft add set filter blackhole { type ipv4_addr\;}<br />
</source><br />
<br />
Note that ''blackhole'' is the name of the set in this case. The ''type'' option indicates the data type that this set stores, which is an IPv4 address in this case. Current maximum name length is 16 characters.<br />
<br />
<source lang="bash"><br />
% nft add element filter blackhole { 192.168.3.4 }<br />
% nft add element filter blackhole { 192.168.1.4, 192.168.1.5 }<br />
</source><br />
<br />
Then, you can use it from the rule:<br />
<br />
<source lang="bash"><br />
% nft add rule ip input ip saddr @blackhole drop<br />
</source><br />
<br />
Named sets can be updated anytime, so you can add and delete element from them.<br />
<br />
<br />
= Named sets specifications =<br />
<br />
Sets specifications are:<br />
<br />
* '''type''', is obligatory and determines the data type of the set elements. Supported data types currently are:<br />
** ''ipv4_addr'': IPv4 address<br />
** ''ipv6_addr'': IPv6 address.<br />
** ''ether_addr'': Ethernet address.<br />
** ''inet_proto'': Inet protocol type.<br />
** ''inet_service'': Internet service (read tcp port for example)<br />
** ''mark'': Mark type.<br />
<br />
* '''timeout''', it determines how long an element stays in the set. The time string respects the format: ''"v<sub>1</sub>dv<sub>2</sub>hv<sub>3</sub>mv<sub>4</sub>s"'':<br />
<br />
<source lang="bash"><br />
% nft add table filter<br />
% nft add set filter ports {type inet_service \; timeout 3h45s \;}<br />
</source><br />
<br />
These commands create a table named ''filter'' and add a set named ''ports'' to it, where elements are deleted after 3 hours and 45 seconds of being added.<br />
<br />
* '''flags''', the available flags are:<br />
** ''constant'' - set content may not change while bound<br />
** ''interval'' - set contains intervals<br />
** ''timeout'' - elements can be added with a timeout<br />
<br />
Multiple flags should be separated by comma:<br />
<br />
<source lang="bash"><br />
% nft add set filter flags_set {type ipv4_addr\; flags constant, interval\;}<br />
</source><br />
<br />
* '''gc-interval''', stands for garbage collection interval, can only be used if ''timeout'' or ''flags timeout'' are active. The interval follows the same format of ''timeouts'' time string ''"v<sub>1</sub>dv<sub>2</sub>hv<sub>3</sub>mv<sub>4</sub>s"''.<br />
<br />
* '''elements''', initialize the set with some elements in it:<br />
<br />
<source lang="bash"><br />
% nft add set filter daddrs {type ipv4_addr \; flags timeout \; elements={192.168.1.1 timeout 10s, 192.168.1.2 timeout 30s} \;}<br />
</source><br />
<br />
This command creates a set name ''daddrs'' with elements ''192.168.1.1'', which stays in it for 10s, and ''192.168.1.2'', which stays for 30s.<br />
<br />
* '''size''', limits the maximum number of elements of the set. To create a set with maximum 2 elements type:<br />
<br />
<source lang="bash"><br />
% nft add set filter saddrs {type ipv4_addr \; size 2 \;}<br />
</source><br />
<br />
* '''policy''', determines set selection policy. Available values are:<br />
** ''performance'' [default]<br />
** ''memory''<br />
<br />
= Listing named sets =<br />
<br />
You can list the content of a named set via:<br />
<br />
<source lang="bash"><br />
% nft list set filter myset<br />
</source></div>Paulobruck