Updating sets from the packet path: Difference between revisions
Latest revision as of 09:28, 27 February 2023
Since nftables v0.7 you can update sets from the packet path, i.e., update the content of a set based on the packets the firewall is receiving.
This is usually used in combination with Element timeouts, and one of the main use cases is to create dynamic black lists or ban lists.
There are two main operations: add and update, which differ in how they modify any previous element timeout. The update command refreshes the element timeout for each packet seen, while add does not.
An example using the update operation, with timeouts, follows:
% nft add table filter
% nft add chain filter input { type filter hook input priority 0\; }
% nft add set filter myset { type inet_service\; flags timeout,dynamic\; }
% nft add rule filter input set update tcp dport timeout 60s @myset
% nft list ruleset
table ip filter {
        set myset {
                type inet_service
                flags timeout
                elements = { http expires 9s}
        }
        chain input {
                type filter hook input priority 0; policy accept;
                update @myset { tcp dport timeout 1m }
        }
}
This example uses the add operation in a set without timeouts:
% nft add table filter
% nft add chain filter input { type filter hook input priority 0\; }
% nft add set filter myset { type ipv4_addr\; }
% nft add rule filter input set add ip saddr @myset
% nft list ruleset
table ip filter {
        set myset {
                type ipv4_addr
                elements = { 1.1.1.1 }
        }
        chain input {
                type filter hook input priority 0; policy accept;
                add @myset { ip saddr }
        }
}
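The two operations above are shown in isolation; the use case the page names, a dynamic ban list, combines them: add keeps a per-source rate counter, and update (re)inserts offending sources into a timed set that an earlier rule drops on. The following ruleset file is an added example, not part of the wiki page or the nftables project; the table, chain and set names (filter, input, ssh_meter, banlist), the port, the rate and the 10 minute ban are assumptions chosen for illustration.

```nft
#!/usr/sbin/nft -f
# Added example (not from the wiki page): a dynamic ban list fed from the packet path.
# All names, ports, rates and timeouts below are assumptions for illustration.

flush ruleset

table inet filter {
        # Sources currently banned. "dynamic" allows packet-path updates, "timeout"
        # lets entries expire on their own (set-level default of 10 minutes).
        set banlist {
                type ipv4_addr
                flags dynamic,timeout
                timeout 10m
                size 65535
        }

        # Per-source rate counters for new SSH connections. Elements are created
        # with "add" on the first packet and reused afterwards.
        set ssh_meter {
                type ipv4_addr
                flags dynamic
                size 65535
        }

        chain input {
                type filter hook input priority 0; policy accept;

                iif lo accept
                ct state established,related accept

                # Membership check on every packet: banned sources are dropped first.
                ip saddr @banlist counter drop

                # A source opening more than 10 new SSH connections per minute is
                # added to (or refreshed in) the ban list for 10 minutes and dropped.
                # "add" only creates the counter; "update" refreshes the ban timeout
                # on every further matching packet, which is the difference the
                # page describes between the two operations.
                tcp dport 22 ct state new \
                        add @ssh_meter { ip saddr limit rate over 10/minute burst 5 packets } \
                        update @banlist { ip saddr timeout 10m } counter drop
        }
}
```

Load it with nft -f banlist.nft and watch the set with nft list set inet filter banlist; each element is listed with its remaining expires value, and because the rule uses update rather than add, a source that keeps hammering the port keeps its timer reset rather than dropping off the list after the original 10 minutes.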