Updating sets from the packet path

From nftables wiki

Latest revision as of 09:28, 27 February 2023

Since nftables v0.7 you can update sets from the packet path, i.e., update the content of a set based on the packets the firewall is receiving.

This is usually used in combination with Element timeouts, and one of the main use cases is to create dynamic black lists or ban lists.

There are two main operations: add and update, which differ in how they treat the timeout of an element that is already in the set. The update command refreshes the element timeout for each packet seen, while add leaves an existing element's timeout untouched.

An example using the update operation, with timeouts, follows:

 % nft add table filter
 % nft add chain filter input { type filter hook input priority 0\; }
 % nft add set filter myset { type inet_service\; flags timeout,dynamic\; }
 % nft add rule filter input set update tcp dport timeout 60s @myset
 % nft list ruleset
 table ip filter {
        set myset {
                type inet_service
                flags timeout
                elements = { http expires 9s}
        }

        chain input {
                type filter hook input priority 0; policy accept;
                update @myset { tcp dport timeout 1m }
        }
 }

This example uses the add operation in a set without timeouts:

 % nft add table filter
 % nft add chain filter input { type filter hook input priority 0\; }
 % nft add set filter myset { type ipv4_addr\; }
 % nft add rule filter input set add ip saddr @myset
 % nft list ruleset
 table ip filter {
        set myset {
                type ipv4_addr
                elements = { 1.1.1.1 }
        }

        chain input {
                type filter hook input priority 0; policy accept;
                add @myset { ip saddr }
        }
 }
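The following ruleset file is an added example and not part of the wiki page: it puts the two operations side by side in the ban-list scenario the page mentions. The table name, the trap port (2323) and the timeouts are assumptions chosen for the illustration; the syntax is the current `add @set { ... }` / `update @set { ... }` form that `nft list ruleset` prints above.

```nft
#!/usr/sbin/nft -f
# Added example, not from the nftables wiki page.
# Contrasts "add" and "update" from the packet path using a dynamic ban list.
# Port 2323 and the 5m/10m timeouts are assumptions for this illustration.

flush ruleset

table inet filter {
        # Sources that touched the trap port. "dynamic" lets rules insert
        # elements from the packet path, "timeout" makes elements expire.
        set banned {
                type ipv4_addr
                flags dynamic,timeout
        }

        # Same kind of set, but entries are never refreshed once inserted.
        set seen_once {
                type ipv4_addr
                flags dynamic,timeout
        }

        chain input {
                type filter hook input priority 0; policy accept;

                iif lo accept
                ct state established,related accept

                # Fixed 5-minute expiry: "add" does nothing when the element
                # already exists, so the original timer keeps running.
                tcp dport 2323 add @seen_once { ip saddr timeout 5m }

                # Sliding 10-minute ban: "update" re-arms the timer on every
                # packet to the trap port from that source.
                tcp dport 2323 update @banned { ip saddr timeout 10m }

                # Drop everything from banned sources. This rule also uses
                # "update", so each dropped packet extends the ban; the ban
                # only lapses once the source has been quiet for 10 minutes.
                ip saddr @banned update @banned { ip saddr timeout 10m } drop
        }
}
```

Load it with `nft -f <file>` and watch the two sets with `nft list set inet filter banned` and `nft list set inet filter seen_once`: after repeated packets from one source, the `expires` value in `seen_once` keeps counting down from the first insertion, while the one in `banned` jumps back to 10m each time. Note that the drop rule refreshes the timer on every packet, which is the right choice for a ban list but means a source that never stops sending is never released; use `add` in that rule instead if a fixed ban length is wanted.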