Updating sets from the packet path

From nftables wiki
Revision as of 12:53, 4 December 2019 by Fw (talk | contribs)

Since nftables v0.7 you can update sets from the packet path, i.e., update the content of a set based on the packets the firewall is receiving.

This is usually used in combination with Element timeouts, and one of the main use cases is to create dynamic black lists or ban lists.

There are two main operations: add and update, which differ in how they treat the timeout of an element that is already in the set. The update operation refreshes the element timeout for each packet seen, while add leaves the existing timeout untouched.

An example using the update operation, with timeouts, follows:

 % nft add table filter
 % nft add chain filter input { type filter hook input priority 0\; }
 % nft add set filter myset { type inet_service\; flags timeout\; }
 % nft add rule filter input set update tcp dport timeout 60s @myset
 % nft list ruleset
 table ip filter {
        set myset {
                type inet_service
                flags timeout
                elements = { http expires 9s}
        }

        chain input {
                type filter hook input priority 0; policy accept;
                update @myset { tcp dport timeout 1m }
        }
 }

This example uses the add operation in a set without timeouts:

 % nft add table filter
 % nft add chain filter input { type filter hook input priority 0\; }
 % nft add set filter myset { type ipv4_addr\; }
 % nft add rule filter input set add ip saddr @myset
 % nft list ruleset
 table ip filter {
        set myset {
                type ipv4_addr
                elements = { 1.1.1.1 }
        }

        chain input {
                type filter hook input priority 0; policy accept;
                add @myset { ip saddr }
        }
 }
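The dynamic ban list use case mentioned above, as an added example that is not part of the wiki page: a POSIX shell script that generates an nft ruleset (in `nft -f` syntax) in which any address sending a packet to an unused port is added to a timed set and dropped from then on. It assumes TCP port 23 is not served on the host, so a packet to it is treated as a probe; the table, set and chain names are chosen here, not taken from the page.

```shell
#!/bin/sh
# Added example: dynamic ban list fed from the packet path (not the wiki's code).
# Assumption: nothing listens on TCP port 23 here, so traffic to it is a probe.
PROBE_PORT=23
BAN_TIMEOUT="1h"

# Print the ruleset. The 'update' statement comes before the drop rule on purpose:
# every further probe from a banned address refreshes its timeout, so the ban only
# expires after the address has been quiet for BAN_TIMEOUT. With 'add' instead, the
# ban would expire BAN_TIMEOUT after the first probe, no matter how many followed.
banlist_ruleset() {
    cat <<EOF
table ip filter {
    set banlist {
        type ipv4_addr
        flags timeout
    }
    chain input {
        type filter hook input priority 0; policy accept;
        tcp dport ${PROBE_PORT} update @banlist { ip saddr timeout ${BAN_TIMEOUT} }
        ip saddr @banlist drop
    }
}
EOF
}

# Syntax-check the generated ruleset without loading it (nft -c).
banlist_check() {
    tmp=$(mktemp) || return 1
    banlist_ruleset > "$tmp"
    nft -c -f "$tmp"; rc=$?
    rm -f "$tmp"
    return $rc
}

# Load the ruleset into the kernel (needs root and nft).
banlist_apply() {
    tmp=$(mktemp) || return 1
    banlist_ruleset > "$tmp"
    nft -f "$tmp"; rc=$?
    rm -f "$tmp"
    return $rc
}

# Show the currently banned addresses and their remaining timeouts.
banlist_show() {
    nft list set ip filter banlist
}

case "${1:-}" in
    check) banlist_check ;;
    apply) banlist_apply ;;
    show)  banlist_show ;;
esac
```

Run `sh script.sh check` to validate the ruleset, `apply` to load it, and `show` to list the entries with their `expires` counters as in the listing above.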