* nftables feature request: modify set element timeout
@ 2019-07-22 17:53 Fran Fitzpatrick
From: Fran Fitzpatrick @ 2019-07-22 17:53 UTC (permalink / raw)
  To: netfilter-devel

This morning I was using the `timeout` feature of nftables, but came
across an apparent limitation where I was not able to update an
element in a set's timeout value unless I removed the element from the
set.

Can it be possible to handle the element timeout value without needing
to remove it from a set?

[root@fedora29 vagrant]# nft add element inet filter myset {10.0.0.1 timeout 1m }
[root@fedora29 vagrant]# nft add element inet filter myset {10.0.0.1 timeout 10m }
[root@fedora29 vagrant]# nft list ruleset
table inet filter {
        set myset {
                type ipv4_addr
                flags timeout
                elements = { 10.0.0.1 timeout 1m expires 59s542ms }
        }
}


* Re: nftables feature request: modify set element timeout
From: Laura Garcia @ 2019-07-25 12:24 UTC (permalink / raw)
  To: Fran Fitzpatrick; +Cc: Netfilter Development Mailing list

Hi,

The timeout attribute per element is designed to be created as a
constant value where the expiration is calculated and reset to the
timeout value during an element update. I don't know exactly your use
case but what you're able to do is something like:

nft add element inet filter myset {10.0.0.1 timeout 10m }

Where the timeout would be the max reachable value, and then update
the expiration date:

nft add element inet filter myset {10.0.0.1 expires 1m }

For this, you would need an upstream kernel and nftables.

Cheers!


* Re: nftables feature request: modify set element timeout
From: Fran Fitzpatrick @ 2019-08-01 14:22 UTC (permalink / raw)
  To: Laura Garcia; +Cc: Netfilter Development Mailing list

Hi Laura,

How come we would need an upstream kernel patch?

It seems like this can be done in the packet path, but I want to do it
outside of the packet path. Ref:
https://wiki.nftables.org/wiki-nftables/index.php/Updating_sets_from_the_packet_path

I essentially want to update the timeout of a set element from the
userspace `nft` command.

Fran


* Re: nftables feature request: modify set element timeout
From: Laura Garcia @ 2019-08-01 14:40 UTC (permalink / raw)
  To: Fran Fitzpatrick; +Cc: Netfilter Development Mailing list

On Thu, Aug 1, 2019 at 4:22 PM Fran Fitzpatrick
<francis.x.fitzpatrick@gmail.com> wrote:

> How come we would need an upstream kernel patch?
>

I meant that the expiration configuration is a quite new feature [0]
that requires a recent kernel.

> It seems like this can be done in the packet path, but I want to do it
> outside of the packet path. Ref:
> https://wiki.nftables.org/wiki-nftables/index.php/Updating_sets_from_the_packet_path
>

No, the expiration time can be modified outside the packet path as well.

> I essentially want to update the timeout of a set element from the
> userspace `nft` command.
>

If the expiration approach is not valid for you, then currently the
only option is deleting the element and adding it with the new timeout
value.

[0] https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git/commit/?id=79ebb5bb4e38a58ca796dd242b855a4982e101d7
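The model Laura describes (the per-element `timeout` is a fixed ceiling, `expires` only moves the clock within it, and anything beyond the ceiling needs delete-and-re-add) written up as a small Python planner. This is an added example, not code from the thread or from the nftables project; it assumes the JSON layout of `nft -j list set` shown in the constructed sample and that the installed nft/kernel accept the `expires` keyword.

```python
"""Plan an nft set-element expiry change following the thread's rules."""
import json

# Constructed sample of what `nft -j list set inet filter myset` might return
# after `nft add element inet filter myset { 10.0.0.1 timeout 10m }`
# (element layout assumed: {"elem": {"val", "timeout", "expires"}}, seconds).
SAMPLE_SET_JSON = json.dumps({"nftables": [
    {"metainfo": {"version": "0.9.2", "json_schema_version": 1}},
    {"set": {"family": "inet", "name": "myset", "table": "filter",
             "type": "ipv4_addr", "flags": ["timeout"],
             "elem": [{"elem": {"val": "10.0.0.1", "timeout": 600,
                                "expires": 412}}]}}]})


def parse_elements(set_json):
    """Return {value: (timeout_s, expires_s)} for every element in the set."""
    out = {}
    for obj in json.loads(set_json)["nftables"]:
        for entry in obj.get("set", {}).get("elem", []):
            # Elements without timeout data are emitted as bare values.
            e = entry["elem"] if isinstance(entry, dict) else {"val": entry}
            out[e["val"]] = (e.get("timeout"), e.get("expires"))
    return out


def plan_expiry_update(set_json, ip, new_expires_s, family="inet",
                       table="filter", name="myset"):
    """Return the nft command(s) that make `ip` expire in new_expires_s.

    - Element absent:       add it with timeout == the wanted lifetime.
    - Within its timeout:   re-add with `expires`; only the clock moves.
    - Beyond its timeout:   the fixed timeout is the ceiling, so delete and
      re-add with a larger timeout (the fallback the thread ends on).
    """
    tgt = f"{family} {table} {name}"
    elems = parse_elements(set_json)
    if ip not in elems:
        return [f"nft add element {tgt} {{ {ip} timeout {new_expires_s}s }}"]
    timeout_s, _ = elems[ip]
    if timeout_s is not None and new_expires_s <= timeout_s:
        return [f"nft add element {tgt} {{ {ip} expires {new_expires_s}s }}"]
    return [f"nft delete element {tgt} {{ {ip} }}",
            f"nft add element {tgt} {{ {ip} timeout {new_expires_s}s }}"]
```

The planner only builds the commands; run them under a single `nft -f` transaction if the delete-and-re-add path must not leave a window with the element missing.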

