* nftables feature request: modify set element timeout
@ 2019-07-22 17:53 Fran Fitzpatrick
2019-07-25 12:24 ` Laura Garcia
0 siblings, 1 reply; 4+ messages in thread
From: Fran Fitzpatrick @ 2019-07-22 17:53 UTC (permalink / raw)
To: netfilter-devel
This morning I was using the `timeout` feature of nftables, but came
across an apparent limitation where I was not able to update an
element in a set's timeout value unless I removed the element from the
set.
Can it be possible to handle the element timeout value without needed
to remove it from a set?
[root@fedora29 vagrant]# nft add element inet filter myset {10.0.0.1
timeout 1m }
[root@fedora29 vagrant]# nft add element inet filter myset {10.0.0.1
timeout 10m }
[root@fedora29 vagrant]# nft list ruleset
table inet filter {
set myset {
type ipv4_addr
flags timeout
elements = { 10.0.0.1 timeout 1m expires 59s542ms }
}
}
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: nftables feature request: modify set element timeout
2019-07-22 17:53 nftables feature request: modify set element timeout Fran Fitzpatrick
@ 2019-07-25 12:24 ` Laura Garcia
2019-08-01 14:22 ` Fran Fitzpatrick
0 siblings, 1 reply; 4+ messages in thread
From: Laura Garcia @ 2019-07-25 12:24 UTC (permalink / raw)
To: Fran Fitzpatrick; +Cc: Netfilter Development Mailing list
On Tue, Jul 23, 2019 at 1:10 AM Fran Fitzpatrick
<francis.x.fitzpatrick@gmail.com> wrote:
>
> This morning I was using the `timeout` feature of nftables, but came
> across an apparent limitation where I was not able to update an
> element in a set's timeout value unless I removed the element from the
> set.
>
> Can it be possible to handle the element timeout value without needed
> to remove it from a set?
>
> [root@fedora29 vagrant]# nft add element inet filter myset {10.0.0.1
> timeout 1m }
> [root@fedora29 vagrant]# nft add element inet filter myset {10.0.0.1
> timeout 10m }
> [root@fedora29 vagrant]# nft list ruleset
> table inet filter {
> set myset {
> type ipv4_addr
> flags timeout
> elements = { 10.0.0.1 timeout 1m expires 59s542ms }
> }
> }
Hi,
The timeout attribute per element is designed to be created as a
constant value where the expiration is calculated and reseted to the
timeout value during an element update. I don't know exactly your use
case but what you're able to do is something like:
nft add element inet filter myset {10.0.0.1 timeout 10m }
Where the timeout would be the max reachable value, and then update
the expiration date:
nft add element inet filter myset {10.0.0.1 expires 1m }
For this, you would need an upstream kernel and nftables.
Cheers!
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: nftables feature request: modify set element timeout
2019-07-25 12:24 ` Laura Garcia
@ 2019-08-01 14:22 ` Fran Fitzpatrick
2019-08-01 14:40 ` Laura Garcia
0 siblings, 1 reply; 4+ messages in thread
From: Fran Fitzpatrick @ 2019-08-01 14:22 UTC (permalink / raw)
To: Laura Garcia; +Cc: Netfilter Development Mailing list
Hi Laura,
How come we would need an upstream kernel patch?
It seems like this can be done in the packet path, but I want to do it
outside of the packet path. Ref:
https://wiki.nftables.org/wiki-nftables/index.php/Updating_sets_from_the_packet_path
I essentially want to update the timeout of a set element from the
userspace `nft` command.
Fran
On Thu, Jul 25, 2019 at 7:24 AM Laura Garcia <nevola@gmail.com> wrote:
>
> On Tue, Jul 23, 2019 at 1:10 AM Fran Fitzpatrick
> <francis.x.fitzpatrick@gmail.com> wrote:
> >
> > This morning I was using the `timeout` feature of nftables, but came
> > across an apparent limitation where I was not able to update an
> > element in a set's timeout value unless I removed the element from the
> > set.
> >
> > Can it be possible to handle the element timeout value without needed
> > to remove it from a set?
> >
> > [root@fedora29 vagrant]# nft add element inet filter myset {10.0.0.1
> > timeout 1m }
> > [root@fedora29 vagrant]# nft add element inet filter myset {10.0.0.1
> > timeout 10m }
> > [root@fedora29 vagrant]# nft list ruleset
> > table inet filter {
> > set myset {
> > type ipv4_addr
> > flags timeout
> > elements = { 10.0.0.1 timeout 1m expires 59s542ms }
> > }
> > }
>
> Hi,
>
> The timeout attribute per element is designed to be created as a
> constant value where the expiration is calculated and reseted to the
> timeout value during an element update. I don't know exactly your use
> case but what you're able to do is something like:
>
> nft add element inet filter myset {10.0.0.1 timeout 10m }
>
> Where the timeout would be the max reachable value, and then update
> the expiration date:
>
> nft add element inet filter myset {10.0.0.1 expires 1m }
>
> For this, you would need an upstream kernel and nftables.
>
> Cheers!
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2019-08-01 14:40 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-07-22 17:53 nftables feature request: modify set element timeout Fran Fitzpatrick
2019-07-25 12:24 ` Laura Garcia
2019-08-01 14:22 ` Fran Fitzpatrick
2019-08-01 14:40 ` Laura Garcia
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).