Updating sets from the packet path
Since nftables v0.7 you can update sets from the packet path, i.e., update the content of a set based on the packets the firewall is receiving.
This is usually used in combination with Element timeouts, and one of the main use cases is to create dynamic blacklists or ban lists.
There are two main operations, add and update, which differ in how they treat the timeout of an element that is already in the set. The update operation refreshes the element timeout for each packet seen, while add leaves the existing timeout untouched.
An example using the update operation, with timeouts, follows:
% nft add table filter
% nft add chain filter input { type filter hook input priority 0\; }
% nft add set filter myset { type inet_service\; flags timeout,dynamic\; }
% nft add rule filter input set update tcp dport timeout 60s @myset
% nft list ruleset
table ip filter {
        set myset {
                type inet_service
                flags timeout
                elements = { http expires 9s }
        }

        chain input {
                type filter hook input priority 0; policy accept;
                update @myset { tcp dport timeout 1m }
        }
}
This example uses the add operation with a set that has no timeouts:
% nft add table filter
% nft add chain filter input { type filter hook input priority 0\; }
% nft add set filter myset { type ipv4_addr\; }
% nft add rule filter input set add ip saddr @myset
% nft list ruleset
table ip filter {
        set myset {
                type ipv4_addr
                elements = { 1.1.1.1 }
        }

        chain input {
                type filter hook input priority 0; policy accept;
                add @myset { ip saddr }
        }
}
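The ban-list use case mentioned at the top of the page, written out as a complete ruleset. This is an added example, not part of the nftables wiki: the table, set and meter names (filter, banlist, syn_rate) are assumptions, and the rate threshold and ban duration are constructed values. The script only generates the ruleset text and, where nft is installed, dry-runs it with nft -c -f; it does not load anything. It uses the same packet-path set statements shown in the listings above (add @set { ... } and update @set { ... }) rather than the older set add/set update rule syntax, so the difference between the two operations is visible in one place: with update, a banned source that keeps sending keeps refreshing its own ban; with add, the ban expires at the originally scheduled time no matter how much traffic arrives.

```shell
#!/bin/sh
# Added example (not from the nftables wiki): a dynamic ban list driven by
# set updates from the packet path. Names are assumptions, values constructed.

# Emit one packet-path set statement followed by a drop verdict.
# $1 = add|update, $2 = set name, $3 = element timeout (e.g. 10m).
# update: refresh the timeout on every matching packet; add: keep the original one.
set_op_rule() {
    printf '%s @%s { ip saddr timeout %s } drop\n' "$1" "$2" "$3"
}

# Emit a complete ruleset suitable for `nft -f`.
# $1 = ban duration (default 10m), $2 = add|update (default add).
banlist_ruleset() {
    ban_for="${1:-10m}"
    op="${2:-add}"
    # already-banned sources: drop, and with op=update also extend the ban
    banned_rule=$(set_op_rule "$op" banlist "$ban_for")
    # sources opening too many new connections per minute: put them in the set
    flood_rule=$(set_op_rule add banlist "$ban_for")
    cat <<EOF
table ip filter {
        set banlist {
                type ipv4_addr
                flags timeout,dynamic
        }

        chain input {
                type filter hook input priority 0; policy accept;
                ip saddr @banlist counter ${banned_rule}
                ct state new meter syn_rate { ip saddr limit rate over 10/minute } ${flood_rule}
        }
}
EOF
}

# Dry-run the generated ruleset with nft (needs nft installed; returns 2 if not).
check_ruleset() {
    command -v nft >/dev/null 2>&1 || { echo "nft not installed, skipping check" >&2; return 2; }
    banlist_ruleset "$@" | nft -c -f -
}

# Usage: banlist_ruleset 10m update > banlist.nft && check_ruleset 10m update
```

Once loaded, `nft list set ip filter banlist` shows each banned address with its remaining `expires` value, exactly like the `http expires 9s` entry in the first listing, which is the quickest way to confirm whether update is actually refreshing timeouts the way you expect.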