[PATCH nft] doc: describe dynamic flag and caveats for packet-path updates

This fails:

nft add table ip filter
nft add chain ip filter input '{' type filter hook input priority 0 ';' '}'
nft add set ip filter protocols '{' type inet_proto ';' '}'
nft add rule ip filter input iifname lo set add ip protocol @protocols
                                                  ^^^^^^^^^^^^^^^^^^^
...as wrong set type gets chosen.
Describe dynamic flag and that sets should have both timeout and
max size set.

Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
---
 doc/nft.xml | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/doc/nft.xml b/doc/nft.xml
index ef1b2c4ea161..fca277be13aa 100644
--- a/doc/nft.xml
+++ b/doc/nft.xml
@@ -1071,6 +1071,7 @@ table inet filter {
 		</para>
 		<para>
 			Sets are elements containers of an user-defined data type, they are uniquely identified by an user-defined name and attached to tables.
+			Their behaviour can be tuned with the <literal>flags</literal> that can be specified at set creation time.
 		</para>
 
 		<variablelist>
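Review bot: the new sentence "Their behaviour can be tuned with the <literal>flags</literal> ..." is added right after a context line that still reads "an user-defined data type" and "an user-defined name"; since this paragraph is being edited anyway, fix the article to "a user-defined" in both places. It would also help to say in the new sentence what the flags influence (for example that updates from the packet path require a flag), otherwise "tuned" tells the reader nothing they can act on.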
@@ -1078,7 +1079,8 @@ table inet filter {
 				<term><option>add</option></term>
 				<listitem>
 					<para>
-						Add a new set in the specified table.
+						Add a new set in the specified table. See the <literal>Set specification</literal> table below
+						for more information about how to specify a sets properties.
 					</para>
 				</listitem>
 			</varlistentry>
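Review bot: missing apostrophe in the added line "for more information about how to specify a sets properties." It should read "a set's properties". Also, the pointer "See the <literal>Set specification</literal> table below" would be clearer with the section or table title as it actually appears in the rendered document, so readers can find it.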
@@ -1146,7 +1148,7 @@ table inet filter {
 					<row>
 						<entry>flags</entry>
 						<entry>set flags</entry>
-						<entry>string: constant, interval, timeout</entry>
+						<entry>string: constant, dynamic, interval, timeout</entry>
 					</row>
 					<row>
 						<entry>timeout</entry>
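Review bot: the flags entry becomes a bare list "string: constant, dynamic, interval, timeout" with no hint of when <literal>dynamic</literal> is needed. A reader who builds a set from this table and then uses the set statement will hit exactly the failure quoted in the commit message, since the requirement is only stated in the Set statement section much further down. Add a short note to this row (or a cross-reference) along the lines of "dynamic: required for sets updated from the packet path via the set statement".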
@@ -5519,10 +5521,10 @@ dup to ip daddr map { 192.168.7.1 : "eth0", 192.168.7.2 : "eth1" }
 			<title>Set statement</title>
 			<para>
 				The set statement is used to dynamically add or update elements in a set from the packet path.
-				The set <literal>setname</literal> must already exist in the given table.
-				Furthermore, any set that will be dynamically updated from the nftables ruleset must specify
-				both a maximum set size (to prevent memory exhaustion) and a timeout (so that number of entries in
-				set will not grow indefinitely).
+				The set <literal>setname</literal> must already exist in the given table and must have been
+				created with the <literal>dynamic</literal> flag.
+				Furthermore, these sets must specify both a maximum set size (to prevent memory exhaustion) and
+				a timeout (so that number of entries in set will not grow indefinitely).
 				The set statement can be used to e.g. create dynamic blacklists.
 			</para>
 			<para>
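Review bot: the rewritten paragraph states the three requirements (dynamic flag, maximum size, timeout) but shows none of them; given that the commit message already has the failing command, a working counterpart belongs here, e.g. "nft add set ip filter protocols '{ type inet_proto; flags dynamic; timeout 1h; size 65535; }'" so that readers can see all three together. Two grammar fixes in the same hunk: "so that number of entries in set will not grow indefinitely" should read "so that the number of entries in the set will not grow indefinitely", and "must have been created with the dynamic flag" would read better as "must have been created with the <literal>dynamic</literal> flag set".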
-- 
2.16.4
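The following ruleset is an added example, not part of the patch or of the nftables project's documentation, that puts the corrected set definition next to the rule from the commit message. It assumes the set and chain names from the commit message (filter, input, protocols), and the second set (blacklist), the port 2222 and the timeout values are illustrative choices only.

```nft
#!/usr/sbin/nft -f
flush ruleset

table ip filter {
	# The set from the commit message, fixed: without "flags dynamic" a set
	# type that cannot be updated from the packet path is chosen and the
	# "set add" rule below is rejected at load time. "timeout" bounds the
	# lifetime of each entry, "size" bounds memory use.
	set protocols {
		type inet_proto
		flags dynamic,timeout
		timeout 1h
		size 65535
	}

	# A dynamic blacklist as mentioned in the Set statement section.
	# Illustrative: sources that probe port 2222 are recorded for 10 minutes.
	set blacklist {
		type ipv4_addr
		flags dynamic,timeout
		timeout 10m
		size 65535
	}

	chain input {
		type filter hook input priority 0; policy accept;

		# Drop anything from a source that was added to the blacklist.
		ip saddr @blacklist drop

		# The rule from the commit message, now accepted because the set
		# carries the dynamic flag, a timeout and a maximum size.
		iifname "lo" set add ip protocol @protocols

		# Populate the blacklist from the packet path (illustrative port).
		tcp dport 2222 set add ip saddr @blacklist
	}
}
```

Load with `nft -f <file>`; loading the same file with the `flags` line removed from `protocols` reproduces the error from the commit message. Check the live contents with `nft list set ip filter blacklist`, where each element is shown with its remaining timeout.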
