This fails: nft add table ip filter nft add chain ip filter input '{' type filter hook input priority 0 ';' '}' nft add set ip filter protocols '{' type inet_proto ';' '}' nft add rule ip filter input iifname lo set add ip protocol @protocols ^^^^^^^^^^^^^^^^^^^ ...as wrong set type gets chosen. Describe dynamic flag and that sets should have both timeout and max size set. Signed-off-by: Florian Westphal <fw@xxxxxxxxx> --- doc/nft.xml | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/doc/nft.xml b/doc/nft.xml index ef1b2c4ea161..fca277be13aa 100644 --- a/doc/nft.xml +++ b/doc/nft.xml @@ -1071,6 +1071,7 @@ table inet filter { </para> <para> Sets are elements containers of an user-defined data type, they are uniquely identified by an user-defined name and attached to tables. + Their behaviour can be tuned with the <literal>flags</literal> that can be specified at set creation time. </para> <variablelist> @@ -1078,7 +1079,8 @@ table inet filter { <term><option>add</option></term> <listitem> <para> - Add a new set in the specified table. + Add a new set in the specified table. See the <literal>Set specification</literal> table below + for more information about how to specify a sets properties. </para> </listitem> </varlistentry> @@ -1146,7 +1148,7 @@ table inet filter { <row> <entry>flags</entry> <entry>set flags</entry> - <entry>string: constant, interval, timeout</entry> + <entry>string: constant, dynamic, interval, timeout</entry> </row> <row> <entry>timeout</entry> 
@@ -5519,10 +5521,10 @@ dup to ip daddr map { 192.168.7.1 : "eth0", 192.168.7.2 : "eth1" } <title>Set statement</title> <para> The set statement is used to dynamically add or update elements in a set from the packet path. - The set <literal>setname</literal> must already exist in the given table. - Furthermore, any set that will be dynamically updated from the nftables ruleset must specify - both a maximum set size (to prevent memory exhaustion) and a timeout (so that number of entries in - set will not grow indefinitely). + The set <literal>setname</literal> must already exist in the given table and must have been + created with the <literal>dynamic</literal> flag. + Furthermore, these sets must specify both a maximum set size (to prevent memory exhaustion) and + a timeout (so that number of entries in set will not grow indefinitely). The set statement can be used to e.g. create dynamic blacklists. </para> <para> -- 2.16.4 -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
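Review bot: the sentence added in hunk @@ -1071 tells the reader that flags "can be specified at set creation time" without saying where they are described, and the one flag this patch is about (dynamic) is only explained in the Set statement section thousands of lines later; add a cross-reference to the flags row of the set specification table and to the Set statement section here, so the reader who is creating a set learns about the requirement before hitting the error in the commit message. While this paragraph is being touched, the context line reads "an user-defined" twice; "a user-defined" is correct.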
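Review bot: typo in hunk @@ -1078, "how to specify a sets properties" should read "how to specify a set's properties". The sentence also refers to the table as "Set specification" inside <literal>; check that this is the table's actual title in the rendered manpage so the reference resolves, since it is the only pointer from the add command to the flags/timeout rows.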
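Review bot: hunk @@ -1146 only adds the word "dynamic" to the list of flag names; nothing in the table says what any flag does, and the commit message's stated goal is to "Describe dynamic flag". The reader consulting the flags row has no way to learn that dynamic is what makes a set usable with the set statement. Suggest either a short phrase in the entry, e.g. "dynamic: set can be updated from the packet path (see Set statement)", or a separate row per flag, so that the table stands on its own.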
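Review bot: in hunk @@ -5519 the rewritten paragraph puts two different things under the same "must": the dynamic flag, which the commit message shows to be a hard requirement (without it the wrong set type is chosen and the set add rule fails to load), and size plus timeout, which the commit message itself phrases as "should have". Word the paragraph so the reader can tell the requirement from the recommendation, e.g. "must have been created with the dynamic flag, and should also specify a maximum size ... and a timeout ...". It would also help to show the declaration the failing example in the commit message was missing, along the lines of `add set ip filter protocols { type inet_proto; flags dynamic; timeout 1h; size 65535; }`, right before the sentence about dynamic blacklists.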
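The commit message shows the failure mode (a set used by `set add` that was declared without the dynamic flag) and states the two further properties such a set should carry. The following is an added example, not code from this patch or from the nftables project: a small shell/awk lint that reads a ruleset in `nft -f` syntax and reports every set referenced by an add/update statement that lacks `flags dynamic`, a `timeout` or a `size`. The sample ruleset is constructed for the example; the checker assumes one property per line and accepts both the `set add EXPR @NAME` spelling used in the commit message and the `add @NAME { EXPR }` spelling. It never loads anything into the kernel, so it runs unprivileged.

```shell
#!/bin/sh
# Added example, not netfilter/nftables code: a lint for rulesets in nft -f
# syntax that flags sets updated from the packet path without the properties
# the documentation asks for (flags dynamic, timeout, size). It only reads
# text, so it runs unprivileged and never touches the kernel.

# Constructed sample ruleset (assumption: plain nft -f layout, one property
# per line). "protocols" reproduces the failing case from the commit message,
# "ssh_clients" is declared as the text requires, "unbounded" has no size.
SAMPLE_RULESET='table ip filter {
    set protocols {
        type inet_proto
    }
    set ssh_clients {
        type ipv4_addr
        flags dynamic,timeout
        timeout 10m
        size 4096
    }
    set unbounded {
        type ipv4_addr
        flags dynamic
        timeout 1h
    }
    chain input {
        type filter hook input priority 0; policy accept;
        iifname lo set add ip protocol @protocols
        tcp dport 22 add @ssh_clients { ip saddr }
        ip saddr 10.0.0.0/8 set update ip saddr @unbounded
    }
}'

# check_dynamic_sets RULESET_TEXT
# Prints one sorted line per set named in an add/update statement:
#   <set>: ok                   dynamic flag, timeout and size all present
#   <set>: missing a,b          which of dynamic/timeout/size are absent
#   <set>: undefined            referenced but never declared
check_dynamic_sets() {
    printf '%s\n' "$1" | awk '
    # "set NAME {" opens a set declaration; remember the name.
    /^[ \t]*set[ \t]+[A-Za-z0-9_]+[ \t]*[{]/ {
        cur = $2; sub(/[{].*/, "", cur); defined[cur] = 1; next
    }
    # Properties inside the declaration body.
    cur != "" && $1 == "flags" && $0 ~ /(^|[ \t,])dynamic([ \t,]|$)/ { dyn[cur] = 1 }
    cur != "" && $1 == "timeout" { tmo[cur] = 1 }
    cur != "" && $1 == "size"    { siz[cur] = 1 }
    # First closing brace ends the body (assumes no multi-line elements block).
    cur != "" && /^[ \t]*[}]/ { cur = ""; next }
    # Rules that update a set from the packet path, in either spelling:
    # "... set add EXPR @NAME" (as in the commit message) or "add @NAME { EXPR }".
    cur == "" && /(^|[ \t])(add|update)[ \t]/ {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^@[A-Za-z0-9_]+$/) used[substr($i, 2)] = 1
    }
    END {
        for (s in used) {
            miss = ""
            if (!(s in dyn)) miss = miss "dynamic,"
            if (!(s in tmo)) miss = miss "timeout,"
            if (!(s in siz)) miss = miss "size,"
            if (!(s in defined)) { print s ": undefined"; continue }
            if (miss == "") print s ": ok"
            else print s ": missing " substr(miss, 1, length(miss) - 1)
        }
    }' | sort
}

check_dynamic_sets "$SAMPLE_RULESET"
```

Run against the sample it reports `protocols` as missing all three properties (the exact situation in the commit message), `unbounded` as missing only `size`, and `ssh_clients` as ok. Feeding it the output of `nft list ruleset` from a live host gives the same check over a deployed configuration.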