Hi Florian,

On Fri, Jan 31, 2020 at 11:05:58PM +0100, Florian Westphal wrote:
> Phil Sutter <phil@xxxxxx> wrote:
> > Hi Serguei,
> >
> > On Thu, Jan 30, 2020 at 05:12:07PM +0000, Serguei Bezverkhi (sbezverk) wrote:
> > [...]
> > >
> > > !
> > > ! -m recent --rcheck --seconds 10800 --reap --rsource - keywords I am looking for equivalent in nftables
> > > !
> > >
> > > -A KUBE-XLB-BAJ42O6WMSSB7YGA -m comment --comment "services-9837/affinity-lb-esipp-transition:" -m recent --rcheck --seconds 10800 --reap --name KUBE-SEP-JAOQ4ZBNFGZ34AZ4 --mask 255.255.255.255 --rsource -j KUBE-SEP-JAOQ4ZBNFGZ34AZ4
> > > -A KUBE-XLB-BAJ42O6WMSSB7YGA -m comment --comment "services-9837/affinity-lb-esipp-transition:" -m recent --rcheck --seconds 10800 --reap --name KUBE-SEP-WLHDVQTL57VBPURE --mask 255.255.255.255 --rsource -j KUBE-SEP-WLHDVQTL57VBPURE
> > > -A KUBE-XLB-BAJ42O6WMSSB7YGA -m comment --comment "services-9837/affinity-lb-esipp-transition:" -m recent --rcheck --seconds 10800 --reap --name KUBE-SEP-5XWCIKNI3M4MWAMU --mask 255.255.255.255 --rsource -j KUBE-SEP-5XWCIKNI3M4MWAMU
> >
> > There is no direct equivalent for recent extension in nftables (yet).
>
> Do we need one? All use cases I've seen can be handled via set infra.

Me neither, but in theory there are hard to achieve (--hitcount) or even missing (--rttl) features. Support in iptables-translate would be interesting, too, but that's a different kettle of fish. :)

Cheers, Phil
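
The set-based approach mentioned in the thread, sketched as an added example (it is not part of the original messages and not kube-proxy's own ruleset). Table, set and chain names are made up, and it assumes the per-endpoint chain is where the client address gets recorded, which the quoted rules do not show.

```nftables
# Added illustration: source-address affinity with nftables sets instead of
# "-m recent --rcheck --seconds 10800 --reap --rsource".
# All names below are hypothetical.
table ip affinity_demo {
    # One set per endpoint, standing in for one "--name" list each.
    # Key is the full IPv4 source address (--rsource with --mask 255.255.255.255).
    # Elements expire on their own after 3h = 10800s, so no --reap is needed.
    set sep_a_clients {
        type ipv4_addr
        flags dynamic,timeout
        timeout 3h
    }

    set sep_b_clients {
        type ipv4_addr
        flags dynamic,timeout
        timeout 3h
    }

    # Per-endpoint chains: remember the client, then hand over to the
    # endpoint's NAT rules (omitted here).
    # "update" adds the address or refreshes its timeout if already present.
    chain sep_a {
        update @sep_a_clients { ip saddr timeout 3h }
    }

    chain sep_b {
        update @sep_b_clients { ip saddr timeout 3h }
    }

    # Load-balancer chain: a plain set lookup replaces --rcheck. A client seen
    # within the last 3h goes back to the endpoint it used before.
    chain xlb {
        ip saddr @sep_a_clients jump sep_a
        ip saddr @sep_b_clients jump sep_b
        # New clients fall through to the normal endpoint selection (omitted).
    }
}
```

The file can be syntax-checked without touching the live ruleset using nft -c -f. The two features Phil names, --hitcount and --rttl, have no counterpart in this sketch.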