Hi, To solve this issue https://bugzilla.netfilter.org/show_bug.cgi?id=1462 I am trying to create a rule just like the one mentioned in the bug report. table inet dev { set ports_udp { type inet_service size 65536 flags dynamic,timeout timeout 30d elements = { 53 expires 29d23h58m25s672ms counter packets 35 bytes 2515, 389 expires 29d23h59m15s144ms counter packets 1 bytes 80, 515 expires 29d23h56m14s136ms counter packets 1 bytes 57, 1194 expires 29d23h58m18s460ms counter packets 2 bytes 84, 1504 expires 29d23h51m14s28ms counter packets 1 bytes 223, ... } To create the above I am doing: nft add table inet dev nft add set inet dev ports_udp { type inet_service\; size 65536\; flags dynamic, timeout\; timeout 30d\; } 1) There is no mention of the "dynamic" flag at https://wiki.nftables.org/wiki-nftables/index.php/Sets#Named_sets_specifications. What does it do and how is it useful? 2) I understand this statement "53 expires 29d23h58m25s672ms counter packets 35 bytes 2515" as "This element expires in 29d23h58m25s672ms and at port 53(DNS) we have received/sent 35 packets which make a total of 2515 bytes." Is my understanding of "counter" correct? are those packets received or sent or both? And how to apply a counter to an element in a set? Thanks Gopal
