Mikhail Morfikov <mmorfikov@xxxxxxxxx> wrote:
> Is there a way to implement the following mechanism in nftables?
>
> -A PREROUTING -m set --match-set wypad src -j SET --add-set wypad src --exist --timeout 86400
> -A PREROUTING ! -i lo -p tcp -m multiport --dports *some_ports* -j SET --add-set wypad src --timeout 3600
> -A PREROUTING -m set --match-set wypad src -j DROP
>
> Basically what this does is:
>
> - when someone tries to connect to the ports in the second rule,
>   his IP will be added to the ipset list with the 3600s timeout.
> - when he tries to connect for the next time within the timeout,
>   the timeout gets refreshed, now with 86400s.
> - if the IP is found on the list, it gets blocked.
>
> It's really easy to set this up in the case of iptables+ipset,
> but I couldn't really figure that out with nftables. So is it
> possible to do such a thing?

Should work:

table inet filter {
	set test {
		type ipv4_addr
		size 65535
		timeout 1h		# default lifetime of a newly added element
	}

	chain input {
		type filter hook input priority filter; policy accept;
		# known source: refresh its entry to 1d and drop
		ip saddr @test update @test { ip saddr timeout 1d } drop
		# first hit on a trap port: record the source (1h) and drop
		meta iif not "lo" tcp dport { 25, 80, 443 } add @test { ip saddr } drop
	}
}
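As an added example (not the reply's own ruleset), the same trap written as a complete file for `nft -f`, hooked at prerouting like the original iptables rules and covering IPv6 as well; the table and set names, the trap ports and the log prefix are placeholders.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread. Set names, trap ports and the log
# prefix are placeholders; use ports no legitimate client should reach.
flush ruleset

table inet trap {
	# "dynamic" declares that rules add/update elements at packet time,
	# "timeout" that each element expires on its own; the set-level 1h
	# is the default lifetime of a new element (--timeout 3600 above).
	set banned4 {
		type ipv4_addr
		flags dynamic,timeout
		size 65535
		timeout 1h
	}
	set banned6 {
		type ipv6_addr
		flags dynamic,timeout
		size 65535
		timeout 1h
	}

	chain prerouting {
		type filter hook prerouting priority -300; policy accept;
		iif "lo" accept

		# Rule 1: a listed source comes back within its timeout, so the
		# entry is refreshed to 1d (--exist --timeout 86400) and dropped.
		ip saddr @banned4 update @banned4 { ip saddr timeout 1d } counter drop
		ip6 saddr @banned6 update @banned6 { ip6 saddr timeout 1d } counter drop

		# Rule 2: first contact with a trap port records the source with the
		# set default (1h), logs it for the SOC and drops it. Rule 3's DROP
		# folds into this rule, since a fresh entry would match the set anyway.
		tcp dport { 2222, 2323 } add @banned4 { ip saddr } log prefix "trap-hit: " counter drop
		tcp dport { 2222, 2323 } add @banned6 { ip6 saddr } log prefix "trap-hit6: " counter drop
	}
}
```

After loading, `nft list set inet trap banned4` prints every entry with its remaining `expires` time, which is the quickest way to confirm that a second hit really moves an address from the 1h to the 1d lifetime.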