Dear nft developers. First, thank you for a very nice tool, and the extremely useful wiki. I have some (probably very naive) questions about the behavior of nft, which I did not find explained in the wiki or the man page (I am using version 0.9.2).

1) [Mainly for my curiosity] When two chains with the same hook and priority are defined across different tables, how is the evaluation order determined? Is it based on the name of the table? The order in which the chains were added?

2) If I do `include config_file` and config_file defines some $variables, are these variables still defined in the including file?

3) In the man page, it is stated that "Timeout and size are mandatory" for dynamic sets (i.e. sets that are added to via `add/update`). However in https://wiki.nftables.org/wiki-nftables/index.php/Meters it seems like there is now a new flag `dynamic`, which is not described in the man page or in https://wiki.nftables.org/wiki-nftables/index.php/Sets, that allows creating a "dynamic set". I guess these sets are automatically created with a fixed size (65536?). What happens if the size is overfilled? Are the older elements or the newer ones pruned? Also in https://wiki.nftables.org/wiki-nftables/index.php/Updating_sets_from_the_packet_path there are examples of sets added to dynamically without the dynamic flag set. Is it because it is now on by default, and the constant flag has to be provided to specify a constant set?

4) Does the rate limit depend on the units used? For instance, is `limit rate 1/second` the same as `limit rate 60/minute`? I could imagine that in the first version one token is removed from the bucket every second, while in the other version 60 tokens are removed every minute, so the average rate would be the same but the (default) burst different.

5) Still for sets, can an ipv6_addr set hold ipv4 addresses? This could allow something like
nft add rule my_filter_table my_input_chain tcp dport 22 ct state new add @my_ssh_meter { ip saddr limit rate 10/second } accept
to work for both ipv6 and ipv4.

6) What if instead of an ssh whitelist I wanted a blacklist. Would something like this work?
% nft add set my_filter_table my_ssh_meter { type ipv4_addr\; flags dynamic \;}
% nft add rule my_filter_table my_input_chain tcp dport 22 ct state new add @my_ssh_meter { ip saddr limit rate over 10/second } drop [*]
% nft add rule my_filter_table my_input_chain tcp dport 22 ct state new accept
Am I right in interpreting the rule [*] as saying that packets over the limit are added to the dynamic ssh_meter set, and then the whole list of ip saddr from @my_ssh_meter is dropped (including old ones which were above the limit but are not anymore)? And that packets that are below the limit go to the next rule, which accepts them?

7) Let's say I want to use a set to handle forwarding (from one interface $orig to the other $dest). So that instead of adding chains on a case-by-case basis like
nft add rule inet filter forward iifname $orig oifname $dest counter accept
nft add rule inet filter forward iifname $dest oifname $orig ct state related,established counter accept
I could have a set `my_forward_table { type ??? . ??? \; }` [I don't know if the set type exists for interface names]
nft add rule inet filter forward iifname . oifname @my_forward_table counter accept
But then for the reverse rule I would need the same set `reversed`.
nft add rule inet filter forward iifname . oifname @my_reversed_forward_table ct state related,established counter accept
Is this possible with nft? Or even a syntax that allows accessing a specific element position in a concatenated set?

-- 
Damien Robert
http://www.normalesup.org/~robert/pro
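As an added example (editor's code, not part of the post above nor of the nftables project), the following script assembles the per-source SSH meter from question 6 and the interface-pair set from question 7 into one ruleset file and dry-runs it with `nft -c -f`. It uses the poster's own meter syntax, a second ipv6_addr meter keyed on `ip6 saddr` because set types are fixed (an ipv6_addr set cannot hold ipv4 addresses, which is what question 5 asks), and a single `ifname . ifname` set that is looked up as `iifname . oifname` for the forward direction and as `oifname . iifname` for the reply direction, so no mirrored copy of the set is needed. Assumptions: the table, chain, set and interface names are placeholders; `size 65535` is an explicit guess at the default the poster mentions; and whether the `ifname` datatype accepts concatenation in nft 0.9.2 is exactly what the `nft -c` check is there to confirm on the reader's own system.

```shell
#!/bin/sh
# Added example, not from the mailing-list post or the nftables project.
# Writes an nftables ruleset covering questions 5, 6 and 7 of the post and
# dry-runs it with `nft -c -f` when nft is installed and we are root.
# Assumed names: table my_filter_table, chains my_input_chain/my_forward_chain,
# sets my_ssh_meter/my_ssh_meter6/my_forward_pairs, interfaces eth0/eth1.

write_ruleset() {
    # $1: output path. An `inet` table so one chain sees IPv4 and IPv6;
    # `ip saddr` / `ip6 saddr` then select the address family per rule.
    cat >"$1" <<'EOF'
table inet my_filter_table {
    # One meter per address family: set types are fixed, so an ipv6_addr
    # set cannot be keyed with IPv4 addresses (question 5).
    set my_ssh_meter {
        type ipv4_addr
        flags dynamic
        size 65535
    }
    set my_ssh_meter6 {
        type ipv6_addr
        flags dynamic
        size 65535
    }
    # Allowed (ingress, egress) interface pairs for forwarding (question 7).
    # Assumption: the ifname datatype accepts concatenation in this version.
    set my_forward_pairs {
        type ifname . ifname
        elements = { "eth0" . "eth1" }
    }
    chain my_input_chain {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        # Question 6: each source gets its own element with its own limit;
        # the rule matches, and drops, only when that source is over 10/s.
        tcp dport 22 ct state new add @my_ssh_meter { ip saddr limit rate over 10/second } drop
        tcp dport 22 ct state new add @my_ssh_meter6 { ip6 saddr limit rate over 10/second } drop
        tcp dport 22 ct state new accept
    }
    chain my_forward_chain {
        type filter hook forward priority 0; policy drop;
        # Forward direction: key is (iifname, oifname).
        iifname . oifname @my_forward_pairs counter accept
        # Reply direction: swap the key order instead of keeping a reversed set.
        oifname . iifname @my_forward_pairs ct state established,related counter accept
    }
}
EOF
}

check_ruleset() {
    # $1: ruleset path. Dry-run parse with nft; skipped (status 0) when nft
    # is absent or we lack the privileges nft needs to talk to the kernel.
    if ! command -v nft >/dev/null 2>&1; then
        echo "nft not installed; skipping syntax check" >&2
        return 0
    fi
    if [ "$(id -u)" -ne 0 ]; then
        echo "not root; skipping syntax check" >&2
        return 0
    fi
    nft -c -f "$1"
}

out=$(mktemp)
write_ruleset "$out"
check_ruleset "$out"
echo "ruleset written to $out"
```

The meter rule for question 6 does not build a list of offending addresses that is then dropped wholesale: `add @my_ssh_meter { ip saddr limit rate over 10/second }` creates or updates one element per source address, each carrying its own limit state, and the rule matches only for a source whose own rate is currently above the limit, so a source that calms down falls through to the accept rule again. For the interface pairs, the lookup key is just the concatenation of two 16-byte interface names, which is why writing the reply-direction key as `oifname . iifname` against the same set replaces the `my_reversed_forward_table` the post asks about.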