On Tue, Oct 29, 2019 at 11:23:40AM +1100, Trent W. Buck wrote:
> Matt <matt-nft@xxxxxxxxxxxx> writes:
>
> > Then I add the following sample element to it:
> > /usr/sbin/nft add set ip filter_v4 my_drop \{type ipv4_addr \; flags
> > timeout \; elements=\{a.b.c.d timeout 600s \} \;\}
> >
> > All good so far, a.b.c.d is counting down as expected,
> > beginning with 10min.
> > But when I wait - say 1 minute - and repeat the 'nft add set ... 600s'
> > command from above, then the timer remains unchanged (?)
> > It looks as if the timer cannot get changed anymore once it has been
> > initialized.
>
> I think you are right, but see this recent commit (in 0.9.2+):
>
> 24f33c7 2019-06-17 18:15 +0200 LGL
> src: enable set expiration date for set elements
>
> https://git.netfilter.org/nftables/commit/?id=24f33c7
>
> ...which sounds like there is a new (as-yet-undocumented?) keyword for
> changing (as opposed to initializing) the timeout of a set element.

It's "update", i.e. use update instead of add to get the timeout to reset.

Needs kernel 5.3 IIRC.

Cheers ... Duncan.