On 01/03/2020 16:33, jon_netfilter@xxxxxxxxxxxxxxxxx wrote:
> Hi everyone!
> I have been trying to transition to nftables from iptables, and I have
> some questions regarding the syntax and usage of sets and their nature,
> to which I could find no answers in the documentation on the nftables
> wiki or the man page of my distribution (debian sid). Thanks in advance
> for those reading!
I think that I can help with the first two questions, at least.
> My versions:
> - nftables v0.9.3 (Topsy)
> - kernel 5.4.13
> 1) what is the most up-to-date documentation or version of the man page?
> For instance, the man page at netfilter.org says it was updated on March
> 21 2018, and doesn't mention things like the dynamic flag for sets. I
> see that there's been a commit adding an explanation for the "ct count"
> expression at [1], but I don't see it included in any man page I could
> find.
The asciidoc sources are here:
https://git.netfilter.org/nftables/tree/doc.
> 2) what does the dynamic flag for sets actually do?
> In debian sid's nft man page, it says this:
>> The set statement is used to dynamically add or update elements in a
>> set from the packet path. The set setname must already exist in the
>> given table and **must have been created with the dynamic flag**.
As you have deduced, this isn't true. The following commit has occurred
since:
https://git.netfilter.org/nftables/commit/doc?id=dacab91
> Note my emphasis. However, I've tried this, and rules which modify set
> contents from "the packet path" work without having to set the dynamic
> flag for the set that is used (see [2]). After some more
> experimentation, it seems that the dynamic flag *is* required for using
> the limit and conntrack expressions. Which brings me to my next question.
Yes, it is confusing. The general definition would be that it allows for
sets (and maps) to contain elements that are stateful objects in and as
of themselves. For instance, an element that has a timeout policy
attached would be stateful in nature.
--
Kerin Millar
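The distinction discussed above, as an added example ruleset that is not part of this thread: a plain set with `flags timeout` is updated from the packet path without `dynamic`, while the sets whose elements carry a `limit` or `ct count` state are declared `flags dynamic`. The table, set and chain names (`inet filter`, `seen`, `ssh_meter`, `ct_per_src`) and the rate and count thresholds are constructed for illustration.

```nft
# Added example for nftables 0.9.x; names and thresholds are assumptions.
table inet filter {
    # Plain set: elements are just addresses with a per-element timeout.
    # It can be filled from the packet path with "update" without "flags dynamic".
    set seen {
        type ipv4_addr
        flags timeout
    }

    # Dynamic set: each element carries its own rate-limit state.
    set ssh_meter {
        type ipv4_addr
        flags dynamic
        timeout 5m
        size 65535
    }

    # Dynamic set: each element carries its own conntrack counter state.
    set ct_per_src {
        type ipv4_addr
        flags dynamic
        size 65535
    }

    chain input {
        type filter hook input priority 0; policy accept;
        ct state established,related accept

        # Record every source that opens a new connection to port 22 (1h expiry).
        tcp dport 22 ct state new update @seen { ip saddr timeout 1h }

        # Drop new SSH connections from a source exceeding 3 per minute (burst 5);
        # the per-source limit state lives inside the dynamic set element.
        tcp dport 22 ct state new add @ssh_meter { ip saddr limit rate over 3/minute burst 5 packets } counter drop

        # Drop when a single source holds more than 10 tracked connections;
        # "ct count" likewise needs a stateful (dynamic) element.
        ct state new add @ct_per_src { ip saddr ct count over 10 } counter drop
    }
}
```

Load with `nft -f <file>` and inspect the per-source state with `nft list set inet filter ssh_meter`; removing `flags dynamic` from `ssh_meter` or `ct_per_src` makes the load fail, whereas `seen` needs no such flag.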