Hi,
As an nftables newbie I was a bit surprised to discover that defining a
set as static prevents adding or deleting elements not only from the
packet path but also from the nft command line:
# nft add element ip ip_filter static_set { a.b.c.d }
Error: Could not process rule: Device or resource busy
This is easily remedied by defining the set as dynamic instead.
So now I wonder: why not define every set as dynamic? That would allow
modification of any set's elements without having to reload the entire
firewall -- thereby preserving accumulated counters and other stateful
objects. Would performance and/or memory usage take a significant hit by
doing this?
Thanks,
Frank
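An added example (not part of Frank's message) showing the three kinds of set the question touches on side by side: a plain set edited from the command line, a set with `flags constant`, and a set with `flags dynamic` filled from the packet path. It assumes the "static" set in the question was declared with `flags constant`, which is the flag that makes the kernel refuse later element changes; the table, set, counter names and addresses are made up for illustration.

```nft
#!/usr/sbin/nft -f
# Added example, not the original poster's ruleset. Assumes the "static" set
# in the question carried "flags constant"; all names and addresses are made up.
flush ruleset

table inet filter {
    # Named counter. "nft add element" leaves it untouched; reloading this
    # file with "nft -f" re-runs "flush ruleset" and zeroes it.
    counter ssh_new {}

    # Plain set: elements can be added and deleted with "nft add/delete element"
    # without any dynamic flag, but rules cannot insert into it.
    set blocklist {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24, 198.51.100.7 }
    }

    # Constant set: once a rule references it, the kernel rejects element
    # changes with EBUSY ("Device or resource busy").
    set fixed_allow {
        type ipv4_addr
        flags constant
        elements = { 203.0.113.10 }
    }

    # Dynamic set: populated by a rule at packet time; entries expire after
    # the timeout so it cannot grow without bound.
    set ssh_abusers {
        type ipv4_addr
        flags dynamic,timeout
        timeout 10m
    }

    chain input {
        type filter hook input priority filter; policy drop;

        ct state established,related accept
        iif lo accept

        ip saddr @blocklist drop
        ip saddr @ssh_abusers drop

        # Packet-path insertion: this is the case that requires "flags dynamic".
        tcp dport 22 ct state new counter name ssh_new add @ssh_abusers { ip saddr limit rate over 3/minute } drop

        tcp dport 22 ct state new ip saddr @fixed_allow accept
    }
}
```

With this loaded, `nft add element inet filter blocklist { 198.51.100.99 }` succeeds even though `blocklist` has no dynamic flag, while the same command against `fixed_allow` fails with "Device or resource busy" because of `flags constant`. Only `ssh_abusers` needs `dynamic`, and only because a rule adds to it. Editing elements in place keeps `ssh_new` and the conntrack-related state intact, whereas reloading the whole file resets them, which is the trade-off the question is asking about.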