On Sun, Apr 5, 2020 at 10:26 PM Alvaro Leiva <alvaroflmiranda@xxxxxxxxx> wrote:
>
> thanks for helping me, would you care to show me a basic example, I
> have been reading the wiki and I got a bit confused, I barely know nft
> since a day ago, thanks again
>

Hi,

Deleting and adding a new element with timeout and expiration date is very simple:

% nft delete element inet myfilter myset { 10.0.0.1 }
% nft add element inet myfilter myset { 10.0.0.1 timeout 7s expires 5s }

(according to the wiki example. Please check it out again, I've completed the page)

Via packet path, please see below an example with connlimit which was shown on the list some time ago. In this case, the _dynamic_ flag is set.

table ip my_filter_table {
	set my_connlimit {
		type ipv4_addr
		size 65535
		flags dynamic,timeout
		timeout 10m
		elements = { 10.255.255.3 expires 6m16s920ms counter packets 1848 bytes 173538,
			     13.55.50.68 expires 7m7s746ms counter packets 1 bytes 76,
			     216.58.199.34 expires 3m9s590ms counter packets 2 bytes 120,
			     216.58.199.78 expires 8m10s1ms counter packets 1 bytes 60 }
	}

	chain my_output_chain {
		type filter hook output priority filter; policy accept;
		# reset the expiration time to the timeout from packet path every time the same source address hits this rule
		ct state new add @my_connlimit { ip daddr counter } accept
	}
}

Cheers.
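
Added example, not part of the original message or of nftables: a Python parser for a set listing like the one above, which turns each element's "expires" value into milliseconds and derives how long ago the entry was added or refreshed (timeout minus expires). The names duration_ms, parse_set and SAMPLE are hypothetical, and the sample listing is constructed from the values in the message.

```python
import re

UNIT_MS = {"d": 86_400_000, "h": 3_600_000, "m": 60_000, "s": 1_000, "ms": 1}
ELEMENT = re.compile(
    r"(?P<addr>\d+(?:\.\d+){3})"
    r"(?:\s+timeout\s+(?P<timeout>[0-9dhms]+))?"
    r"(?:\s+expires\s+(?P<expires>[0-9dhms]+))?"
    r"(?:\s+counter\s+packets\s+(?P<packets>\d+)\s+bytes\s+(?P<bytes>\d+))?")

def duration_ms(text):
    """Convert an nft duration such as '6m16s920ms' to milliseconds."""
    if not re.fullmatch(r"(?:\d+(?:ms|d|h|m|s))+", text):
        raise ValueError(f"not an nft duration: {text!r}")
    return sum(int(n) * UNIT_MS[u] for n, u in re.findall(r"(\d+)(ms|d|h|m|s)", text))

def parse_set(listing):
    """Return (set_timeout_ms, elements) for one set in `nft list` output."""
    default = re.search(r"^\s*timeout\s+([0-9dhms]+)\s*$", listing, re.M)
    default_ms = duration_ms(default.group(1)) if default else None
    body = re.search(r"elements\s*=\s*\{(.*?)\}", listing, re.S)
    elements = []
    for item in (body.group(1).split(",") if body else []):
        m = ELEMENT.search(item)
        if not m:
            continue
        # A per-element timeout overrides the set-wide default.
        timeout = duration_ms(m["timeout"]) if m["timeout"] else default_ms
        expires = duration_ms(m["expires"]) if m["expires"] else None
        elements.append({
            "addr": m["addr"], "timeout_ms": timeout, "expires_ms": expires,
            # Time since the element was added or last refreshed.
            "age_ms": timeout - expires if None not in (timeout, expires) else None,
            "packets": int(m["packets"]) if m["packets"] else None,
            "bytes": int(m["bytes"]) if m["bytes"] else None,
        })
    return default_ms, elements

# Constructed sample in the shape of the listing in the message above.
SAMPLE = """set my_connlimit {
    type ipv4_addr
    flags dynamic,timeout
    timeout 10m
    elements = { 10.255.255.3 expires 6m16s920ms counter packets 1848 bytes 173538,
                 13.55.50.68 expires 7m7s746ms counter packets 1 bytes 76,
                 216.58.199.34 expires 3m9s590ms counter packets 2 bytes 120 }
}"""

if __name__ == "__main__":
    for e in parse_set(SAMPLE)[1]:
        print(e["addr"], "expires in", e["expires_ms"], "ms, age", e["age_ms"], "ms")
```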