Thank you so much Laura! One last thing 😬: is this delete and add
operation atomic? Does it ensure that no packet would be dismissed?

On Mon, Apr 6, 2020 at 4:13 AM Laura Garcia <nevola@xxxxxxxxx> wrote:
>
> On Sun, Apr 5, 2020 at 10:26 PM Alvaro Leiva <alvaroflmiranda@xxxxxxxxx> wrote:
> >
> > Thanks for helping me. Would you care to show me a basic example? I
> > have been reading the wiki and I got a bit confused. I have barely
> > known nft since a day ago. Thanks again.
> >
>
> Hi, deleting and adding a new element with timeout and expiration date
> is very simple:
>
> % nft delete element inet myfilter myset { 10.0.0.1 }
> % nft add element inet myfilter myset { 10.0.0.1 timeout 7s expires 5s }
> (according to the wiki example. Please check it out again, I've
> completed the page)
>
> Via packet path, please see below an example with connlimit which was
> shown on the list some time ago. In this case, the _dynamic_ flag is set.
>
> table ip my_filter_table {
>     set my_connlimit {
>         type ipv4_addr
>         size 65535
>         flags dynamic,timeout
>         timeout 10m
>         elements = { 10.255.255.3 expires 6m16s920ms counter packets 1848 bytes 173538,
>                      13.55.50.68 expires 7m7s746ms counter packets 1 bytes 76,
>                      216.58.199.34 expires 3m9s590ms counter packets 2 bytes 120,
>                      216.58.199.78 expires 8m10s1ms counter packets 1 bytes 60 }
>     }
>
>     chain my_output_chain {
>         type filter hook output priority filter; policy accept;
>         # reset the expiration time to the timeout from packet path every
>         # time the same source address hits this rule
>         ct state new add @my_connlimit { ip daddr counter } accept
>     }
> }
>
> Cheers.
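
An added example, not part of the original thread: nft applies all commands read with `-f` as a single transaction, so the delete and add from the quoted reply can be sent as one batch that either takes effect completely or not at all. The function names are hypothetical; the table and set names are the ones used in the reply, and the inputs are checked before being written into nft syntax.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical;
# "inet myfilter myset" is the table/set used in the quoted reply.

# Accept only a dotted-quad IPv4 address, so nothing else can be
# interpolated into the nft command text.
is_ipv4() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Character whitelist for durations such as 7s or 6m16s920ms.
# nft itself still does the full syntax check.
is_duration() {
    case $1 in ''|*[!0-9dhms]*|[!0-9]*|*[0-9]) return 1 ;; esac
}

# Print the two commands as one batch; print nothing and fail on bad input.
build_refresh_batch() {
    addr=$1 timeout=$2 expires=$3
    is_ipv4 "$addr" && is_duration "$timeout" && is_duration "$expires" || return 1
    printf 'delete element inet myfilter myset { %s }\n' "$addr"
    printf 'add element inet myfilter myset { %s timeout %s expires %s }\n' \
        "$addr" "$timeout" "$expires"
}

# Apply the batch in a single transaction ("-f -" reads it from stdin).
refresh_element() {
    batch=$(build_refresh_batch "$@") || return 1
    printf '%s\n' "$batch" | nft -f -
}
```

Calling `refresh_element 10.0.0.1 7s 5s` as root applies the batch; if the element does not exist, the delete fails and the add is not applied either.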