Re: Updating set elements from command line

On Saturday, October 8th, 2022 at 21:39, Kerin Millar <kfm@xxxxxxxxxxxxx> wrote:
> Firstly, for reasons of efficiency and atomicity, you should compose a command stream that is executed once by nft(8). Here is one example of how to go about it.
> 
> {
> echo "add element ip filter doh_ipv4 {"
> curl https://some/ip4.list | paste -d, -s -
> echo "}"
> } | nft -f -

Thanks for that.  An earlier version of my script built a single blob command similar in function to that, but I stripped it down in my email examples for clarity.  I will cherry-pick your example and clean up my code.

> As you pointed out, there does not appear to be any way to "update" other than in the packet path. One applicable kludge would be to enable auto-merge, along with the interval flag.
> 
> table ip filter {
>     set doh_ipv4 {
>         type ipv4_addr
>         flags interval,timeout
>         counter
>         auto-merge
>         timeout 3d
>     }
> }
> 
> Given such a set, re-adding an existing /32 will reset the timeout to 3d (the timeout need not be specified by the add element command). Unfortunately, its counters will be reset to 0 also, so this method confers no advantage over keeping the set as it currently stands and, instead, incorporating a flush command into the stream conveyed to nft(8).

Aha, I hadn't realized that you could use intervals with auto-merge like that; this does open up some possibilities.

> In summary, I think that nftables would need to be changed in order to support your use case, and that it ought to be.

Yeah, it seems to me that this is simply an oversight.

My current experiments are playing with adding a dummy rule, updating via the in-path solution via a netcat packet, then deleting the rule.  We'll see how it goes.

nft add rule ... udp dport 12345 update @doh_ipv4 { ip daddr timeout 3d } drop
for ip in ...; do
    # an empty datagram is enough to hit the rule; the rule must sit in a chain
    # on the output hook so the locally generated packet actually traverses it
    echo | nc -4 -u -w 1 "$ip" 12345
done
nft delete rule ...

Eric
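The single-transaction refresh Kerin recommends (one command stream handed to nft(8) once, with the flush folded into it instead of per-element nft calls), as an added example that is not code from either participant. It keeps the table and set names from the thread and substitutes a constructed sample list for the curl download. The one piece that is not in the thread is the only_ipv4 filter, and it is there for a reason: "curl ... | nft -f -" executes whatever the list contains, so a hostile or mangled list could inject arbitrary nft commands into the batch. Whitelisting the tokens closes that.

```shell
#!/bin/sh
# Added example, not code from the thread: turn an address list into ONE
# nft(8) batch that (re)declares the set, flushes it and re-adds every
# element in a single transaction. Table "filter" and set "doh_ipv4" are
# taken from the thread; sample_list() is constructed stand-in data for
# what "curl https://some/ip4.list" would return.
set -eu

# Constructed sample of a downloaded list: CRLF, a blank line, a comment
# and an IPv6 address are all things a real list can contain.
sample_list() {
    printf '1.1.1.1\r\n8.8.8.8\n\n# comment line\n9.9.9.9/32\n2606:4700::1111\n'
}

# Keep only plain IPv4 addresses or /0-/32 prefixes, one per line, deduplicated.
# Everything else is dropped, so nothing in the list can reach nft -f as a
# command (a bare "curl | nft -f -" would execute it).
only_ipv4() {
    tr -d '\r' \
        | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/([0-9]|[12][0-9]|3[0-2]))?$' \
        | sort -u
}

# build_batch TABLE SET  (address list on stdin) -> batch text on stdout.
# The table block is idempotent: it creates the table/set if missing and is a
# no-op if the set already exists with this definition. The flush and the add
# that follow are committed together with it in one transaction.
build_batch() {
    tbl=$1
    set_name=$2
    elems=$(only_ipv4 | paste -d, -s -)
    printf 'table ip %s {\n' "$tbl"
    printf '\tset %s {\n' "$set_name"
    printf '\t\ttype ipv4_addr\n'
    printf '\t\tflags interval,timeout\n'
    printf '\t\tcounter\n'
    printf '\t\tauto-merge\n'
    printf '\t\ttimeout 3d\n'
    printf '\t}\n}\n'
    printf 'flush set ip %s %s\n' "$tbl" "$set_name"
    if [ -n "$elems" ]; then
        printf 'add element ip %s %s { %s }\n' "$tbl" "$set_name" "$elems"
    fi
}

# apply_batch TABLE SET  (list on stdin): dry-run the whole batch with nft -c,
# then hand the same text to nft -f - exactly once. Needs root and nft(8).
apply_batch() {
    list=$(cat)
    batch=$(printf '%s\n' "$list" | build_batch "$1" "$2")
    printf '%s\n' "$batch" | nft -c -f - && printf '%s\n' "$batch" | nft -f -
}

# Offline demo: print the batch that would be fed to nft -f -.
# Live use:  curl -fsS https://some/ip4.list | apply_batch filter doh_ipv4
sample_list | build_batch filter doh_ipv4
```

Because flush and add land in the same transaction, the packet path never sees an empty set between the two, and a parse error anywhere in the batch rejects the whole thing rather than leaving the set half-loaded. As noted above, the element counters do start from zero again after the flush; the batch only removes the window and the per-element nft invocations, it does not preserve state.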




