On Fri, 18 Oct 2024, at 8:30 PM, Telbat Diordna wrote:
> In iptables there exists the recent module (-m recent). This gives you
> the possibility to add and remove IP addresses in rulesets (usually
> blocklists). The advantage of this method is that you can allow
> access via FACLs to ordinary users for selected configuration items.
> E.g.:
> echo +/- <ip> > /proc/net/xt_recent/<iptname>
>
> It looks like there is no recent module in nftables. How can I use
> nftables in a similar way?
>
> Thanks for any information/link etc.

That's an interesting use case (that of defining FACLs). Manipulating an nftables ruleset requires the CAP_NET_ADMIN capability. The only thing that I can think of is to write a program that would compose and dispatch the necessary set-manipulating commands through nft(8) or netlink(7), while exposing a simple command-line interface to its users. The binary could be granted the CAP_NET_ADMIN capability with the setcap(8) utility and either:

a) be limited to the relevant users and/or groups with chmod and chown
b) perform its own user and/or group membership checks upon execution

Unfortunately, this technique cannot be applied to executable scripts (BINFMT_SCRIPT), so the binary would need to be an ELF.

-- 
Kerin Millar
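As an added illustration of the helper binary sketched in the reply above (this is example code, not something posted in the thread or shipped with nftables), here is a minimal ELF wrapper that mirrors `echo +/- <ip> > /proc/net/xt_recent/<name>` for one nftables set. It validates that the second argument is a bare IPv4 address, so a caller cannot smuggle extra nft syntax into the command, performs its own group-membership check (option b), and then execs nft(8). The table `inet filter`, the set `blocklist`, the group `nftblock` and the path `/usr/sbin/nft` are assumptions, not values from the thread. One caveat that the reply does not spell out: a file capability is not carried across execve into nft by default, so the wrapper must have CAP_NET_ADMIN in its inheritable set as well (`setcap cap_net_admin=eip`) and raise it into the ambient set before exec; the code below does that.

```c
/* Added example (not from the thread): a CAP_NET_ADMIN helper that lets
 * members of one group add or remove a single IPv4 address in one nftables
 * set. Assumed (not from the thread): table "inet filter", set "blocklist"
 * of type ipv4_addr, group "nftblock", nft at /usr/sbin/nft.
 *
 * Setup (as root):
 *   nft add table inet filter
 *   nft add set inet filter blocklist '{ type ipv4_addr; }'
 *   gcc -O2 -o nftrecent nftrecent.c
 *   chown root:nftblock nftrecent && chmod 0750 nftrecent
 *   setcap cap_net_admin=eip nftrecent   # 'i' so it can be passed on to nft
 * Use:  ./nftrecent + 192.0.2.10    or    ./nftrecent - 192.0.2.10
 */
#include <arpa/inet.h>
#include <grp.h>
#include <linux/capability.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <unistd.h>

#define NFT_BIN       "/usr/sbin/nft"   /* assumed path */
#define NFT_TABLE     "inet filter"     /* assumed table */
#define NFT_SET       "blocklist"       /* assumed set of type ipv4_addr */
#define ALLOWED_GROUP "nftblock"        /* assumed group */

/* "+" -> add, "-" -> delete, anything else -> NULL (rejected). */
const char *action_verb(const char *action)
{
    if (action == NULL) return NULL;
    if (strcmp(action, "+") == 0) return "add";
    if (strcmp(action, "-") == 0) return "delete";
    return NULL;
}

/* Only a plain dotted-quad IPv4 address is accepted: no prefixes, ranges,
 * names or trailing tokens, so no extra nft syntax can reach the command. */
int valid_ipv4(const char *s)
{
    struct in_addr a;
    return s != NULL && inet_pton(AF_INET, s, &a) == 1;
}

/* Builds e.g. "add element inet filter blocklist { 192.0.2.10 }" into out.
 * Returns 0 on success, -1 if the request is rejected or does not fit. */
int format_nft_command(const char *action, const char *ip, char *out, size_t outlen)
{
    const char *verb = action_verb(action);
    if (verb == NULL || !valid_ipv4(ip)) return -1;
    int n = snprintf(out, outlen, "%s element %s %s { %s }", verb, NFT_TABLE, NFT_SET, ip);
    return (n > 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Membership check done by the binary itself (option b in the reply):
 * true if the caller's effective gid or any supplementary gid is `name`. */
int caller_in_group(const char *name)
{
    struct group *g = getgrnam(name);
    if (g == NULL) return 0;
    if (getegid() == g->gr_gid) return 1;
    int n = getgroups(0, NULL);
    if (n <= 0) return 0;
    gid_t *gids = calloc((size_t)n, sizeof *gids);
    if (gids == NULL) return 0;
    n = getgroups(n, gids);
    int found = 0;
    for (int i = 0; i < n; i++)
        if (gids[i] == g->gr_gid) { found = 1; break; }
    free(gids);
    return found;
}

int main(int argc, char **argv)
{
    char cmd[128];
    if (argc != 3 || format_nft_command(argv[1], argv[2], cmd, sizeof cmd) != 0) {
        fprintf(stderr, "usage: %s +|- <ipv4-address>\n", argv[0]);
        return 2;
    }
    if (!caller_in_group(ALLOWED_GROUP)) {
        fprintf(stderr, "not a member of group %s\n", ALLOWED_GROUP);
        return 1;
    }
    /* File capabilities do not survive execve into an uncapable binary such as
     * nft. Raising CAP_NET_ADMIN into the ambient set makes the child keep it;
     * this requires the capability in the inheritable set ("=eip" above). */
    if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, CAP_NET_ADMIN, 0, 0) != 0) {
        perror("prctl(PR_CAP_AMBIENT_RAISE)");
        return 1;
    }
    /* nft joins its non-option arguments into one command line, so a single
     * pre-validated argument is sufficient. */
    execl(NFT_BIN, "nft", cmd, (char *)NULL);
    perror("execl");
    return 1;
}
```

Because the validation and the command construction are separate from the exec, the wrapper can never hand nft anything other than `add element ... { a.b.c.d }` or `delete element ... { a.b.c.d }`, which is what keeps the delegated CAP_NET_ADMIN scoped to that one set.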