Hi Laura, How come we would need an upstream kernel patch?
It seems like this can be done in the packet path, but I want to do it outside of the packet path. Ref: https://wiki.nftables.org/wiki-nftables/index.php/Updating_sets_from_the_packet_path I essentially want to update the timeout of a set element from the userspace `nft` command. Fran On Thu, Jul 25, 2019 at 7:24 AM Laura Garcia <nev...@gmail.com> wrote: > > On Tue, Jul 23, 2019 at 1:10 AM Fran Fitzpatrick > <francis.x.fitzpatr...@gmail.com> wrote: > > > > This morning I was using the `timeout` feature of nftables, but came > > across an apparent limitation where I was not able to update an > > element in a set's timeout value unless I removed the element from the > > set. > > > > Can it be possible to handle the element timeout value without needed > > to remove it from a set? > > > > [root@fedora29 vagrant]# nft add element inet filter myset {10.0.0.1 > > timeout 1m } > > [root@fedora29 vagrant]# nft add element inet filter myset {10.0.0.1 > > timeout 10m } > > [root@fedora29 vagrant]# nft list ruleset > > table inet filter { > > set myset { > > type ipv4_addr > > flags timeout > > elements = { 10.0.0.1 timeout 1m expires 59s542ms } > > } > > } > > Hi, > > The timeout attribute per element is designed to be created as a > constant value where the expiration is calculated and reseted to the > timeout value during an element update. I don't know exactly your use > case but what you're able to do is something like: > > nft add element inet filter myset {10.0.0.1 timeout 10m } > > Where the timeout would be the max reachable value, and then update > the expiration date: > > nft add element inet filter myset {10.0.0.1 expires 1m } > > For this, you would need an upstream kernel and nftables. > > Cheers!
