On Tue, Jul 23, 2019 at 1:10 AM Fran Fitzpatrick
<[email protected]> wrote:
>
> This morning I was using the `timeout` feature of nftables, but came
> across an apparent limitation where I was not able to update an
> element in a set's timeout value unless I removed the element from the
> set.
>
> Can it be possible to handle the element timeout value without needing
> to remove it from a set?
>
> [root@fedora29 vagrant]# nft add element inet filter myset {10.0.0.1 timeout 1m }
> [root@fedora29 vagrant]# nft add element inet filter myset {10.0.0.1 timeout 10m }
> [root@fedora29 vagrant]# nft list ruleset
> table inet filter {
> set myset {
> type ipv4_addr
> flags timeout
> elements = { 10.0.0.1 timeout 1m expires 59s542ms }
> }
> }
Hi,
The timeout attribute per element is designed to be created as a
constant value where the expiration is calculated and reset to the
timeout value during an element update. I don't know your use case
exactly, but what you're able to do is something like:
nft add element inet filter myset {10.0.0.1 timeout 10m }
Where the timeout would be the max reachable value, and then update
the expiration date:
nft add element inet filter myset {10.0.0.1 expires 1m }
For this, you would need an upstream kernel and nftables.
Cheers!
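One way to operationalise the pattern from the reply (create the element once with a large constant timeout, then move only its expiry), as an added example that is not part of this thread: a small Python helper that reads the set from `nft -j` JSON and emits `expires` refresh commands for elements that are close to timing out. The JSON layout (an `elem` object with `val`, `timeout` and `expires` in seconds) is an assumption based on libnftables' JSON output, the sample document is constructed, and the `expires` keyword in `add element` is the one used in the reply above.

```python
import json
import subprocess

# Constructed sample in the shape of `nft -j list set inet filter myset`.
# Assumed format (libnftables JSON): timeout and expires are in seconds.
SAMPLE_JSON = json.dumps({"nftables": [
    {"metainfo": {"json_schema_version": 1}},
    {"set": {"family": "inet", "table": "filter", "name": "myset",
             "type": "ipv4_addr", "flags": ["timeout"],
             "elem": [
                 {"elem": {"val": "10.0.0.1", "timeout": 600, "expires": 59}},
                 {"elem": {"val": "10.0.0.2", "timeout": 600, "expires": 420}},
             ]}},
]})


def parse_set_elements(nft_json):
    """Return {addr: (timeout_s, expires_s)} for every element of the set."""
    doc = json.loads(nft_json)
    elems = {}
    for obj in doc["nftables"]:
        for e in obj.get("set", {}).get("elem", []):
            # Elements without a timeout appear as bare values (e.g. a string).
            inner = e["elem"] if isinstance(e, dict) and "elem" in e else {"val": e}
            elems[str(inner["val"])] = (inner.get("timeout"), inner.get("expires"))
    return elems


def refresh_commands(nft_json, family, table, name, min_remaining_s, new_expires):
    """Build one `nft add element ... expires` command per element whose
    remaining lifetime is below min_remaining_s.  The element's constant
    timeout is left alone; only its expiry is moved, as in the reply."""
    cmds = []
    for addr, (_timeout, expires) in parse_set_elements(nft_json).items():
        if expires is not None and expires < min_remaining_s:
            cmds.append(f"nft add element {family} {table} {name} "
                        f"{{ {addr} expires {new_expires} }}")
    return cmds


def apply(cmds, dry_run=True):
    """Print the commands, or run them (no shell, so braces need no quoting)."""
    for c in cmds:
        if dry_run:
            print(c)
        else:
            subprocess.run(c.split(), check=True)


if __name__ == "__main__":
    apply(refresh_commands(SAMPLE_JSON, "inet", "filter", "myset", 120, "5m"))
```

Running against a live system means replacing `SAMPLE_JSON` with the output of `nft -j list set inet filter myset` and passing `dry_run=False`, which needs the upstream kernel and nftables mentioned in the reply.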