SpecialistOff.NET / Вопросы / Статьи / Фрагменты кода / Резюме / Метки / Помощь / Файлы

Element timeouts

Метки: nft nftables межсетевой экран

Оригинал статьи: https://wiki.nftables.org/wiki-nftables/index.php/Element_timeouts

The set infrastructure support establishing timeouts. A given timed set element has 2 attributes:

• timeout: This time value, in seconds (10s), in minutes (12m), in hours (2h) or combination of all of them (2h12m10s), does not change and will be used to reset the expires value when required.
• expires: This value is a countdown time counter which starts with the timeout value, and could be reset from the packet path or the element will be deleted when it reaches the 0 value.

Example, with per-element timeout:

% nft add table inet myfilter
% nft add set inet myfilter myset {type ipv4_addr\; flags timeout\; }
% nft add element inet myfilter myset {10.0.0.1 timeout 10s }
% nft list ruleset
table inet myfilter {
	set myset {
		type ipv4_addr
		flags timeout
		elements = { 10.0.0.1 timeout 10s expires 8s}
	}
}

timeout and expires parameters cannot be modified in this case. The element should be recreated again if you need to reset them.

% nft delete element inet myfilter myset { 10.0.0.1 }
% nft add element inet myfilter myset { 10.0.0.1 timeout 7s expires 5s }

In order to be able to reset it from packet path among other things you can use this feature by Updating sets from the packet path.