bugzilla-daemon at netfilter.org
2020-Sep-23  10:13 UTC
[Bug 1467] New: [sets] support adaptive (escalating) rule(s)
https://bugzilla.netfilter.org/show_bug.cgi?id=1467
            Bug ID: 1467
           Summary: [sets] support adaptive (escalating) rule(s)
           Product: nftables
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: vtolkm at gmail.com
Once bug #1466 is sorted, consider support for adaptive (escalating) rule(s) based on element counters, e.g.
* if { saddr counter N } then { set element timeout } multiply by or add timeout factor (N1)
* if { saddr counter N *|+ N1 } then lookup saddr's cidr in geoip db and update saddr to cidr range
* if { saddr cidr range counter N } then lookup saddr cidr range in geoip db and update saddr to ASN
* if { saddr ASN counter N } then lookup ASN in geoip db and update saddr to ISP's ASN range
-- 
You are receiving this mail because:
You are watching all bug changes.
bugzilla-daemon at netfilter.org
2020-Sep-23  10:31 UTC
[Bug 1467] [sets] support adaptive (escalating) rule(s)
https://bugzilla.netfilter.org/show_bug.cgi?id=1467
--- Comment #1 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Hi,
In your dialect below, does counter N mean bump the counter whose name is N, or match packet / byte counters?
If you could describe this too in natural language, I'd appreciate it. I'd like to make sure I'm on the same page as you are.
Thanks.
bugzilla-daemon at netfilter.org
2020-Sep-23  10:51 UTC
[Bug 1467] [sets] support adaptive (escalating) rule(s)
https://bugzilla.netfilter.org/show_bug.cgi?id=1467
vtolkm at gmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |WONTFIX
--- Comment #2 from vtolkm at gmail.com ---
Right, and pardon me being obtuse, as the counter syntax refers to the counting of packets / bytes... :(
I meant indeed N to be the occurrence of a set element being updated, say:
* if saddr 'foo' is being updated 3 times within the element's timeout period, then escalate the timeout period by some factor (multiply the initial timeout by 1.5)
On second thought, that is probably beyond the realm of nft and more for a daemon | script to evaluate set elements and take appropriate action.
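The escalation policy from comment #2 (three updates of the same element inside its timeout window, then multiply the timeout by 1.5) modelled as the userspace daemon logic the reporter suggests. This is an added example, not code from the thread or from nftables; the update events, the base timeout of 600s and the addresses are constructed, and pushing the new timeout into the nft set is left to the caller.

```python
from dataclasses import dataclass

ESCALATE_AFTER = 3    # updates within one timeout window trigger escalation
FACTOR = 1.5          # multiply the element's timeout by this (comment #2)
BASE_TIMEOUT = 600.0  # initial element timeout in seconds (assumed value)

@dataclass
class Element:
    timeout: float  # current timeout for this element, seconds
    expires: float  # absolute time at which the element would expire
    hits: int       # updates seen inside the current window

# Constructed update events (saddr, unix time); not real traffic.
EVENTS = [
    ("192.0.2.10", 0), ("192.0.2.10", 100), ("192.0.2.10", 200),
    ("192.0.2.10", 300), ("192.0.2.10", 2000),
    ("198.51.100.7", 0), ("198.51.100.7", 1000),
]

def process(events, base=BASE_TIMEOUT):
    """Replay events in time order; return (elements, escalations).

    escalations is a list of (saddr, time, new_timeout) describing every
    point at which a daemon would push a longer timeout to the nft set.
    """
    elements, escalations = {}, []
    for saddr, now in sorted(events, key=lambda e: e[1]):
        el = elements.get(saddr)
        if el is None or now >= el.expires:
            # unknown or already expired: start over at the base timeout
            elements[saddr] = Element(base, now + base, 1)
            continue
        el.hits += 1
        if el.hits >= ESCALATE_AFTER:
            el.timeout *= FACTOR
            el.hits = 0  # count afresh against the longer window
            escalations.append((saddr, now, el.timeout))
        el.expires = now + el.timeout  # each update refreshes expiry
    return elements, escalations

if __name__ == "__main__":
    elements, escalations = process(EVENTS)
    for saddr, when, t in escalations:
        print(f"{when:>5}s  {saddr}: escalate timeout to {t:.0f}s")
    for saddr, el in elements.items():
        print(f"final {saddr}: timeout={el.timeout:.0f}s expires={el.expires:.0f}")
```

An element that falls silent until its window expires drops back to the base timeout, so escalation only persists for addresses that keep being re-added.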