bugzilla-daemon at netfilter.org
2023-Oct-05 10:18 UTC
[Bug 1711] New: Named sets - Use flags interval and dynamic
https://bugzilla.netfilter.org/show_bug.cgi?id=1711

            Bug ID: 1711
           Summary: Named sets - Use flags interval and dynamic
           Product: nftables
           Version: 1.0.x
          Hardware: x86_64
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: nicolasfort1988 at gmail.com

Sorry, this might be simple or stated before, but I found no information or docs regarding this requirement: is there any way to use named sets with flags 'dynamic' and 'interval'?

Commands that work and generate the desired named set:

  sudo nft add set ip filter FOO-1 {type ipv4_addr\; flags interval\;}
  sudo nft add set ip filter FOO-2 {type ipv4_addr\; flags dynamic\;}
  sudo nft add set ip filter FOO-3 {type ipv4_addr\; flags dynamic, timeout\;}

And this doesn't work:

  sudo nft add set ip filter FOO-4 {type ipv4_addr\; flags dynamic, interval\;}
  Error: Could not process rule: Operation not supported
  add set ip filter FOO-4 {type ipv4_addr; flags dynamic, interval;}
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Thanks in advance

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20231005/19876a9b/attachment.html>
bugzilla-daemon at netfilter.org
2023-Oct-05 10:33 UTC
[Bug 1711] Named sets - Use flags interval and dynamic
https://bugzilla.netfilter.org/show_bug.cgi?id=1711

--- Comment #1 from nicolasfort1988 at gmail.com ---
Usage: have one ipv4 named set, used as a whitelist, where I can:

- Predefine ipv4 networks statically: for example, add internal networks
- After port knocking, add the source ip address to this whitelist group
bugzilla-daemon at netfilter.org
2023-Oct-05 14:52 UTC
[Bug 1711] Named sets - Use flags interval and dynamic
https://bugzilla.netfilter.org/show_bug.cgi?id=1711

Eric Fahlgren <evil.function at proton.me> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |evil.function at proton.me

--- Comment #2 from Eric Fahlgren <evil.function at proton.me> ---
To the best of my knowledge, interval sets are implicitly dynamic (i.e., you can add and delete elements arbitrarily). In order to change this behavior and create a constant-sized set, you'd state exactly that using the "constant" flag:

  $ nft add set ip filter FOO-N '{ type ipv4_addr; flags interval, constant; elements = { 10.0.0.0/24 } }'

And then:

  $ nft add element ip filter FOO-N '{ 100.1.1.0/24 }'
  Error: Could not process rule: Too many open files in system
  add element ip filter FOO-N { 100.1.1.0/24 }
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Leave out "constant" and the "add element" works just fine (as will "delete element").
bugzilla-daemon at netfilter.org
2023-Oct-05 17:41 UTC
[Bug 1711] Named sets - Use flags interval and dynamic
https://bugzilla.netfilter.org/show_bug.cgi?id=1711

--- Comment #3 from nicolasfort1988 at gmail.com ---
No, interval seems not enough to be able to update the set using firewall rules. For example:

  vyos at vyos:~$ sudo nft list table ip filter
  table ip filter {
          set FOO-1 {
                  type ipv4_addr
                  flags interval
          }

          set FOO-2 {
                  type ipv4_addr
                  size 65535
                  flags dynamic
          }

          chain FOO {
                  update @FOO-2 { ip saddr }
          }
  }
  vyos at vyos:~$ sudo nft add rule ip filter FOO set update ip daddr @FOO-2
  vyos at vyos:~$ sudo nft add rule ip filter FOO set update ip daddr @FOO-1
  Error: Could not process rule: Operation not supported
  add rule ip filter FOO set update ip daddr @FOO-1
                         ^^^^^^^^^^^^^^^^^^^^^^^^^^
  vyos at vyos:~$

As you can see, updating set FOO-1 through firewall rules is not possible (it doesn't have the dynamic flag), while updating set FOO-2 is allowed.
bugzilla-daemon at netfilter.org
2023-Oct-05 22:41 UTC
[Bug 1711] (feature request) dynamic named sets with intervals
https://bugzilla.netfilter.org/show_bug.cgi?id=1711

Pablo Neira Ayuso <pablo at netfilter.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|Named sets - Use flags      |(feature request) dynamic
                   |interval and dynamic        |named sets with intervals
bugzilla-daemon at netfilter.org
2023-Oct-10 13:43 UTC
[Bug 1711] (feature request) dynamic named sets with intervals
https://bugzilla.netfilter.org/show_bug.cgi?id=1711

Phil Sutter <phil at nwl.cc> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |phil at nwl.cc

--- Comment #4 from Phil Sutter <phil at nwl.cc> ---
The cause of this is the lack of a set backend in the kernel which supports both intervals and updates from the packet path.
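Until a kernel set backend supports both intervals and packet-path updates, the whitelist from Comment #1 can be built from two sets, one interval set holding the static networks and one dynamic set fed by the knock rule, with a lookup rule for each. The ruleset below is an added example and not the reporter's configuration; the set and chain names, the knock port 12345 and the single-port knock are assumptions, and the network prefixes are constructed samples.

```nft
table ip filter {
    # Static half of the whitelist: prefixes, managed only from the CLI
    # (nft add/delete element). An interval set cannot be updated by rules.
    set whitelist_static {
        type ipv4_addr
        flags interval
        elements = { 10.0.0.0/8, 192.168.0.0/16 }   # constructed sample networks
    }

    # Dynamic half: single addresses added from the packet path, expiring
    # on their own so a knocked-in host does not stay whitelisted forever.
    set whitelist_dynamic {
        type ipv4_addr
        flags dynamic, timeout
        timeout 1h
        size 65535
    }

    # Evaluated before the filter chain: a hit on the (assumed) knock port
    # records the source address. The knock packet itself is still dropped
    # by the input chain below, so the knock port never appears open.
    chain knock {
        type filter hook input priority filter - 1; policy accept;
        tcp dport 12345 update @whitelist_dynamic { ip saddr timeout 1h }
    }

    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # Two lookups instead of one: a set cannot be both interval and dynamic.
        ip saddr @whitelist_static tcp dport 22 accept
        ip saddr @whitelist_dynamic tcp dport 22 accept
    }
}
```

Load it with `nft -f` and inspect the dynamic half with `nft list set ip filter whitelist_dynamic` to see which addresses have been admitted and when they expire.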
bugzilla-daemon at netfilter.org
2023-Oct-25 05:08 UTC
[Bug 1711] (feature request) dynamic named sets with intervals
https://bugzilla.netfilter.org/show_bug.cgi?id=1711

kfm at plushkava.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kfm at plushkava.net
             Blocks|                            |1461