bugzilla-daemon at netfilter.org
2020-Sep-23 10:13 UTC
[Bug 1467] New: [sets] support adaptive (escalating) rule(s)
https://bugzilla.netfilter.org/show_bug.cgi?id=1467 Bug ID: 1467 Summary: [sets] support adaptive (escalating) rule(s) Product: nftables Version: unspecified Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 Component: nft Assignee: pablo at netfilter.org Reporter: vtolkm at gmail.com once bug #1466 is sorted consider support for adaptive (escalating) rule(s) based on element counters, e.g. * if { saddr counter N } then { set element timeout } multiply by or add timeout factor (N1) * if { saddr counter N *|+ N1 } then lookup saddr's cidr in geoip db and update saddr to cidr range * if { saddr cidr range counter N } then lookup saddr cidr range in geoip db and update saddr to ASN * if { saddr ASN counter N } then lookup ASN in geoip db and update saddr to ISP's ASN range -- You are receiving this mail because: You are watching all bug changes. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20200923/6891826f/attachment.html>
bugzilla-daemon at netfilter.org
2020-Sep-23 10:31 UTC
[Bug 1467] [sets] support adaptive (escalating) rule(s)
https://bugzilla.netfilter.org/show_bug.cgi?id=1467 --- Comment #1 from Pablo Neira Ayuso <pablo at netfilter.org> --- Hi, In you dialect below, counter N means bump counter whose name is N or to match packet / byte counters? If you could describe this too in natural language, I'd appreciate. I'd like to make sure I'm on the same page as you are. Thanks. -- You are receiving this mail because: You are watching all bug changes. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20200923/9f7b5b52/attachment.html>
bugzilla-daemon at netfilter.org
2020-Sep-23 10:51 UTC
[Bug 1467] [sets] support adaptive (escalating) rule(s)
https://bugzilla.netfilter.org/show_bug.cgi?id=1467 vtolkm at gmail.com changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution|--- |WONTFIX --- Comment #2 from vtolkm at gmail.com --- Right and pardon me being obtuse as the counter syntax refers to the counting of packets / bytes... :( I meant indeed N to be the occurrence of a set element being updated, say: * if saddr 'foo' being updated 3 times within the element's timeout period then escalate timeout period by some factor (multiply initial timeout by 1.5) On a second thought that is probably beyond the realm of nft and more for a daemon | script to evaluate set elements and take appropriate action. -- You are receiving this mail because: You are watching all bug changes. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20200923/3ca210ca/attachment-0001.html>
Reasonably Related Threads
- [Bug 1468] New: [netdev] dropping ether type vlan frames drops ICMPv6 type 134
- [Bug 1473] New: [log] not printing in combination with ct state and set update a/o rate limit
- [Bug 1465] New: [vmap] ct state concatenation not working
- [Bug 1472] New: [sets] global named sets that can be utilised across families
- [Bug 1483] New: v0.9.7 does not compile for arm-linux-gnueabihf