bugzilla-daemon at netfilter.org
2024-Aug-26 15:19 UTC
[Bug 1767] New: [Feature request] Comments in the element in the set
https://bugzilla.netfilter.org/show_bug.cgi?id=1767

            Bug ID: 1767
           Summary: [Feature request] Comments in the element in the set
           Product: nftables
           Version: unspecified
          Hardware: x86_64
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: contact at brskt.be

Hi there,

I wanted to put comments with the elements by adding them in sets, to add more context and to be able to know where the element comes from.

I found this:

https://manpages.debian.org/bullseye/nftables/nft.8.en.html#ELEMENTS
https://stackoverflow.com/a/77511273

But it seems it has not been implemented yet and needs some development.

For example, let's use these rules:

add set netdev firewall limit_rate_6kpps { type ipv4_addr ; timeout 1s ; size 12000 ; flags timeout, dynamic ; }
add set netdev firewall limit_rate_4mbytes { type ipv4_addr ; timeout 1s ; size 12000 ; flags timeout, dynamic ; }
add set netdev firewall limit_rate { type ipv4_addr ; timeout 1m ; size 24000 ; flags timeout, dynamic ; }

add rule netdev firewall INPUT update @limit_rate_6kpps { ip daddr limit rate over 6000/second } add @limit_rate { ip daddr comment from_rule_6kpps }
add rule netdev firewall INPUT update @limit_rate_4mbytes { ip daddr limit rate over 4 mbytes/second } add @limit_rate { ip daddr comment from_rule_4mbytes }

The comment used for the 'limit_rate' set will be to know from which rule the element has been added, whether it is from the limit rate on packets or on bytes.

So, when listing the set, it will look like:

table netdev firewall {
	set limit_rate {
		type ipv4_addr
		size 24000
		flags dynamic,timeout
		timeout 1m
		elements = { 1.2.3.4 timeout 1m expires 28s470ms comment from_rule_6kpps,
			     5.6.7.8 timeout 1m expires 54s284ms comment from_rule_4mbytes }
	}
}

Of course, in this case, this can also be in the JSON export and maybe used, if the comment is unique, to add/find/delete elements; it could be used for anything if we insert the element via scripting.
Thanks in advance.
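As an added illustration of the scripting use the report ends with (this is not code from the report or from nftables): a Python helper that groups the elements of one exported set by comment and builds the matching delete commands. The sample JSON is constructed; its shape, including the requested "comment" key on dynamic elements, is assumed here and is not taken from real nft -j output.

```python
import json
from typing import Dict, List

# Constructed sample, NOT real nft output. The shape (top-level "nftables" array,
# a "set" object with an "elem" list, each element wrapped as {"elem": {...}} with
# "val", "timeout", "expires") is assumed to follow libnftables' JSON format; the
# "comment" key on dynamic elements is the feature requested above, not current behaviour.
SAMPLE_NFT_JSON = json.dumps({
    "nftables": [
        {"metainfo": {"version": "constructed", "json_schema_version": 1}},
        {"set": {"family": "netdev", "name": "limit_rate", "table": "firewall",
                 "type": "ipv4_addr", "handle": 3, "flags": ["dynamic", "timeout"],
                 "timeout": 60, "size": 24000,
                 "elem": [
                     {"elem": {"val": "1.2.3.4", "timeout": 60, "expires": 28,
                               "comment": "from_rule_6kpps"}},
                     {"elem": {"val": "5.6.7.8", "timeout": 60, "expires": 54,
                               "comment": "from_rule_4mbytes"}},
                     {"elem": {"val": "9.9.9.9", "timeout": 60, "expires": 3,
                               "comment": "from_rule_6kpps"}},
                 ]}},
    ]
})


def elements_by_comment(nft_json: str, family: str, table: str, name: str) -> Dict[str, List[str]]:
    """Group the elements of one set by comment; elements without a comment land under ""."""
    doc = json.loads(nft_json)
    groups: Dict[str, List[str]] = {}
    for obj in doc.get("nftables", []):
        s = obj.get("set")
        if not s or (s["family"], s["table"], s["name"]) != (family, table, name):
            continue
        for entry in s.get("elem", []):
            # Elements with attributes are wrapped as {"elem": {...}}; bare values are plain strings.
            attrs = entry["elem"] if isinstance(entry, dict) and "elem" in entry else {"val": entry}
            groups.setdefault(attrs.get("comment", ""), []).append(attrs["val"])
    return groups


def delete_commands(nft_json: str, family: str, table: str, name: str, comment: str) -> List[str]:
    """Build one 'delete element' command per element whose comment matches (for 'nft -f -')."""
    vals = elements_by_comment(nft_json, family, table, name).get(comment, [])
    return [f"delete element {family} {table} {name} {{ {v} }}" for v in vals]


if __name__ == "__main__":
    print(elements_by_comment(SAMPLE_NFT_JSON, "netdev", "firewall", "limit_rate"))
    print("\n".join(delete_commands(SAMPLE_NFT_JSON, "netdev", "firewall", "limit_rate", "from_rule_6kpps")))
```

In practice the JSON would come from `nft -j list set netdev firewall limit_rate` and the generated commands would be fed back through `nft -f -`.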