
How does the nftables set-syntax replacement for meters work exactly?

2 votes
1 answer
728 views
nftables nowadays [recommends](https://wiki.nftables.org/wiki-nftables/index.php/Meters) using sets instead of meters when e.g. creating dynamic per-IP blacklists (example adapted from the [man pages](https://manpages.debian.org/testing/nftables/nft.8.en.html), v0.98):
```
set blacklist {
    type ipv4_addr
    flags dynamic
    timeout 30m
}

set flood {
    type ipv4_addr
    flags dynamic
    timeout 1m
}

ip saddr @blacklist drop

ct state new \
  add @flood { ip saddr limit rate over 10/minute } \
  add @blacklist { ip saddr } \
  drop
```
1. What is the execution flow of the add statements here? The second add is only executed when the per-IP limit specified in the first add is hit, but why? Does it have something to do with whether the first add actually does anything (i.e. there is no entry in the table yet)? Or does it do some magic by looking at the set and the number of connections created so far?
2. Is the drop always executed? Or just after the second add is evaluated? Why?
3. How does the lookup table help to keep track of the limit? When I view the actual contents of the set, I don't see any counts of e.g. new connections in the last minute. Does it just store the timestamp and delegate the actual counting to the kernel?
4. Why do we need to specify the flood limit interval twice (as the set timeout and in the limit statement)? Are there use cases where it makes sense to use two different values?
5. The [Red Hat 7 docs](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-using_nftables_to_limit_the_amount_of_connections) give this example for a per-IP connection limiter:

   ```
   nft add rule ip filter input ip protocol tcp ct state new, untracked limit rate over 10/minute add @denylist { ip saddr }
   ```

   This seems incorrect to me as the rate is put _before_ the add, meaning it will just add the IP to the table as soon as it hits 10 new connections/minute from _any_ IP?

Pointers to docs on the actual semantics of the language are appreciated.
Asked by reijerh (31 rep)
Mar 28, 2023, 10:50 PM
Last activity: Jan 23, 2025, 12:22 AM
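The evaluation order the question asks about, as an added Python model (not nft code, and not from the question or the nftables project): each statement of a rule has to match for the next one to run, the per-source limiter is state held inside the `@flood` element, and the set timeout and the limit period are independent knobs. `run_global` models the placement used in the Red Hat example for comparison; the token bucket is a simplified stand-in for the kernel's nft_limit and connection tracking is ignored.

```python
class Limiter:
    """Token bucket: `rate` packets per `period` seconds, capacity `rate` (simplified nft_limit)."""
    def __init__(self, rate, period):
        self.rate, self.period, self.tokens, self.last = rate, period, float(rate), 0.0
    def over(self, now):
        # refill by elapsed time, then spend one token; "over" means the bucket was empty
        self.tokens = min(self.rate, self.tokens + (now - self.last) * self.rate / self.period)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return False
        return True


class DynSet:
    """`set x { flags dynamic; timeout T }`: each element expires T seconds after insertion."""
    def __init__(self, timeout, limit=None):
        self.timeout, self.limit, self.elems = timeout, limit, {}
    def contains(self, key, now):
        self.elems = {k: v for k, v in self.elems.items() if v["expires"] > now}  # expire old
        return key in self.elems
    def add(self, key, now):
        """`add @x { key [limit ...] }`: insert if absent, then evaluate that element's own limiter;
        True means the statement matched, so the rule continues with its next statement."""
        if not self.contains(key, now):
            lim = Limiter(*self.limit) if self.limit else None
            self.elems[key] = {"expires": now + self.timeout, "limit": lim}
        lim = self.elems[key]["limit"]
        return lim.over(now) if lim else True


def run_per_ip(packets):
    """The question's ruleset (ct state ignored): the limiter lives inside each @flood element."""
    flood, blacklist = DynSet(60, limit=(10, 60)), DynSet(1800)
    verdicts = []
    for now, saddr in packets:
        if blacklist.contains(saddr, now):      # ip saddr @blacklist drop
            verdicts.append("drop")
        elif not flood.add(saddr, now):         # rate not over: rule ends here, packet goes on
            verdicts.append("accept")
        else:                                   # over: add @blacklist { ip saddr } ... drop
            blacklist.add(saddr, now)
            verdicts.append("drop")
    return verdicts, sorted(blacklist.elems)


def run_global(packets):
    """`limit rate over 10/minute add @denylist { ip saddr }`: one limiter shared by all sources."""
    shared, denylist = Limiter(10, 60), DynSet(1800)
    for now, saddr in packets:
        if shared.over(now):                    # whichever source sends the 11th packet is listed
            denylist.add(saddr, now)
    return sorted(denylist.elems)
```

Packets are constructed `(time_seconds, source)` tuples; running eleven from one source at once shows the tenth accepted and the eleventh dropped and listed, while a second source is unaffected in `run_per_ip` but gets listed in `run_global`.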