From: "U.Mutlu" <um@mutluit.com>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: imnozi@gmail.com, netfilter-devel@vger.kernel.org,
	netfilter@vger.kernel.org
Subject: Re: [nftables/nft] nft equivalent of "ipset test"
Date: Wed, 18 Oct 2023 15:03:44 +0200
Message-ID: <652FD7B0.7020405@mutluit.com>
In-Reply-To: <ZS/GZxyC4vTx3Ln2@calendula>

Pablo Neira Ayuso wrote on 10/18/23 13:49:
> On Wed, Oct 18, 2023 at 01:07:07PM +0200, U.Mutlu wrote:
> [...]
>> Lately I've extended this to make it a 2-stage: if a blocked IP
>> continues sending more than x packets while in a timeout of y minutes,
>> then add this attacker to the second set, which has a much higher timeout of z
>> minutes.
>>
>> One additional practical benefit of this approach is that
>> now one sees the hardcore attackers grouped (they are those in set2).
>>
>> The correct managing of these two sets requires the said
>> atomicity by testing BOTH sets before adding the IP to the first set...
>>
> You should look at nftables concatenations, you do not have to split
> this information across two sets in nftables. For adding entries from
> the packet path, have a look at dynamic sets.
>
> Two sets also means two lookups from packet path.

But as said above, I need a separate 2nd set anyway,
to be able to see the hardcore attackers.
For example, for auto-generating and filing
an Abuse Report to the abuse address (WHOIS)
of the ISP owning that attacker/hacker IP.

Your other suggestions make sense, indeed, but ATM
are too advanced for me; I would need some time to
learn these advanced concepts possible in current nftables.
In the meantime iptables with ipset shall suffice for my non-HA needs.  :-)

Thx.
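For readers following the thread, here is how the two-stage ban described above maps onto nftables dynamic sets, as Pablo suggests, while keeping the separate "hardcore" set the poster wants for abuse reporting. This is an added example, not a ruleset posted in the thread and not part of nftables' own documentation. The table/set names, the port (SSH on 22), the thresholds (4 new connections per minute to enter stage 1, more than 10 packets per minute while blocked to escalate) and the timeouts (10 minutes and 24 hours) are all assumptions chosen for illustration; rate limits stand in for the poster's "more than x packets in y minutes" counter. Stateful `limit` expressions inside dynamic set elements need a reasonably recent nft and kernel (the `add @set { key limit rate over ... }` form from the nft(8) set statement section).

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread. Two-stage ban with dynamic sets.
# Assumed: IPv4 only ("ip saddr"), SSH on port 22, thresholds and
# timeouts below are illustrative values, not recommendations.

table inet filter {
    # per-source meter for the detection stage (new SSH connections)
    set ssh_meter {
        type ipv4_addr
        flags dynamic,timeout
        timeout 1m
    }

    # stage 1: short ban, filled from the packet path
    set blocked {
        type ipv4_addr
        flags dynamic,timeout
        timeout 10m
    }

    # per-source meter counting traffic that arrives while blocked
    set repeat_meter {
        type ipv4_addr
        flags dynamic,timeout
        timeout 10m
    }

    # stage 2: long ban. Membership here is the "hardcore attackers"
    # list the poster wants to export for abuse reports.
    set hardcore {
        type ipv4_addr
        flags dynamic,timeout
        timeout 24h
    }

    chain input {
        type filter hook input priority filter; policy accept;

        iif lo accept
        ct state established,related accept

        # Already escalated: drop, nothing further to decide.
        # Checked first so a stage-2 host is never re-counted in stage 1.
        ip saddr @hardcore drop

        # Stage 1 host still sending: meter per source; only once the
        # rate is exceeded does the rule continue and copy the address
        # into stage 2. A host quiet for 10m simply ages out of @blocked.
        ip saddr @blocked add @repeat_meter { ip saddr limit rate over 10/minute } add @hardcore { ip saddr } drop
        ip saddr @blocked drop

        # Detection: too many new SSH connections from one source
        # within the meter window puts it into stage 1.
        tcp dport 22 ct state new add @ssh_meter { ip saddr limit rate over 4/minute } add @blocked { ip saddr } drop
    }
}
```

Both lookups and the escalation happen in one rule evaluation inside the kernel, so the "test both sets, then add" race the poster worries about with userspace `ipset test` does not arise. The `ipset test` equivalent for a single address is `nft get element inet filter hardcore { 198.51.100.7 }` (exit status non-zero when absent), and `nft list set inet filter hardcore` dumps the whole stage-2 set for the abuse-report script. Load the file with `nft -f`; it defines its own table and does not flush the existing ruleset.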



Thread overview: 15+ messages
2023-10-17 17:11 [nftables/nft] nft equivalent of "ipset test" U.Mutlu
2023-10-17 21:35 ` Florian Westphal
2023-10-17 21:55   ` U.Mutlu
2023-10-17 22:05     ` Florian Westphal
2023-10-17 22:36       ` U.Mutlu
2023-10-18  0:00         ` imnozi
2023-10-18  9:36           ` Pablo Neira Ayuso
2023-10-18  9:54             ` U.Mutlu
2023-10-18 10:00               ` Pablo Neira Ayuso
2023-10-18 11:07                 ` U.Mutlu
2023-10-18 11:49                   ` Pablo Neira Ayuso
2023-10-18 13:03                     ` U.Mutlu [this message]
2023-10-18 14:37                   ` Phil Sutter
2023-10-18 11:54               ` Kerin Millar
2023-10-18  9:23         ` Pablo Neira Ayuso
