netfilter-devel.vger.kernel.org archive mirror
* ipset suggestion, idle-timeout
@ 2014-04-21  4:50 Shannon Wynter
  2014-04-21 19:25 ` Jozsef Kadlecsik
  0 siblings, 1 reply; 3+ messages in thread
From: Shannon Wynter @ 2014-04-21  4:50 UTC (permalink / raw)
  To: netfilter-devel

Greetings,

I would love to have an "idle timeout" for ipset

It would essentially work like the regular timeout, removing the entry 
from the set, but only if there are no matches on the entry for the duration 
of the timeout.

eg:
Add a match for 8.8.8.8 for 300 seconds.
If there is a match on 8.8.8.8 at 250 seconds then the timer is reset.
If there is no match on 8.8.8.8 for 300 then the entry is removed

I wouldn't mind having a look at this myself but don't really know the 
first thing about NF and I've already gotten lost in the source.


* Re: ipset suggestion, idle-timeout
  2014-04-21  4:50 ipset suggestion, idle-timeout Shannon Wynter
@ 2014-04-21 19:25 ` Jozsef Kadlecsik
  2014-04-22  2:25   ` Shannon Wynter
  0 siblings, 1 reply; 3+ messages in thread
From: Jozsef Kadlecsik @ 2014-04-21 19:25 UTC (permalink / raw)
  To: Shannon Wynter; +Cc: netfilter-devel

On Mon, 21 Apr 2014, Shannon Wynter wrote:

> It would essentially work like the regular timeout, removing the entry from
> the set, but only if there are no matches on the entry for the duration of the timeout.
> 
> eg:
> Add a match for 8.8.8.8 for 300 seconds.
> If there is a match on 8.8.8.8 at 250 seconds then the timer is reset.
> If there is no match on 8.8.8.8 for 300 then the entry is removed
> 
> I wouldn't mind having a look at this myself but don't really know the first

That's equivalent to "match and re-add the element", which can easily be 
achieved with a rule like:

... -m set --match-set .... -j SET --add-set ...

(or if you need multiple actions, then jump to a proper chain).

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary
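The "match and re-add" construction above, written out as concrete ipset/iptables commands. This is an added illustration, not code from the thread or from the ipset project; the set name idle_hosts, the FORWARD chain and the dst match direction are assumptions made here, while 8.8.8.8 and 300 seconds are the thread's own example values.

```shell
#!/bin/sh
# Added illustration, not code from the thread. It turns Jozsef's
# "match and re-add the element" rule into concrete commands.
# Assumed here (not from the thread): the set name "idle_hosts", the
# FORWARD chain and the "dst" match direction. 8.8.8.8 and 300 seconds
# are the thread's own example values.

# Print the three commands that give a set a sliding idle timeout:
#   1. create the set with a default per-element timeout,
#   2. seed it with the element (the thread's 8.8.8.8),
#   3. on every match, re-add the element with --exist so that the
#      timer is reset instead of the add failing with "already exists".
#      Without --exist the existing element would be left untouched and
#      the timer would not be refreshed.
# $1 = set name, $2 = idle seconds, $3 = chain, $4 = match direction.
idle_timeout_rules() {
    set_name=$1; secs=$2; chain=$3; dir=$4
    printf 'ipset create %s hash:ip timeout %s\n' "$set_name" "$secs"
    printf 'ipset -exist add %s 8.8.8.8\n' "$set_name"
    printf 'iptables -A %s -m set --match-set %s %s -j SET --add-set %s %s --exist\n' \
        "$chain" "$set_name" "$dir" "$set_name" "$dir"
}

# Number of command lines the generator emits (sanity check for scripts).
idle_timeout_rule_count() {
    idle_timeout_rules "$@" | grep -c .
}

# Apply only when explicitly asked and running as root; otherwise just show
# the commands so they can be reviewed before touching the firewall.
if [ "${1:-}" = "--apply" ] && [ "$(id -u)" = "0" ]; then
    idle_timeout_rules idle_hosts 300 FORWARD dst | sh -e
else
    idle_timeout_rules idle_hosts 300 FORWARD dst
fi
```

Run without arguments to print the commands, or as root with `--apply` to execute them. The SET target is non-terminating, so the packet continues to the following rules after the element's timer has been refreshed; the `--exist` flag is the documented SET target option for resetting the timeout of an element that is already present, and `ipset -exist add` does the same on the command line for the initial seed.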


* Re: ipset suggestion, idle-timeout
  2014-04-21 19:25 ` Jozsef Kadlecsik
@ 2014-04-22  2:25   ` Shannon Wynter
  0 siblings, 0 replies; 3+ messages in thread
From: Shannon Wynter @ 2014-04-22  2:25 UTC (permalink / raw)
  To: Jozsef Kadlecsik; +Cc: netfilter-devel

On 22/04/2014 5:25 AM, Jozsef Kadlecsik wrote:
> That's equivalent with "match and re-add the element", which can easily be
> achieved with a rule like:
>
> ... -m set --match-set .... -j SET --add-set ...
>
> (or if you need multiple actions, then jump to a proper chain).
>
> Best regards,
> Jozsef
>
Brilliant, my apologies. I've been using ipset for ages and have even read 
the manual a few times; I must have missed the bit where it tells me 
I could use iptables to add to sets (makes sense though).

Thank you

Shannon.

