From: "U.Mutlu" <um@mutluit.com>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: imnozi@gmail.com, netfilter-devel@vger.kernel.org,
netfilter@vger.kernel.org
Subject: Re: [nftables/nft] nft equivalent of "ipset test"
Date: Wed, 18 Oct 2023 15:03:44 +0200 [thread overview]
Message-ID: <652FD7B0.7020405@mutluit.com> (raw)
In-Reply-To: <ZS/GZxyC4vTx3Ln2@calendula>
Pablo Neira Ayuso wrote on 10/18/23 13:49:
> On Wed, Oct 18, 2023 at 01:07:07PM +0200, U.Mutlu wrote:
> [...]
>> Lately I've extended this to make it a 2-stage: if blocked IP
>> continues sending more than x packets while in timeout of y minutes,
>> then add this attacker to the second set that has a much higher timeout of z
>> minutes.
>>
>> One additional practical benefit of this approach is that
>> now one sees the hardcore attackers grouped (they are those in set2).
>>
>> The correct managing of these two sets requires the said
>> atomicity by testing of BOTH sets before adding the IP to the first set...
>>
> You should look at nftables concatenations, you do not have to split
> this information accross two sets in nftables. For adding entries from
> packet path, have a look at dynamic sets.
>
> Two sets also means two lookups from packet path.
But as said above, I need a seperate 2nd set anyway,
to be able to see the hardcore attackers.
For example for auto-generating and filing
an Abuse Report to the abuse-address (WHOIS)
of the owning ISP of that attacker/hacker IP.
Your other suggestions make sense, indeed, but ATM
are too advanced for me; I would need some time to
learn these advanced concepts possible in current nftables.
In the meantime iptables with ipset shall suffice for my non-HA needs. :-)
Thx.
next prev parent reply other threads:[~2023-10-18 13:03 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-10-17 17:11 [nftables/nft] nft equivalent of "ipset test" U.Mutlu
2023-10-17 21:35 ` Florian Westphal
2023-10-17 21:55 ` U.Mutlu
2023-10-17 22:05 ` Florian Westphal
2023-10-17 22:36 ` U.Mutlu
2023-10-18 9:23 ` Pablo Neira Ayuso
[not found] ` <20231017200057.57cfce21@playground>
2023-10-18 9:36 ` Pablo Neira Ayuso
2023-10-18 9:54 ` U.Mutlu
2023-10-18 10:00 ` Pablo Neira Ayuso
2023-10-18 11:07 ` U.Mutlu
2023-10-18 11:49 ` Pablo Neira Ayuso
2023-10-18 13:03 ` U.Mutlu [this message]
2023-10-18 14:37 ` Phil Sutter
2023-10-18 11:54 ` Kerin Millar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=652FD7B0.7020405@mutluit.com \
--to=um@mutluit.com \
--cc=imnozi@gmail.com \
--cc=netfilter-devel@vger.kernel.org \
--cc=netfilter@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox