Is there a way to extend the timeout of elements in an nftables set?

netfilter.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* Is there a way to extend the timeout of elements in an nftables set?
@ 2025-10-11 10:09 Cyrus
  2025-10-11 14:11 ` Florian Westphal
  0 siblings, 1 reply; 3+ messages in thread
From: Cyrus @ 2025-10-11 10:09 UTC (permalink / raw)
  To: netfilter

With ipsets, the timeout of an element in a set gets extended each
time you `ipset add` it. However, that doesn't happen with nftables
(v1.1.1) sets - when you `nft add` an element, the timeout is set
initially but never subsequently updated. Is there another way to do
this that I'm missing?

Regardless, I think it's worth noting that the existing behavior makes
the `nftset` functionality of dnsmasq (where it automatically adds
select resolved IPs to nftables sets) unusable for me compared to its
equivalent `ipset` functionality.

Thanks,
Cyrus

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: Is there a way to extend the timeout of elements in an nftables set?
  2025-10-11 10:09 Is there a way to extend the timeout of elements in an nftables set? Cyrus
@ 2025-10-11 14:11 ` Florian Westphal
       [not found]   ` <CAEcyiz9P17KroeRMVFXrwggAF2Yzy7_uadJoQ6yZBa=07LwiXQ@mail.gmail.com>
  0 siblings, 1 reply; 3+ messages in thread
From: Florian Westphal @ 2025-10-11 14:11 UTC (permalink / raw)
  To: Cyrus; +Cc: netfilter

Cyrus <cyrusrereza@gmail.com> wrote:
> With ipsets, the timeout of an element in a set gets extended each
> time you `ipset add` it. However, that doesn't happen with nftables
> (v1.1.1) sets - when you `nft add` an element, the timeout is set
> initially but never subsequently updated. Is there another way to do
> this that I'm missing?

You can re-add with a new *expires* value:

$ nft add element t s { 1.2.3.4 timeout 2m  }
$ nft "get element t s { 1.2.3.4 }"
table ip t {
        set s {
                type ipv4_addr
                timeout 1m
                elements = { 1.2.3.4 timeout 2m expires 1m53s544ms }
        }
}
nft "add element t s { 1.2.3.4 timeout 2m expires 2m }"
$ nft "get element t s { 1.2.3.4 }"
table ip t {
        set s {
                type ipv4_addr
                timeout 1m
                elements = { 1.2.3.4 timeout 2m expires 1m58s301ms }
        }
}

^ permalink raw reply	[flat|nested] 3+ messages in thread

[parent not found: <CAEcyiz9P17KroeRMVFXrwggAF2Yzy7_uadJoQ6yZBa=07LwiXQ@mail.gmail.com>]

* Re: Is there a way to extend the timeout of elements in an nftables set?
       [not found]   ` <CAEcyiz9P17KroeRMVFXrwggAF2Yzy7_uadJoQ6yZBa=07LwiXQ@mail.gmail.com>
@ 2025-10-11 17:26     ` Cyrus
  0 siblings, 0 replies; 3+ messages in thread
From: Cyrus @ 2025-10-11 17:26 UTC (permalink / raw)
  To: Florian Westphal; +Cc: netfilter

Thanks Florian. I was able to get this to work on Ubuntu 24.04 but not
on Ubuntu 22.04 so it looks like something changed between nft v1.0.2
and v1.0.9. Although, interestingly, the command didn't fail on
v1.0.2, it just didn't reset the timeout.

Anyway, I now have a couple more questions:

* What is the point of the timeout flag in those `nft add element`
commands? Having both a timeout flag and an expires flag seems
redundant.
* Woudn't it make more sense if the expires value defaulted to the
timeout of the set if it isn't explicitly set on the add element call?
Otherwise, an application like dnsmasq now has to be configured with
this value or figure it out somehow.

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2025-10-11 17:26 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-10-11 10:09 Is there a way to extend the timeout of elements in an nftables set? Cyrus
2025-10-11 14:11 ` Florian Westphal
     [not found]   ` <CAEcyiz9P17KroeRMVFXrwggAF2Yzy7_uadJoQ6yZBa=07LwiXQ@mail.gmail.com>
2025-10-11 17:26     ` Cyrus

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).