Re: Wiki entry on Element timeouts in NFtables

[Pablo Neira Ayuso <pablo@netfilter.org>]

Hi,

On Sat, Sep 07, 2024 at 09:23:00AM +0300, Lars Noodén wrote:
> I am unclear on the differences between 'timeout' and 'expires' as
> described in the Wiki entry¹ on Element timeouts.
> 
> If 'expires' is assigned, but no 'timeout' is given, then what happens?
> Will the entry expire regardless of whether additional matching traffic
> comes in?  Why do the two examples have 'timeout' with larger values
> than the 'expires' in  both?

From timeout perspective, there are three type of sets:

1) Sets with no timeout. Adding an element with timeout results in an
   error.

2) Sets with:

        flags timeout

   that is, set supports timeouts but no default set timeout is specified
   in the declaration, in that case, if element is added with no timeout,
   then element never times out. On the other hand, elements that time out
   need an explicit "timeout" option to be used when they are added.

   The set listing always shows "timeout" and "expires" in this case.

3) Sets with default timeout, eg.

        timeout 1h

   In this case, an element that is added with no specific timeout
   uses the default set timeout and the set listing only shows
   "expires" to remove redundant "timeout" information, because
   default set timeout is assumed.

   However, it is possible to override the default set timeout, in that
   case, if element timeout is different than the default set timeout,
   then the set listing shows again both "timeout" and "expires".

   Therefore, "expires" with no "timeout" is only possible in this case,
   because "timeout" is assumed to be the default set timeout.

> ¹ https://wiki.nftables.org/wiki-nftables/index.php/Element_timeouts