[Bug 1493] sets: timeout+counter

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Sat Jan 16 19:39:47 CET 2021


https://bugzilla.netfilter.org/show_bug.cgi?id=1493

Pablo Neira Ayuso <pablo at netfilter.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

--- Comment #1 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Kernel patch to fix the missing counters:

https://patchwork.ozlabs.org/project/netfilter-devel/patch/20210116180313.16943-1-pablo@netfilter.org/

It applies to 5.11-rc, I will send a backport to request inclusion in -stable
kernels.

There is another issue: the timeout policy is not displayed when listing (only
the expiration), which results in skipping the timeout policy the next time you
reload the listing. Another patch:

https://patchwork.ozlabs.org/project/netfilter-devel/patch/20210116182932.737-1-pablo@netfilter.org/

Until these patches get into the kernel, I can provide a workaround for you:

- Set the dynamic flag in your set definition; this is convenient since it
specifies that the set is updated from the packet path.

    set tst {
        type ipv4_addr
        size 8
        flags timeout,dynamic
        counter
    }

- Specify counter in the set statement:

    tcp dport 1111 add @tst { ip daddr timeout 5m counter }

It's kind of redundant, but it will work until kernels honor the set definition
containing the counter.
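The two workaround steps above combined into one loadable ruleset, as an added example that is not part of the bug report or of the netfilter project's own code. The table name `filter`, the chain name `input` and the hook/priority are assumptions; the set name `tst`, the port 1111 and the `timeout 5m counter` set statement are taken from the comment.

```nft
# Added example, not from the bug report. Load with: nft -f workaround.nft
# Table/chain names are assumed; the set and the rule follow comment #1.
table inet filter {
    # Dynamic set: elements are added from the packet path, expire after
    # their per-element timeout, and carry a per-element packet/byte counter.
    set tst {
        type ipv4_addr
        size 8
        flags timeout,dynamic
        counter
    }

    chain input {
        type filter hook input priority 0; policy accept;

        # Workaround: repeat "counter" in the set statement so the element
        # gets its counter even on kernels that do not yet honor the
        # "counter" line in the set definition above.
        tcp dport 1111 add @tst { ip daddr timeout 5m counter }
    }
}
```

After loading, `nft list set inet filter tst` shows the elements with their expiration and counters. As the comment notes, until the second patch is in the kernel the listing shows the expiration but not the `timeout 5m` policy, so a listing that is saved and reloaded as-is would lose the timeout policy; keep the original file as the source of truth rather than round-tripping through `nft list`.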
