5

I am trying to establish a whitelist of clients that have successfully logged into the system, using ipset. What options do I have to let an entry age so that I can later discard it based on its age?

Is there a better method than the idea outlined below?

I have not found anything provided by ipset directly, so I am trying to establish whether or not such a facility exists within the scope of ipset/iptables.


Right now the only idea I have come up with is to use a cronjob that swaps the list every X minutes or hours. So as an example I'd have a list whitelist which is active, plus a list for the next hour (say for 21:00 whitelist_21), if I am some time between 20:00 and 20:59. Any client connecting now would be added to the active whitelist and to the whitelist for next hour (or a given period). Then at each full hour (or given period) a cronjob - e.g. at 21:00 in the above case - swaps the existing whitelist for the whitelist_21 one and disposes of the (now renamed) whitelist. E.g.:

ipset swap whitelist whitelist_21
ipset destroy whitelist_21
0xC0000022L

1 Answer

4

Turns out the man page describes what I was looking for. It's aptly called timeout and can be specified when adding entries to an IP set. I missed it due to a search for the wrong terms.

A default timeout value can be given when creating a set and later for each entry added - if it is desired to override the set default.

Examples from ipset(8):

ipset create test hash:ip timeout 300
ipset add test 192.168.0.1 timeout 60
ipset -exist add test 192.168.0.1 timeout 600
0xC0000022L
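An added example, not code from the question or the answer above, showing the timeout approach end to end: a POSIX shell script that turns successful sshd logins from a log into "ipset -exist add ... timeout" commands, so each whitelisted client ages out on its own and a repeat login refreshes its timer instead of needing the hourly swap. The set name, the timeout values and the log lines are assumptions and constructed sample data.

```shell
#!/bin/sh
# Added example, not code from the original question or answer: turn successful
# sshd logins into ipset commands that whitelist the client with a timeout, so the
# entry ages out on its own and a repeat login just refreshes the timer (-exist).
# Assumptions: set name, timeouts, and the sshd "Accepted ... from <ip>" format.

SET_NAME="whitelist"     # assumed name of the hash:ip set
DEFAULT_TIMEOUT=3600     # set default, seconds, for entries added without a timeout
REFRESH_TIMEOUT=7200     # per-entry override used for clients that just logged in

# Constructed sample log lines (not real data); the last line is a repeat login
# from 192.0.2.10, which with -exist resets that entry's timer instead of failing.
SAMPLE_LOG='Jan 10 20:12:01 host sshd[123]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2
Jan 10 20:13:44 host sshd[124]: Failed password for root from 198.51.100.7 port 40000 ssh2
Jan 10 20:15:09 host sshd[125]: Accepted password for bob from 192.0.2.11 port 51235 ssh2
Jan 10 20:16:00 host sshd[126]: Accepted publickey for alice from 192.0.2.10 port 51240 ssh2'

# Command that creates the set with its default timeout; -exist keeps it idempotent.
create_set_cmd() {
    printf 'ipset -exist create %s hash:ip timeout %s\n' "$SET_NAME" "$DEFAULT_TIMEOUT"
}

# Read log lines on stdin and emit one "ipset -exist add" per successful login.
# Only plain IPv4 addresses are accepted, since hash:ip defaults to the inet family.
whitelist_cmds_from_log() {
    awk -v set="$SET_NAME" -v t="$REFRESH_TIMEOUT" '
        / sshd\[[0-9]+\]: Accepted / {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/)
                printf "ipset -exist add %s %s timeout %s\n", set, ip, t
        }'
}

# "apply" pipes the commands into sh (needs root and ipset); anything else prints them.
run_whitelist() {
    { create_set_cmd; printf '%s\n' "$SAMPLE_LOG" | whitelist_cmds_from_log; } |
        if [ "$1" = "apply" ]; then sh; else cat; fi
}

run_whitelist "${1:-print}"
```

In production the log would be tailed (or the commands issued from a PAM or sshd hook) rather than read from a fixed string; the failed login in the sample is deliberately ignored so only authenticated clients enter the set.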