[Bug 1431] flush set doesn't work as expected in script

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Tue Jul 14 10:16:04 CEST 2020


https://bugzilla.netfilter.org/show_bug.cgi?id=1431

--- Comment #4 from Timo Sigurdsson <public_timo.s at silentcreek.de> ---
(In reply to James Zeng from comment #3)
> My previous comment about the alternative approach to delete set - add set
> is inaccurate, it works in this kind of test but not in real world
> applications, since if the set is referenced by any rule, nft will not allow
> you to delete it.
> 
> The only workaround is flush ruleset and reload all.
> 
> I don't think this breaks atomicity though, since in the failing case, the
> set is left in previous state, not an intermittent state.

Sorry, I should have been clearer on this. What I meant is that you can flush
the set before loading your script file and that will work. You don't have to
delete the set entirely.

So, in your case:
# nft flush set ip potato potato
followed by
# nft -f b.nft
should work just fine, regardless of overlapping intervals.

But that obviously breaks atomicity, because for a short moment, your set will
be empty. Another workaround, as you pointed out, is to reload the entire
ruleset which includes the set. That may be an atomic operation but it has
other disadvantages depending on your rules. It will e.g. reset all counters
and other stateful objects such as dynamically populated sets. Depending on
your setup, you may not want that (I have a use case where reloading the entire
ruleset isn't a good option).
