[Bug 1725] New: Updating and destroying set elements

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Mon Nov 13 16:33:12 CET 2023


https://bugzilla.netfilter.org/show_bug.cgi?id=1725

            Bug ID: 1725
           Summary: Updating and destroying set elements
           Product: nftables
           Version: 1.0.x
          Hardware: All
                OS: other
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: xnoreq at gmail.com

nftables 1.0.9
Archlinux 6.5.9-arch2-1

Currently, it does not seem to be possible to update elements for a set defined
like this:
    table ip raw {
        set BLACKLIST {
            type ipv4_addr
            size 1024
            timeout 30d
        }
    }

with something like:
    nft update element ip raw BLACKLIST '{ a.b.c.d timeout 10s }'

Instead, a hack like this is required:
    nft add element ip raw BLACKLIST '{ a.b.c.d }'
    nft delete element ip raw BLACKLIST '{ a.b.c.d }'
    nft add element ip raw BLACKLIST '{ a.b.c.d timeout 10s }'

The delete is required such that the add can set the updated timeout.
The first add is necessary to prevent delete from failing in case the element
did not exist before.

Can we have an update command please? That would make this a lot easier.


Also, there seems to be a "destroy" for entire sets. Imo, it would also make
sense to have the same for set elements, like so:
    nft destroy element ip raw BLACKLIST '{ a.b.c.d }'


Interestingly, in chapter SETS the man page specifies
    {add | delete | destroy} element
but this fails if the element does not exist:
    nft destroy element ip raw BLACKLIST '{ a.b.c.d }'
    Error: Could not process rule: No such file or directory
    destroy element ip raw BLACKLIST { a.b.c.d }
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

In the chapter elements the man page specifies
    {add | create | delete | destroy | get | reset } element
but does not describe most of these operations.
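The add / delete / add sequence above, wrapped into a small POSIX sh helper so it can be reviewed before it is run. This is an added example, not code from the reporter or from the nftables project: the function name nft_set_element_timeout, the NFT and DRY_RUN variables and the timeout check are assumptions of this example, and 192.0.2.1 is a constructed documentation address standing in for a.b.c.d.

```shell
#!/bin/sh
# Hypothetical helper (not part of nftables): change the timeout of one
# element in an existing set with the add / delete / add workaround.
# NFT selects the binary (default: nft). DRY_RUN=1 prints each command
# instead of executing it, so the sequence can be checked before it
# touches the live ruleset.

NFT="${NFT:-nft}"

# run_nft: print or execute one nft command line, depending on DRY_RUN.
run_nft() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s %s\n' "$NFT" "$*"
    else
        "$NFT" "$@"
    fi
}

# valid_timeout: accept only the nft duration forms used in the report
# (digits followed by d/h/m/s units, e.g. 30d, 10s, 1h30m); reject anything
# else so a malformed value never reaches the ruleset.
valid_timeout() {
    case "$1" in
        "") return 1 ;;
        *[!0-9dhms]*) return 1 ;;
        [0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# nft_set_element_timeout FAMILY TABLE SET ELEMENT TIMEOUT
# e.g. nft_set_element_timeout ip raw BLACKLIST 192.0.2.1 10s
nft_set_element_timeout() {
    family=$1 table=$2 setname=$3 elem=$4 timeout=$5
    if ! valid_timeout "$timeout"; then
        echo "nft_set_element_timeout: bad timeout '$timeout'" >&2
        return 2
    fi
    # 1. add first so the delete below cannot fail on a missing element
    run_nft add element "$family" "$table" "$setname" "{ $elem }" || return 1
    # 2. delete so the re-add is allowed to carry the new timeout
    run_nft delete element "$family" "$table" "$setname" "{ $elem }" || return 1
    # 3. re-add with the wanted timeout
    run_nft add element "$family" "$table" "$setname" "{ $elem timeout $timeout }" || return 1
}
```

Because the three steps are three separate nft invocations, each one is its own transaction: between the delete and the final add the element is briefly absent from the set, so traffic matched against a blacklist like the one in the report can slip through during that window, which is one more reason a single update command would be preferable to the workaround.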
