[Bug 1249] New: set update with timeout 0s removes timeout

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Fri Apr 27 16:00:53 CEST 2018 

https://bugzilla.netfilter.org/show_bug.cgi?id=1249

            Bug ID: 1249
           Summary: set update with timeout 0s removes timeout
           Product: nftables
           Version: unspecified
          Hardware: x86_64
                OS: All
            Status: NEW
          Severity: minor
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: sub at ryper.org

When trying to create some rules that essentially remove an IP from a set, I
found that adding a "timeout 0s" simply removes the timeout from the ruleset
when it gets loaded. Therefore, when trying to remove the IP by hitting port
2222, it simply resets the IP to the default timeout of 10m.

Is this a bug and if so could it be fixed? If not, would it be possible to
request a "set delete" feature to be able to remove elements from a set?
(current workaround is to set timeout 1s, but this is not perfect)

-------------------------------------------
#Config file:

table inet filter {
    set test {
        type ipv4_addr
        timeout 10m
    }
    chain input {
        type filter hook input priority 0; policy accept;
        tcp dport 1111 set add ip saddr @test
        tcp dport 2222 set update ip saddr timeout 0s @test
        tcp dport 3333 set update ip saddr timeout 40s @test
    }
    ... other chains ...
}
-------------------------------------------
-------------------------------------------
# nft list ruleset -nn

table inet filter {
    set test {
        type ipv4_addr
        timeout 10m
        elements = { 127.0.0.1 expires 4m21s }
    }
    chain input {
        type filter hook input priority 0; policy accept;
        tcp dport 1111 set add ip saddr @test
        tcp dport 2222 set update ip saddr @test
        tcp dport 3333 set update ip saddr timeout 1m40s @test
    }
    ... other chains ...
}
-------------------------------------------

Thanks in advance!

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20180427/581723b9/attachment.html>

More information about the netfilter-buglog mailing list