[Bug 1431] flush set doesn't work as expected in script
bugzilla-daemon at netfilter.org
Tue Jul 14 01:27:43 CEST 2020
https://bugzilla.netfilter.org/show_bug.cgi?id=1431
Timo Sigurdsson <public_timo.s at silentcreek.de> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |public_timo.s at silentcreek.de
--- Comment #1 from Timo Sigurdsson <public_timo.s at silentcreek.de> ---
I can confirm this is an issue. And it's actually more than just a usability
issue, it is a bug because it breaks atomicity when trying to update/reload a
set.
My test case is very simple. Assume the following set:
    `nft add set inet filter testset { type ipv4_addr; flags interval; }'
Now create a script file a.nft with the following content:
    flush set inet filter testset
    add element inet filter testset { 192.168.0.0/16 }
Load the file with `nft -f a.nft' and it will work just fine.
Now create a second script file b.nft with the following content:
    flush set inet filter testset
    add element inet filter testset { 192.168.0.0/16, 172.16.0.0/12 }
Load the new file with `nft -f b.nft' and it will also just be fine.
But now take this example c.nft:
    flush set inet filter testset
    add element inet filter testset { 192.168.0.0/24, 172.16.0.0/12 }
Trying to run `nft -f c.nft' will result in the error:
    Interval overlaps with an existing one
Summing up: While you can reload an existing set if it's unchanged, or with
added or removed elements, you cannot reload a set where the extent of an
interval is changed!
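Added example, not part of the original message and not nftables code: a pre-flight check that models the behaviour as reported in the comment above, flagging a script whose intervals overlap an already loaded interval without matching it exactly. The function names are hypothetical, the inputs are constructed from a.nft, b.nft and c.nft, and only CIDR prefixes and single addresses are parsed (assumption: no `a-b` ranges).

```python
import ipaddress


def parse_elements(line):
    """Parse the brace list of an 'add element' line into network objects.

    Assumption: elements are CIDR prefixes or single addresses only.
    """
    inner = line[line.index("{") + 1 : line.rindex("}")]
    return [ipaddress.ip_network(p.strip()) for p in inner.split(",") if p.strip()]


def changed_extents(loaded, incoming):
    """Return (new, old) pairs where a new interval overlaps a loaded one
    without being identical, i.e. the extent of an interval changed.

    Per the comment, this is the case that fails with
    'Interval overlaps with an existing one' despite the preceding flush.
    """
    return [(n, o) for n in incoming for o in loaded if n != o and n.overlaps(o)]


def safe_to_reload(loaded_line, script_line):
    """True if the reload only keeps, adds or removes whole intervals."""
    return not changed_extents(parse_elements(loaded_line),
                               parse_elements(script_line))


# Constructed inputs mirroring the 'add element' lines of a.nft, b.nft, c.nft.
A = "add element inet filter testset { 192.168.0.0/16 }"
B = "add element inet filter testset { 192.168.0.0/16, 172.16.0.0/12 }"
C = "add element inet filter testset { 192.168.0.0/24, 172.16.0.0/12 }"

if __name__ == "__main__":
    # Each step: (script being loaded, elements currently in the set, new elements)
    for name, loaded, new in (("b.nft", A, B), ("c.nft", B, C)):
        hits = changed_extents(parse_elements(loaded), parse_elements(new))
        if hits:
            for n, o in hits:
                print(f"{name}: {n} changes the extent of loaded interval {o}")
        else:
            print(f"{name}: no interval extent changes")
```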