[Bug 1474] New: [sets] improve context checks (against already primed sets)
bugzilla-daemon at netfilter.org
Sun Sep 27 20:11:45 CEST 2020
https://bugzilla.netfilter.org/show_bug.cgi?id=1474
Bug ID: 1474
Summary: [sets] improve context checks (against already primed sets)
Product: nftables
Version: unspecified
Hardware: arm
OS: Debian GNU/Linux
Status: NEW
Severity: normal
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: vtolkm at gmail.com
kernel 5.9.0-rc6 armv7l | nft 0.9.6
_____
There are two config files: one is the main config, and another one is to be
loaded on a certain node condition after the main config is already in play.
Both, however, have rules that refer to the same named set, which is loaded
initially with the main config.
The set in question:
    set t_u {
        type inet_proto
        flags constant
        counter
        size 2
        elements = { 6, 17 }
    }
Trying to prime the secondary conf with nft -f, not flushing the main conf,
produces:
Error: No such file or directory
It seems that NFT is checking only within the context of the secondary conf but
not against the already primed (main) conf.
Copying the named set from main conf to the secondary conf however then
produces a clash with the already primed (main) conf:
Error: Could not process rule: Resource busy
It would make sense that NFT checks not only within the context of the conf
file but also against a conf that is already primed.
The way it is now one has to generate a (redundant) set named differently to
get it working with the secondary conf.