[Bug 1725] Updating and destroying set elements
bugzilla-daemon at netfilter.org
Mon Nov 13 20:48:29 CET 2023
https://bugzilla.netfilter.org/show_bug.cgi?id=1725
--- Comment #1 from Pablo Neira Ayuso <pablo at netfilter.org> ---
(In reply to xnoreq from comment #0)
> nftables 1.0.9
> Archlinux 6.5.9-arch2-1
>
> Currently, it does not seem to be possible to update elements for a set
> defined like this:
> table ip raw {
>     set BLACKLIST {
>         type ipv4_addr
>         size 1024
>         timeout 30d
>     }
> }
>
> with something like:
> nft update element ip raw BLACKLIST '{ a.b.c.d timeout 10s }'
>
> Instead, a hack like this is required:
> nft add element ip raw BLACKLIST '{ a.b.c.d }'
> nft delete element ip raw BLACKLIST '{ a.b.c.d }'
> nft add element ip raw BLACKLIST '{ a.b.c.d timeout 10s }'
>
> The delete is required such that the add can set the updated timeout.
> The first add is necessary to prevent delete from failing in case the
> element did not exist before.
>
> Can we have an update command please? That would make this a lot easier.
Some patches are already floating on the mailing list to allow for timeout
updates.
> Also, there seems to be a "destroy" for entire sets. Imo, it would also make
> sense to have the same for set elements, like so:
> nft destroy element ip raw BLACKLIST '{ a.b.c.d }'
>
>
> Interestingly, in chapter SETS the man page specifies
> {add | delete | destroy} element
> but this fails if the element does not exist:
> nft destroy element ip raw BLACKLIST '{ a.b.c.d }'
> Error: Could not process rule: No such file or directory
> destroy element ip raw BLACKLIST { a.b.c.d }
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> In the chapter elements the man page specifies
> {add | create | delete | destroy | get | reset } element
> but does not describe most of these operations.
This is a kernel bug:
https://patchwork.ozlabs.org/project/netfilter-devel/patch/20231113194720.123421-1-pablo@netfilter.org/
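Added example, not from the bug report or from nftables: a small POSIX sh wrapper around the add/delete/add workaround quoted above. Its point is input validation, because the address and timeout are spliced into an nft set expression string; the `NFT` variable and the function names are assumptions of this example (set `NFT=true` to dry-run without root).

```shell
#!/bin/sh
# Constructed wrapper around the add/delete/add workaround quoted above.
# The address and timeout are spliced into an nft expression string, so a
# value taken from a log feed or web form is validated before it is used.
# NFT (assumed name) selects the nft binary; NFT=true dry-runs without root.
NFT="${NFT:-nft}"
NL='
'

# Return 0 only if $1 is a single line; grep -q would otherwise match the
# first line of a multi-line value and let the rest through.
one_line() {
    case $1 in *"$NL"*) return 1 ;; esac
    return 0
}

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    one_line "$1" && printf '%s\n' "$1" | grep -Eq \
        '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])$'
}

# Return 0 if $1 is an nft time value such as 10s, 30d or 1h30m.
is_timeout() {
    one_line "$1" && printf '%s\n' "$1" | grep -Eq '^([0-9]+[dhms])+$'
}

# refresh_element TABLE SET ADDR TIMEOUT
# Re-adds ADDR with a fresh TIMEOUT using the sequence from the report: the
# first add makes the delete idempotent, the delete lets the final add set
# the new timeout. Each nft call is its own transaction, so the element is
# briefly absent between the delete and the last add.
refresh_element() {
    table=$1 setname=$2 addr=$3 tmo=$4
    is_ipv4 "$addr" || { echo "refresh_element: bad address: $addr" >&2; return 1; }
    is_timeout "$tmo" || { echo "refresh_element: bad timeout: $tmo" >&2; return 1; }
    "$NFT" add element ip "$table" "$setname" "{ $addr }" || return 1
    "$NFT" delete element ip "$table" "$setname" "{ $addr }" || return 1
    "$NFT" add element ip "$table" "$setname" "{ $addr timeout $tmo }"
}
```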