bugzilla-daemon at netfilter.org
2017-Aug-22 22:48 UTC
[Bug 1174] New: 'define' functionality not sufficient for maintaining sets and the like
https://bugzilla.netfilter.org/show_bug.cgi?id=1174

    Bug ID:    1174
    Summary:   'define' functionality not sufficient for maintaining sets and the like
    Product:   nftables
    Version:   unspecified
    Hardware:  All
    OS:        All
    Status:    NEW
    Severity:  enhancement
    Priority:  P5
    Component: nft
    Assignee:  pablo at netfilter.org
    Reporter:  netfilter at allycomm.com

Objective -- define in a single location a list of ports to be used in initializing sets and in rules

Result -- no "obvious" way to do this

Expected -- define would either be a straight textual substitution, or would be able to accept a notation appropriate for defining sets, maps, and the like that need to be consistent across multiple uses in rule sets

The following fail, in various ways when trying to use

    elements = { $some_ports }

* define some_ports = { 80, 443 }
* define some_ports = 80, 443
* define some_ports = http, https
* define some_ports = 80

* define some_ports = "{ 80, 443 }"

fails when trying to use

    elements = $some_ports

* define no_ports = { }

fails, as does directly using

* elements = { }

Agreed, can omit the elements declaration, but important:

* To clearly indicate that the intended initial condition is empty
* For automated script-generation tools which would otherwise need to test for and branch if there were no elements

Typical context:

    table ip global {

        set forwarded_ports {
            type inet_service
            elements = { 80, 443 }
        }

        set some_ports_set {
            type inet_service
            elements = { $some_ports }
        }

        set no_forwarded_ports {
            type inet_service
            # elements = { } # fails
        }
    }
bugzilla-daemon at netfilter.org
2017-Aug-22 23:17 UTC
[Bug 1174] 'define' functionality not sufficient for maintaining sets and the like
https://bugzilla.netfilter.org/show_bug.cgi?id=1174

Jeff Kletsky <netfilter at allycomm.com> changed:

    What       |Removed |Added
    -----------+--------+---------
    Resolution |---     |INVALID
    Status     |NEW     |RESOLVED

--- Comment #1 from Jeff Kletsky <netfilter at allycomm.com> ---

On re-testing this in a different context, the following appear to work:

Works:
=====

    define some_ports = { 80, 443 }

    table ip global {
        set some_ports_set {
            type inet_service
            elements = $some_ports
        }
    }

Works:
=====

    define some_ports = { 80, 443 }

    table ip global {
        set some_ports_set {
            type inet_service
            elements = { $some_ports }
        }
    }
bugzilla-daemon at netfilter.org
2017-Aug-22 23:19 UTC
[Bug 1174] 'define' functionality not sufficient for maintaining sets and the like
https://bugzilla.netfilter.org/show_bug.cgi?id=1174

--- Comment #2 from Jeff Kletsky <netfilter at allycomm.com> ---

Note that the "empty set" issue is not resolved, but much less annoying
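
Added example (not part of the bug report and not nftables project code): one way a script-generation tool of the kind the report mentions could emit these sets from a single port list, using the define form that comment #1 reports as working and leaving out 'elements = { }' when the list is empty. The function names, the identifier pattern and the 1-65535 port range are assumptions made for this example.

```python
import re

# Conservative identifier pattern chosen for this example (an assumption,
# not nft's documented grammar).
_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def _check_name(name):
    if not _NAME.match(name):
        raise ValueError(f"unsafe identifier: {name!r}")
    return name


def _check_ports(ports):
    out = set()
    for p in ports:
        # Accept only integers in 1-65535 (range assumed for this example),
        # so no free text from the caller reaches the generated ruleset.
        if isinstance(p, bool) or not isinstance(p, int) or not 1 <= p <= 65535:
            raise ValueError(f"invalid port: {p!r}")
        out.add(p)
    return sorted(out)


def render_port_set(set_name, ports, define_name=None):
    """Return nft text for one inet_service set inside 'table ip global'."""
    _check_name(set_name)
    ports = _check_ports(ports)
    lines = []
    body = ["type inet_service"]
    if ports:
        literal = "{ " + ", ".join(map(str, ports)) + " }"
        if define_name:
            lines.append(f"define {_check_name(define_name)} = {literal}")
            body.append(f"elements = ${define_name}")
        else:
            body.append(f"elements = {literal}")
    else:
        # 'elements = { }' fails per the report, so record the intent as a comment.
        body.append("# intentionally empty: no initial members")
    lines.append("table ip global {")
    lines.append(f"    set {set_name} {{")
    lines += [f"        {b}" for b in body]
    lines += ["    }", "}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_port_set("some_ports_set", [443, 80], "some_ports"))
    print(render_port_set("no_forwarded_ports", []))
```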