bugzilla-daemon at netfilter.org
2017-Aug-22 22:48 UTC
[Bug 1174] New: 'define' functionality not sufficient for maintaining sets and the like
https://bugzilla.netfilter.org/show_bug.cgi?id=1174
Bug ID: 1174
Summary: 'define' functionality not sufficient for
maintaining
sets and the like
Product: nftables
Version: unspecified
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: netfilter at allycomm.com
Objective -- define in a single location a list of ports to be used in
initializing sets and in rules
Result -- no "obvious" way to do this
Expected -- define would either be a straight textual substitution, or would be
able to accept a notation appropriate for defining sets, maps, and the like
that need to be consistent across multiple uses in rule sets
The following fail, in various ways when trying to use
elements = { $some_ports }
* define some_ports = { 80, 443 }
* define some_ports = 80, 443
* define some_ports = http, https
* define some_ports = 80
* define some_ports = "{ 80, 443 }"
fails when trying to use
elements = $some_ports
* define no_ports = { }
fails, as does directly using
* elements = { }
Agreed, can omit the elements declaration, but important:
* To clearly indicate that the intended initial condition is empty
* For automated script-generation tools which would otherwise need to test for
and branch if there were no elements
Typical context:
table ip global {
set forwarded_ports {
type inet_service
elements = { 80, 443 }
}
set some_ports_set {
type inet_service
elements = { $some_ports }
}
set no_forwarded_ports {
type inet_service
# elements = { } # fails
}
}
--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20170822/dce2a5d8/attachment-0001.html>
bugzilla-daemon at netfilter.org
2017-Aug-22 23:17 UTC
[Bug 1174] 'define' functionality not sufficient for maintaining sets and the like
https://bugzilla.netfilter.org/show_bug.cgi?id=1174
Jeff Kletsky <netfilter at allycomm.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |INVALID
Status|NEW |RESOLVED
--- Comment #1 from Jeff Kletsky <netfilter at allycomm.com> ---
On re-testing this in a different context, the following appear to work:
Works:
=====
define some_ports = { 80, 443 }
table ip global {
set some_ports_set {
type inet_service
elements = $some_ports
}
}
Works:
=====
define some_ports = { 80, 443 }
table ip global {
set some_ports_set {
type inet_service
elements = { $some_ports }
}
}
--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20170822/a618d9a8/attachment.html>
bugzilla-daemon at netfilter.org
2017-Aug-22 23:19 UTC
[Bug 1174] 'define' functionality not sufficient for maintaining sets and the like
https://bugzilla.netfilter.org/show_bug.cgi?id=1174 --- Comment #2 from Jeff Kletsky <netfilter at allycomm.com> --- Note that the "empty set" issue is not resolved, but much less annoying -- You are receiving this mail because: You are watching all bug changes. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20170822/5dbce3bc/attachment.html>
Maybe Matching Threads
- [Bug 1176] New: Invalid identifiers produce unhelpful error messages
- [Bug 1175] New: Document limitations on identifier names
- [Bug 1216] New: Error messaging for "interval overlaps with previous one" misidentifies location
- [Bug 1178] New: Provide better error messaging when a rule can't be executed in its context
- [Bug 1188] New: nft fails to parse own output; unable to save-restore active state