netfilter buglog - Aug 2017 - [Bug 1180] New: Can't create a set with both timeout and interval flags at the same time

https://bugzilla.netfilter.org/show_bug.cgi?id=1180

            Bug ID: 1180
           Summary: Can't create a set with both timeout and interval
                    flags at the same time
           Product: nftables
           Version: unspecified
          Hardware: x86_64
                OS: Debian GNU/Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: flnf at prout.be

root at ns:~# nft add set inet filter spamhaus_DROP { type ipv4_addr \; flags
interval \; size 65535 \;}
root at ns:~# nft delete set inet filter spamhaus_DROP 
root at ns:~# nft add set inet filter spamhaus_DROP { type ipv4_addr \; flags
interval, timeout \; size 65535 \;}
<cmdline>:1:1-93: Error: Could not process rule: Operation not supported
add set inet filter spamhaus_DROP { type ipv4_addr ; flags interval, timeout ;
size 65535 ;}
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
root at ns:~# nft add set inet filter spamhaus_DROP { type ipv4_addr \; flags 
timeout \; size 65535 \;}
root at ns:~#

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20170826/f0008e8e/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1180

Karel Rericha <karel at unitednetworks.cz> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |karel at unitednetworks.cz

--- Comment #1 from Karel Rericha <karel at unitednetworks.cz> ---
I would say this is intended (and bad, inconsistent) behaviour, elements in set
with flag interval are concatenated if possible (e.g. consequent addresses)
when added in one command, but you cant concatenate them if they have different
timeouts.

Implicit concatenating of elements in sets with flag interval is maybe good for
performance, but bad in many ways. Gonna file a bug for that.

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20170921/57018049/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1180

kfm at plushkava.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kfm at plushkava.net

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20200128/a94c127d/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1180

kfm at plushkava.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           See Also|                            |https://bugzilla.netfilter.
                   |                            |org/show_bug.cgi?id=1454

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20200827/be31f595/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1180

kfm at plushkava.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |1461

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20200829/e322d0da/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1180

Pablo Neira Ayuso <pablo at netfilter.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #2 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Timeout support for interval sets is supported since:

commit 8d8540c4f5e03d847c004e71d6a577bf4f8c78cd
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Wed May 16 22:58:34 2018 +0200

    netfilter: nft_set_rbtree: add timeout support

Looking at the bug report, looks like that this was not supported at the time
of the report.

Support for timeout and interval sets is available since Linux kernel >= 4.18

Closing.

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20200829/f35411d2/attachment.html>