bugzilla-daemon at netfilter.org
2018-Apr-27 14:00 UTC
[Bug 1249] New: set update with timeout 0s removes timeout
https://bugzilla.netfilter.org/show_bug.cgi?id=1249
Bug ID: 1249
Summary: set update with timeout 0s removes timeout
Product: nftables
Version: unspecified
Hardware: x86_64
OS: All
Status: NEW
Severity: minor
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: sub at ryper.org
When trying to create some rules that essentially remove an IP from a set, I
found that adding a "timeout 0s" simply removes the timeout from the ruleset
when it gets loaded. Therefore, when trying to remove the IP by hitting port
2222, it simply resets the IP to the default timeout of 10m.
Is this a bug and if so could it be fixed? If not, would it be possible to
request a "set delete" feature to be able to remove elements from a set?
(current workaround is to set timeout 1s, but this is not perfect)
-------------------------------------------
#Config file:
table inet filter {
        set test {
                type ipv4_addr
                timeout 10m
        }
        chain input {
                type filter hook input priority 0; policy accept;
                tcp dport 1111 set add ip saddr @test
                tcp dport 2222 set update ip saddr timeout 0s @test
                tcp dport 3333 set update ip saddr timeout 40s @test
        }
        ... other chains ...
}
-------------------------------------------
-------------------------------------------
# nft list ruleset -nn
table inet filter {
        set test {
                type ipv4_addr
                timeout 10m
                elements = { 127.0.0.1 expires 4m21s }
        }
        chain input {
                type filter hook input priority 0; policy accept;
                tcp dport 1111 set add ip saddr @test
                tcp dport 2222 set update ip saddr @test
                tcp dport 3333 set update ip saddr timeout 1m40s @test
        }
        ... other chains ...
}
-------------------------------------------
Thanks in advance!
--
You are receiving this mail because:
You are watching all bug changes.
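
A round-trip check for the behaviour reported above, as an added example that is not part of the original report or of nftables: it parses the `set add` / `set update` statements from the ruleset as written and as echoed by `nft list ruleset -nn`, both copied from the report, and returns every rule whose timeout differs. The function names and the simplified one-statement-per-line grammar are assumptions of this example.

```python
import re

# Rules as written in the reporter's config file (copied from the report).
WRITTEN = """\
tcp dport 1111 set add ip saddr @test
tcp dport 2222 set update ip saddr timeout 0s @test
tcp dport 3333 set update ip saddr timeout 40s @test
"""
# The same rules as echoed by `nft list ruleset -nn` (copied from the report).
LISTED = """\
tcp dport 1111 set add ip saddr @test
tcp dport 2222 set update ip saddr @test
tcp dport 3333 set update ip saddr timeout 1m40s @test
"""

UNITS = {"d": 86400, "h": 3600, "m": 60, "s": 1}
# Simplified grammar (assumption): <match> set add|update <key> [timeout X] @<set>
RULE = re.compile(r"^(?P<match>.*?)\s+set\s+(?P<op>add|update)\s+(?P<key>.*?)"
                  r"(?:\s+timeout\s+(?P<timeout>\S+))?\s+@(?P<set>\S+)$")

def seconds(duration):
    """Convert an nft duration such as '1m40s' to seconds; None stays None."""
    if duration is None:
        return None
    parts = re.findall(r"(\d+)([dhms])", duration)
    if not parts or "".join(n + u for n, u in parts) != duration:
        raise ValueError(f"unparsed duration: {duration!r}")
    return sum(int(n) * UNITS[u] for n, u in parts)

def set_statements(text):
    """Map (match, op, key, set) -> explicit timeout in seconds, or None."""
    found = {}
    for line in text.splitlines():
        m = RULE.match(line.strip())
        if m:
            found[(m["match"], m["op"], m["key"], m["set"])] = seconds(m["timeout"])
    return found

def roundtrip_drift(written, listed):
    """Return (rule, written_timeout, listed_timeout) for every mismatch."""
    want, got = set_statements(written), set_statements(listed)
    return [(rule, want[rule], got.get(rule, "missing"))
            for rule in sorted(want) if want[rule] != got.get(rule, "missing")]

if __name__ == "__main__":
    for (match, op, key, name), w, g in roundtrip_drift(WRITTEN, LISTED):
        print(f"{match}: set {op} @{name} timeout written={w}s listed={g}")
```

A written timeout of `0` against a listed timeout of `None` is the case this bug describes: the explicit `timeout 0s` is gone from the loaded rule, so the set's default applies.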
bugzilla-daemon at netfilter.org
2018-Apr-27 14:38 UTC
[Bug 1249] set update with timeout 0s removes timeout
https://bugzilla.netfilter.org/show_bug.cgi?id=1249
rypervenche <sub at ryper.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Severity|minor |normal
bugzilla-daemon at netfilter.org
2020-Jan-28 22:55 UTC
[Bug 1249] set update with timeout 0s removes timeout
https://bugzilla.netfilter.org/show_bug.cgi?id=1249
kfm at plushkava.net changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |kfm at plushkava.net
bugzilla-daemon at netfilter.org
2020-Jul-22 15:40 UTC
[Bug 1249] set update with timeout 0s removes timeout
https://bugzilla.netfilter.org/show_bug.cgi?id=1249
--- Comment #1 from Pablo Neira Ayuso <pablo at netfilter.org> ---
I think this is what you're requesting, it's available upstream since 0.9.3
commit a87f2a2227be29cc1e91f3301cec963f02aa5178
Author: Ander Juaristi <a at juaristi.eus>
Date:   Tue Jul 9 20:03:52 2019 +0200
    netfilter: support for element deletion
    This patch implements element deletion from ruleset.
    Example:
        table ip set-test {
                set testset {
                        type ipv4_addr;
                        flags timeout;
                }
                chain outputchain {
                        policy accept;
                        type filter hook output priority filter;
                        delete @testset { ip saddr }
                }
        }
bugzilla-daemon at netfilter.org
2020-Jul-22 15:41 UTC
[Bug 1249] set update with timeout 0s removes timeout
https://bugzilla.netfilter.org/show_bug.cgi?id=1249
--- Comment #2 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Requires Linux kernel >= 5.4
bugzilla-daemon at netfilter.org
2020-Jul-29 22:09 UTC
[Bug 1249] set update with timeout 0s removes timeout
https://bugzilla.netfilter.org/show_bug.cgi?id=1249
Pablo Neira Ayuso <pablo at netfilter.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|NEW |RESOLVED
--- Comment #3 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Closing, thanks for reporting.