bugzilla-daemon at netfilter.org
2023-Nov-13 15:33 UTC
[Bug 1725] New: Updating and destroying set elements
https://bugzilla.netfilter.org/show_bug.cgi?id=1725

            Bug ID: 1725
           Summary: Updating and destroying set elements
           Product: nftables
           Version: 1.0.x
          Hardware: All
                OS: other
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: xnoreq at gmail.com

nftables 1.0.9
Archlinux 6.5.9-arch2-1

Currently, it does not seem to be possible to update elements for a set
defined like this:

    table ip raw {
        set BLACKLIST {
            type ipv4_addr
            size 1024
            timeout 30d
        }
    }

with something like:

    nft update element ip raw BLACKLIST '{ a.b.c.d timeout 10s }'

Instead, a hack like this is required:

    nft add element ip raw BLACKLIST '{ a.b.c.d }'
    nft delete element ip raw BLACKLIST '{ a.b.c.d }'
    nft add element ip raw BLACKLIST '{ a.b.c.d timeout 10s }'

The delete is required such that the add can set the updated timeout.
The first add is necessary to prevent delete from failing in case the
element did not exist before.

Can we have an update command please? That would make this a lot easier.

Also, there seems to be a "destroy" for entire sets. Imo, it would also make
sense to have the same for set elements, like so:

    nft destroy element ip raw BLACKLIST '{ a.b.c.d }'

Interestingly, in chapter SETS the man page specifies

    {add | delete | destroy} element

but this fails if the element does not exist:

    nft destroy element ip raw BLACKLIST '{ a.b.c.d }'
    Error: Could not process rule: No such file or directory
    destroy element ip raw BLACKLIST { a.b.c.d }
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

In the chapter elements the man page specifies

    {add | create | delete | destroy | get | reset } element

but does not describe most of these operations.

--
You are receiving this mail because:
You are watching all bug changes.
bugzilla-daemon at netfilter.org
2023-Nov-13 19:48 UTC
[Bug 1725] Updating and destroying set elements
https://bugzilla.netfilter.org/show_bug.cgi?id=1725

--- Comment #1 from Pablo Neira Ayuso <pablo at netfilter.org> ---
(In reply to xnoreq from comment #0)
> nftables 1.0.9
> Archlinux 6.5.9-arch2-1
>
> Currently, it does not seem to be possible to update elements for a set
> defined like this:
> table ip raw {
>     set BLACKLIST {
>         type ipv4_addr
>         size 1024
>         timeout 30d
>     }
> }
>
> with something like:
> nft update element ip raw BLACKLIST '{ a.b.c.d timeout 10s }'
>
> Instead, a hack like this is required:
> nft add element ip raw BLACKLIST '{ a.b.c.d }'
> nft delete element ip raw BLACKLIST '{ a.b.c.d }'
> nft add element ip raw BLACKLIST '{ a.b.c.d timeout 10s }'
>
> The delete is required such that the add can set the updated timeout.
> The first add is necessary to prevent delete from failing in case the
> element did not exist before.
>
> Can we have an update command please? That would make this a lot easier.

Some patches are already floating on the mailing list to allow for timeout updates.

> Also, there seems to be a "destroy" for entire sets. Imo, it would also make
> sense to have the same for set elements, like so:
> nft destroy element ip raw BLACKLIST '{ a.b.c.d }'
>
>
> Interestingly, in chapter SETS the man page specifies
> {add | delete | destroy} element
> but this fails if the element does not exist:
> nft destroy element ip raw BLACKLIST '{ a.b.c.d }'
> Error: Could not process rule: No such file or directory
> destroy element ip raw BLACKLIST { a.b.c.d }
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> In the chapter elements the man page specifies
> {add | create | delete | destroy | get | reset } element
> but does not describe most of these operations.

This is a kernel bug:
https://patchwork.ozlabs.org/project/netfilter-devel/patch/20231113194720.123421-1-pablo at netfilter.org/
bugzilla-daemon at netfilter.org
2023-Nov-14 17:49 UTC
[Bug 1725] Updating and destroying set elements
https://bugzilla.netfilter.org/show_bug.cgi?id=1725

Eric Fahlgren <evil.function at proton.me> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |evil.function at proton.me

--- Comment #2 from Eric Fahlgren <evil.function at proton.me> ---
Is your 'update' command implemented by this?

https://bugzilla.netfilter.org/show_bug.cgi?id=1689#c2
bugzilla-daemon at netfilter.org
2023-Nov-14 18:53 UTC
[Bug 1725] Updating and destroying set elements
https://bugzilla.netfilter.org/show_bug.cgi?id=1725

--- Comment #3 from Pablo Neira Ayuso <pablo at netfilter.org> ---
(In reply to Eric Fahlgren from comment #2)
> Is your 'update' command implemented by this?
>
> https://bugzilla.netfilter.org/show_bug.cgi?id=1689#c2

No. It allows for things like this:

    nft add element ip raw BLACKLIST '{ a.b.c.d timeout 60s }'
    ... after 10s, update it ...
    nft add element ip raw BLACKLIST '{ a.b.c.d timeout 380s }'

so you can either extend or shrink a timeout.
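An added illustration of the workaround in comment #0 and of the re-add behaviour described in comment #3 (this is not code from the reporter or from the nftables project): the helper consults a constructed `nft -j list set` dump to decide whether the delete step is needed before re-adding with a new timeout. The JSON element shape and the `kernel_updates_timeout` switch are assumptions.

```python
import json
import subprocess

# Constructed stand-in for `nft -j list set ip raw BLACKLIST` output. Assumed
# shape: elements carrying a timeout are {"elem": {"val", "timeout", "expires"}}
# with times in seconds, while elements without a timeout are plain strings.
SAMPLE_LISTING = json.dumps({"nftables": [
    {"metainfo": {"version": "1.0.9", "json_schema_version": 1}},
    {"set": {"family": "ip", "table": "raw", "name": "BLACKLIST",
             "type": "ipv4_addr", "size": 1024, "timeout": 2592000,
             "elem": [
                 {"elem": {"val": "192.0.2.10", "timeout": 2592000, "expires": 2591000}},
                 {"elem": {"val": "192.0.2.11", "timeout": 60, "expires": 5}},
             ]}},
]})


def listed_elements(listing_json):
    """Map each element value to its remaining seconds (None if untimed)."""
    remaining = {}
    for obj in json.loads(listing_json)["nftables"]:
        for raw in obj.get("set", {}).get("elem", []):
            if isinstance(raw, dict):
                remaining[raw["elem"]["val"]] = raw["elem"].get("expires")
            else:
                remaining[raw] = None
    return remaining


def update_commands(listing_json, addr, timeout, kernel_updates_timeout=False,
                    family="ip", table="raw", set_name="BLACKLIST"):
    """Build the nft command(s) that give `addr` a fresh `timeout`.

    With a kernel that updates the timeout on re-add (comment #3) one add is
    enough. Otherwise an existing element has to be deleted first; checking
    the listing replaces the reporter's dummy add, whose only purpose was to
    keep the delete from failing when the element was absent.
    """
    target = f"element {family} {table} {set_name}"
    cmds = []
    if not kernel_updates_timeout and addr in listed_elements(listing_json):
        cmds.append(f"delete {target} {{ {addr} }}")
    cmds.append(f"add {target} {{ {addr} timeout {timeout} }}")
    return cmds


def apply_commands(cmds):
    """Run each command as its own nft invocation (needs root and nft installed)."""
    for cmd in cmds:
        subprocess.run(["nft", *cmd.split()], check=True)
```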
bugzilla-daemon at netfilter.org
2024-Sep-10 22:14 UTC
[Bug 1725] Updating and destroying set elements
https://bugzilla.netfilter.org/show_bug.cgi?id=1725

Pablo Neira Ayuso <pablo at netfilter.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #4 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Support for set element timeout updates is expected for 6.12-rc:

https://marc.info/?l=netfilter-devel&m=172557888705500&w=2