Hi Pablo,

On Tue, Apr 09, 2019 at 12:59:36PM +0200, Pablo Neira Ayuso wrote:
> Restrict this, the brackets have explicit semantics since they tell the
> kernel to represent this value as a set, which is too costly. Sets for
> one single element are overkill.
>
> # nft add rule x y ct state { established } counter
> Error: anonymous set with single element makes no sense, remove brackets wrapping this value
> add rule x y ct state { established } counter
>                       ^^^^^^^^^^^^^^^
>
> Instead, the preferred way to express this is:
>
> # nft add rule x y ct state established counter
>
> Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
> ---
> I know this may break stuff out there, but probably it's still early to
> fix this. If we keep allowing this and transparently turn this into a
> value, people will likely never understand the bracket semantics.
> Brackets are not just syntactic sugar.

Your point makes sense: understanding that within a rule curly braces are
not a block delimiter but a set definition is key to getting along with nft
syntax.

OTOH I like how we radically optimize anonymous sets. This allows one to
have rather "dumb" scripts and get by without a performance penalty.

Could we maybe find a middle ground where nft still does these optimizations
but prints warnings so users are notified? We might even introduce a -W flag
to customize behaviour (-W all (default), -W error (strict mode), -W none
(suppress any non-fatal output on stderr)).

Just an idea, not sure if feasible.

Cheers, Phil
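The warning mode discussed above, as an added example that is not part of nftables, of Pablo's patch or of Phil's reply: a small POSIX shell linter that scans a file of nft rules for an anonymous set wrapping a single element (the `{ established }` case from the error message) and reports it as a warning instead of rejecting it. The function name, the regex heuristic (a brace pair whose content is one token without commas, nested braces, `;` or `=`, so set and chain definition blocks are not flagged), the warning wording and the sample rules are all constructed for this example.

```shell
#!/bin/sh
# Added example (not nftables code): warn about anonymous sets that hold a
# single element, e.g. "ct state { established }", instead of rejecting them.
# Warnings go to stderr, the number of hits goes to stdout, and the exit
# status is non-zero when anything was flagged (a stand-in for "-W error").

lint_single_element_sets() {
    file="$1"        # path to a file containing nft rule lines
    hits=0
    lineno=0
    # Regex (assumption, not nft's grammar): "{", optional blanks, exactly one
    # token that contains no ',', '{', '}', ';', '=' or blanks, optional blanks, "}".
    pattern='\{[[:space:]]*[^,{};=[:space:]]+[[:space:]]*\}'
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        if printf '%s\n' "$line" | grep -Eq "$pattern"; then
            # Pull out the lone element so the warning can name it.
            elem=$(printf '%s\n' "$line" | sed -E "s/.*\{[[:space:]]*([^,{};=[:space:]]+)[[:space:]]*\}.*/\1/")
            printf 'warning: line %d: anonymous set with single element "%s"; write it as a plain value instead\n' \
                "$lineno" "$elem" >&2
            hits=$((hits + 1))
        fi
    done < "$file"
    echo "$hits"
    [ "$hits" -eq 0 ]
}

# Constructed sample ruleset: lines 1 and 3 should be flagged, 2 and 4 should not.
make_sample_rules() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
add rule inet filter input ct state { established } counter
add rule inet filter input ct state { established, related } accept
add rule inet filter input tcp dport { 22 } accept
add rule inet filter input tcp dport 22 accept
EOF
    echo "$f"
}

# Demo run; "|| :" keeps the script going even though the linter exits non-zero.
sample=$(make_sample_rules)
lint_single_element_sets "$sample" || :
rm -f "$sample"
```

Run it as `sh lint.sh`; on the constructed sample it prints two warnings to stderr and `2` to stdout. Definition blocks such as `chain input { type filter hook input priority 0; }` are left alone because their brace content contains blanks and a `;`, which the pattern excludes.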