On 2019-10-22, at 09:41:56 +0200, Pablo Neira Ayuso wrote:
> On Mon, Oct 21, 2019 at 10:49:20PM +0100, Jeremy Sowden wrote:
> > From https://bugzilla.netfilter.org/show_bug.cgi?id=1374:
> >
> >   Listing an entire ruleset or a table with 'nft list ...' will also
> >   print all elements of all set definitions within the ruleset or
> >   requested table.  Seeing the full set contents is not often
> >   necessary especially when requesting to see someone's ruleset for
> >   help and support purposes.  It would be helpful if there was an
> >   option/flag for the nft tool to suppress set contents when
> >   listing.
> >
> > This patch series implements the request by adding a new option:
> > `-t`, `--terse`.
>
> Series applied, thanks Jeremy.

Cheers.

While I was testing this, I noticed what appears to be an error in the
documentation.  From the man-page:

  SET STATEMENT

  The set statement is used to dynamically add or update elements in a
  set from the packet path.  The set setname must already exist in the
  given table and must have been created with the dynamic flag.
  Furthermore, these sets must specify both a maximum set size (to
  prevent memory exhaustion) and a timeout (so that number of entries
  in set will not grow indefinitely).  The set statement can be used to
  e.g. create dynamic blacklists.

In the following example it then defines a set as follows:

  nft add set ip filter blackhole \
    { type ipv4_addr; flags timeout; size 65536; }

There is no `dynamic` flag.  In my testing, I also omitted the `dynamic`
flag by accident, and inadvertently verified that it is indeed not
necessary.
AFAICT, from a far from thorough investigation, it (or rather
`NFT_SET_EVAL`) is only meaningful for the anonymous sets implicitly
created by meter definitions such as this from the same example:

  nft add rule ip filter input tcp flags syn tcp dport ssh \
    meter flood size 128000 \
    { ip saddr timeout 10s limit rate over 10/second } \
    add @blackhole { ip saddr timeout 1m } drop

Another related quirk (I've used the arp family in this example 'cause
it's empty on my dev box):

  # nft add table arp t
  # nft add set arp t s \
  > '{ type ipv4_addr ; size 256 ; flags dynamic,timeout; }'
  # nft list sets table arp t
  table arp t {
          set s {
                  type ipv4_addr
                  size 256
                  flags dynamic,timeout
          }
  }
  # nft list meters arp
  table arp t {
          set s {
                  type ipv4_addr
                  size 256
                  flags dynamic,timeout
          }
  }
  # nft list meter arp t s
  Error: No such file or directory
  list meter arp t s
                   ^
  # nft list set arp t s
  table arp t {
          set s {
                  type ipv4_addr
                  size 256
                  flags dynamic,timeout
          }
  }

> BTW, not your fault, but it seems libnftables documentation is missing
> an update for the (1 << 10) flag.

Yes, I noticed that.  I'll go back and fix it.

J.
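Added example, not from this thread or the nftables project: a small Python filter that does for an already-captured `nft list ...` listing what the `-t`/`--terse` option described above does in nft itself, dropping every `elements = { ... }` stanza so a ruleset can be shared for support without exposing set contents. The sample listing and its addresses are constructed.

```python
import re
from typing import List

# Constructed sample of `nft list table ip filter` output (not captured from
# a real host); addresses are RFC 5737 documentation ranges.
SAMPLE_LISTING = """\
table ip filter {
\tset blackhole {
\t\ttype ipv4_addr
\t\tflags timeout
\t\tsize 65536
\t\telements = { 192.0.2.1 timeout 1m expires 42s,
\t\t\t     192.0.2.2 timeout 1m expires 7s }
\t}

\tset admins {
\t\ttype ipv4_addr
\t\telements = { 198.51.100.10 }
\t}

\tchain input {
\t\ttype filter hook input priority filter; policy accept;
\t\tip saddr @blackhole drop
\t}
}
"""

# Opening line of an `elements = { ... }` stanza as nft prints it.
_ELEMENTS_RE = re.compile(r"^\s*elements\s*=\s*\{")


def terse(listing: str) -> str:
    """Return the listing with every `elements = { ... }` stanza removed.

    Stanzas can span several lines, so braces are counted until the one
    opened on the `elements` line closes; set type/flags/size, chains and
    rules are copied through verbatim.
    """
    out: List[str] = []
    skipping, depth = False, 0
    for line in listing.splitlines(keepends=True):
        if not skipping:
            if not _ELEMENTS_RE.match(line):
                out.append(line)
                continue
            skipping, depth = True, 0   # entering a stanza: drop this line
        depth += line.count("{") - line.count("}")
        if depth <= 0:                  # the stanza's brace closed here
            skipping = False
    return "".join(out)
```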