When re-adding an existing set no error is returned and any changed parameters are ignored.

$ nft list ruleset | tee A
table ip nat {
	map m {
		typeof meta mark : ip saddr
		flags dynamic,timeout
		timeout 1h
	}
}
}
$ $EDITOR $A # change timeout
grep timeout\ A
		timeout 1m
$ nft -f A
$ nft list ruleset|grep timeout\ 
		timeout 1h

Is this a bug? Is there really no alternative but to completely zap the entire set/map?

Similar issue: adding set bla, followed by map bla, passes without error but 'map bla' gets ignored.

On a related note, what happened to 'netfilter: nf_tables: add support to destroy operation':
https://patchwork.ozlabs.org/project/netfilter-devel/patch/20221028100531.58666-1-ffmancera@xxxxxxxxxx/ ?

Some people are (rightfully) complaining that they need to do stupid 'add','delete' (or even add/delete/add!) games.

I don't really mind if we go with new commands (Fernando's patch), if we change behaviour to ignore -ENOENT errors (in which case does it make sense to return an error...?) or if we add a nlmsg flag (kinda inverse to NLMSG_F_EXCL), but current state is not nice at all.
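
Added example, not part of the original post and not nftables code: a Python check that compares the set/map parameters in the file given to `nft -f` with what `nft list ruleset` reports afterwards, so that a silently ignored change (the timeout above, or a set replaced by a map of the same name) is flagged. The sample ruleset is constructed from the listing in the post, and the names `set_params` and `drift` are hypothetical.

```python
import re

# A line that opens a block in `nft list ruleset` output: "table ip nat {", "map m {", "chain c {"
OPENER = re.compile(r"^(table|set|map|\w+)\s+(.*?)\s*\{$")
# Constructed sample based on the ruleset in the post; %s is the map timeout.
RULESET = """table ip nat {
	map m {
		typeof meta mark : ip saddr
		flags dynamic,timeout
		timeout %s
	}
}
"""
DESIRED, LIVE = RULESET % "1m", RULESET % "1h"  # file fed to nft -f / listing afterwards

def set_params(text):
    """Map (family, table, name) -> {'kind': 'set'|'map', param: value, ...}."""
    found, stack, in_elements = {}, [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if in_elements or line.startswith("elements"):
            in_elements = "}" not in line      # element lists may span several lines
        elif line == "}":
            if stack:                          # tolerate a stray closing brace
                stack.pop()
        elif (m := OPENER.match(line)):
            kind, rest = m.groups()
            if kind == "table":
                stack.append(("table", tuple(rest.split())))
            elif kind in ("set", "map") and stack and stack[-1][0] == "table":
                key = stack[-1][1] + (rest,)
                found[key] = {"kind": kind}
                stack.append(("set", key))
            else:
                stack.append(("other", None))  # chain, flowtable, ...
        elif line and stack and stack[-1][0] == "set":
            name, _, value = line.partition(" ")
            found[stack[-1][1]][name] = value.strip()
    return found

def drift(desired_text, live_text):
    """List (set_key, param, wanted, live) for every parameter that differs."""
    want, live = set_params(desired_text), set_params(live_text)
    report = []
    for key in sorted(want):
        have = live.get(key, {})
        for param in sorted(set(want[key]) | set(have)):
            if want[key].get(param) != have.get(param):
                report.append((key, param, want[key].get(param), have.get(param)))
    return report
```

Run after each load, a non-empty result from `drift(file_text, listing_text)` means the kernel kept the old definition even though `nft -f` returned success.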