On Fri, Feb 03, 2023 at 05:21:29PM +0100, Phil Sutter wrote:
[...]
> On Fri, Feb 03, 2023 at 04:32:01PM +0100, Pablo Neira Ayuso wrote:
[...]
> > I also wonder if this might cause problems with nftables and implicit
> > sets, they are bound to one single lookup expression that, when gone,
> > the set is released. Now you will have two expressions pointing to an
> > implicit set. Same thing with implicit chains. This might get tricky
> > with the transaction interface.
>
> While indeed two lookup expressions will refer to the same anonymous
> set, only one of those expressions will ever be in use. There's no way
> the kernel would switch between rule variants (or use both at the same
> time).

OK, but the control plane will reject two lookup expressions that refer
to the same anonymous set.

> > iptables is a rather simple representation (no sets), but nftables is
> > more expressive.
>
> That's not true, at least ebtables' among match is implemented using
> sets. :)

Then better have a look at this implicit set scenario I describe above
because I cannot see how this can work.