TL;DR: since v1.1 meters work slightly different
and re-add after flush won't work:
cat > repro.sh <<EOF
NFT=src/nft
ip netns add N
ip netns exec N $NFT add table filter
ip netns exec N $NFT add chain filter input '{ type filter hook input priority 0 ; }'
ip netns exec N $NFT add rule ip filter input tcp dport 80 meter http1 { tcp dport . ip saddr limit rate over 200/second } counter drop
ip netns exec N $NFT list meters
# This used to remove the anon set, but not anymore
ip netns exec N $NFT flush chain filter input
# This will now fail:
ip netns exec N $NFT add rule ip filter input tcp dport 80 meter http1 { tcp dport . ip saddr limit rate over 200/second } counter drop
ip netns del N
EOF
This is caused by:
b8f8ddff ("evaluate: translate meter into dynamic set")
Should the last rule in above example work or not?
If it should I will turn the above into a formal test case and will
work on a fix, from a quick glance it should be possible to
handle the collision if the existing set has matching key length.
Thanks,
Florian
