On Fri, Feb 28, 2025 at 03:25:07PM +0100, Florian Westphal wrote:
> Michael Menge <michael.menge@xxxxxxxxxxxxxxxxxxxx> wrote:
> > i want to use a named set in nftables to to restrict outgoing http(s)
> > connections only to
> > update servers. As the update servers are behind CDNs with multiple changing
> > IPs i need
> > to automatically update the named set.
> >
> > I discovered that "reset element" was added to the nft command which should
> > enable me to reset
> > the timeout without removing the IPs already in the set, and to keep a clean
> > list of IPs.
>
> No, you can update existing element timeouts:
> nft add element inet filter updatesv4 {1.2.3.4 timeout 1h expires 1h}
>
> reset will not affect the timeout, only quota or counters.
>
> > Fetch list of IPs, Call
> > "nft add element inet filter updatesv4 {a.b.c.d timeout 1h}" and
> > "nft reset element inet filter updatesv4 {a.b.c.d}" for each IP
> >
> > (I know that i can use multiple IPs, in the add and reset element command)
> >
> > In my test I triggered the following error:
> > ===
> > [root@mail ~]# nft add element inet filter updatesv4 {1.2.3.4 timeout 1h}
> > [root@mail ~]# nft list set inet filter updatesv4
> > table inet filter {
> > set updatesv4 {
> > type ipv4_addr
> > flags interval,timeout
> > elements = { 1.2.3.4 timeout 1h expires 59m53s324ms }
> > }
> > }
> > [root@mail ~]# nft reset element inet filter updatesv4 {1.2.3.4}
> > BUG: unhandled op 8
> > nft: evaluate.c:1734: interval_set_eval: Assertion `0' failed.
> > Aborted (core dumped)
>
> This should be the right fix, I will submit this formally later:
> diff --git a/src/evaluate.c b/src/evaluate.c
> --- a/src/evaluate.c
> +++ b/src/evaluate.c
> @@ -1946,6 +1946,7 @@ static int interval_set_eval(struct eval_ctx *ctx, struct set *set,
> ctx->nft->debug_mask);
> break;
> case CMD_GET:
> + case CMD_RESET:
> break;
> default:
> BUG("unhandled op %d\n", ctx->cmd->op);
Patch looks good, would you please merge this upstream?
Thanks.
