Re: nft reset element crashes with error BUG: unhandled op 8

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, Feb 28, 2025 at 03:25:07PM +0100, Florian Westphal wrote:
> Michael Menge <michael.menge@xxxxxxxxxxxxxxxxxxxx> wrote:
> > i want to use a named set in nftables to to restrict outgoing http(s)
> > connections only to
> > update servers. As the update servers are behind CDNs with multiple changing
> > IPs i need
> > to automatically update the named set.
> > 
> > I discovered that "reset element" was added to the nft command which should
> > enable me to reset
> > the timeout without removing the IPs already in the set, and to keep a clean
> > list of IPs.
> 
> No, you can update existing element timeouts:
> nft add element inet filter updatesv4 {1.2.3.4 timeout 1h expires 1h}
> 
> reset will not affect the timeout, only quota or counters.
> 
> > Fetch list of IPs, Call
> > "nft add element inet filter updatesv4 {a.b.c.d timeout 1h}" and
> > "nft reset element inet filter updatesv4 {a.b.c.d}" for each IP
> > 
> > (I know that i can use multiple IPs, in the add and reset element command)
> > 
> > In my test I triggered the following error:
> > ===
> > [root@mail ~]# nft add element inet filter updatesv4 {1.2.3.4 timeout 1h}
> > [root@mail ~]# nft list set inet filter updatesv4
> > table inet filter {
> > 	set updatesv4 {
> > 		type ipv4_addr
> > 		flags interval,timeout
> > 		elements = { 1.2.3.4 timeout 1h expires 59m53s324ms }
> > 	}
> > }
> > [root@mail ~]# nft reset element inet filter updatesv4 {1.2.3.4}
> > BUG: unhandled op 8
> > nft: evaluate.c:1734: interval_set_eval: Assertion `0' failed.
> > Aborted (core dumped)
> 
> This should be the right fix, I will submit this formally later:
> diff --git a/src/evaluate.c b/src/evaluate.c
> --- a/src/evaluate.c
> +++ b/src/evaluate.c
> @@ -1946,6 +1946,7 @@ static int interval_set_eval(struct eval_ctx *ctx, struct set *set,
>  				 ctx->nft->debug_mask);
>  		break;
>  	case CMD_GET:
> +	case CMD_RESET:
>  		break;
>  	default:
>  		BUG("unhandled op %d\n", ctx->cmd->op);

Patch looks good, would you please merge this upstream?

Thanks.




[Index of Archives]     [Netfitler Users]     [Berkeley Packet Filter]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux