On Fri, Feb 28, 2025 at 03:25:07PM +0100, Florian Westphal wrote:
> Michael Menge <michael.menge@xxxxxxxxxxxxxxxxxxxx> wrote:
> > I want to use a named set in nftables to restrict outgoing http(s)
> > connections only to
> > update servers. As the update servers are behind CDNs with multiple changing
> > IPs I need
> > to automatically update the named set.
> >
> > I discovered that "reset element" was added to the nft command which should
> > enable me to reset
> > the timeout without removing the IPs already in the set, and to keep a clean
> > list of IPs.
>
> No, you can update existing element timeouts:
> nft add element inet filter updatesv4 {1.2.3.4 timeout 1h expires 1h}
>
> reset will not affect the timeout, only quota or counters.
>
> > Fetch list of IPs, call
> > "nft add element inet filter updatesv4 {a.b.c.d timeout 1h}" and
> > "nft reset element inet filter updatesv4 {a.b.c.d}" for each IP
> >
> > (I know that I can use multiple IPs in the add and reset element command)
> >
> > In my test I triggered the following error:
> > ===
> > [root@mail ~]# nft add element inet filter updatesv4 {1.2.3.4 timeout 1h}
> > [root@mail ~]# nft list set inet filter updatesv4
> > table inet filter {
> > set updatesv4 {
> > type ipv4_addr
> > flags interval,timeout
> > elements = { 1.2.3.4 timeout 1h expires 59m53s324ms }
> > }
> > }
> > [root@mail ~]# nft reset element inet filter updatesv4 {1.2.3.4}
> > BUG: unhandled op 8
> > nft: evaluate.c:1734: interval_set_eval: Assertion `0' failed.
> > Aborted (core dumped)
>
> This should be the right fix, I will submit this formally later:
> diff --git a/src/evaluate.c b/src/evaluate.c
> --- a/src/evaluate.c
> +++ b/src/evaluate.c
> @@ -1946,6 +1946,7 @@ static int interval_set_eval(struct eval_ctx *ctx, struct set *set,
> ctx->nft->debug_mask);
> break;
> case CMD_GET:
> + case CMD_RESET:
> break;
> default:
> BUG("unhandled op %d\n", ctx->cmd->op);

Patch looks good, would you please merge this upstream? Thanks.
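Review bot: the added `case CMD_RESET:` in the interval_set_eval switch is missing a regression test; the report above is a complete reproducer (an `interval,timeout` set, `nft add element inet filter updatesv4 {1.2.3.4 timeout 1h}` followed by `nft reset element inet filter updatesv4 {1.2.3.4}`), so it should be added to the nft shell test suite alongside the fix, and the commit message should quote `BUG: unhandled op 8` so the crash is searchable. Treating CMD_RESET like CMD_GET (no interval merging) is consistent with the earlier statement that reset only touches quota or counters, not membership or timeouts, so the logic is right. Note also that the reporter's assertion fires at evaluate.c:1734 while this hunk sits at line 1946, so the fix will need to be applied to the older branch the reporter is running as well.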