Re: Are there nft set limits?

Thanks a lot, Anton. It is included, indeed.

Regards,
Xavier

On Thu, 8 Feb 2024 17:59:43 +0200
Anton <anton.khazan@xxxxxxxxx> wrote:

> It might be included in one of the intervals, which is why grep doesn't see it.
> Try this:
> 
> nft get element inet my_table badips { 198.199.104.80 }
> 
> 
> On Thu, Feb 8, 2024 at 5:22 PM Xavier B. <somenxavier@xxxxxxxxxx> wrote:
> >
> > Hi,
> >
> > I have an artix instance with nftables there. I have several rules (attached file) but mainly I have a set of IP addresses I want to ban:
> >
> > table inet my_table {
> >
> >    set badips {
> >        type ipv4_addr
> >        flags interval
> >        auto-merge
> >        elements = {1.0.147.18 }
> >    }
> >
> > chain my_input {
> >                 ...
> >                 ip saddr @badips drop comment "[nftables] Block ban IP"
> >                 ...
> >         }
> > ...
> > }
> >
> > Until now, when I add some new IP to my badips set, everything is fine, but today is not:
> >
> > # nft add element inet my_table badips { 198.199.104.80 }
> > # nft list ruleset | grep 198.199.104.80
> > #
> >
> > As you can see "nft list ruleset | grep 198.199.104.80" produces no output, which means that this IP is not added in badips set.
> >
> > So, I suspect nft has a theoretical limit on the number of elements in a set. Is it true? Or not? If it is, what is that limit?
> >
> > Thanks in advance,
> > Xavier
> 
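The behaviour Anton points to, namely that an interval set with `auto-merge` folds a newly added address into an existing range so that `nft list ruleset | grep` no longer finds the literal address while `nft get element` still reports it as a member, can be shown with a small model. The following is an added example, not code from the thread or from nftables itself: it is a toy `IntervalSet` class that mimics the merge and lookup rules (adjacent or overlapping elements are merged into one range, membership is a range check), and the `198.199.104.0/24` range it pre-loads is a constructed assumption to stand in for whatever earlier ban swallowed the address in Xavier's set.

```python
import ipaddress

class IntervalSet:
    """Toy model of an nft set declared with `flags interval` and `auto-merge`.

    Intervals are stored as (start, end) integer pairs, kept sorted, disjoint and
    non-adjacent, which is what auto-merge guarantees after every insertion.
    """

    def __init__(self):
        self.intervals = []

    @staticmethod
    def _bounds(elem):
        # Accept "a.b.c.d", "a.b.c.d/nn" or "a.b.c.d-e.f.g.h", as nft does.
        if "-" in elem:
            lo, hi = elem.split("-")
            return int(ipaddress.IPv4Address(lo)), int(ipaddress.IPv4Address(hi))
        net = ipaddress.ip_network(elem, strict=False)
        return int(net.network_address), int(net.broadcast_address)

    def add(self, elem):
        """Insert an element; anything overlapping or adjacent is merged into it."""
        new_lo, new_hi = self._bounds(elem)
        kept = []
        for lo, hi in self.intervals:
            if hi + 1 < new_lo or lo > new_hi + 1:
                kept.append((lo, hi))          # disjoint and not adjacent: keep as-is
            else:
                new_lo, new_hi = min(lo, new_lo), max(hi, new_hi)   # swallow it
        kept.append((new_lo, new_hi))
        self.intervals = sorted(kept)

    def contains(self, addr):
        """Equivalent of `nft get element ... { addr }`: a range lookup, not a text match."""
        x = int(ipaddress.IPv4Address(addr))
        return any(lo <= x <= hi for lo, hi in self.intervals)

    def list_elements(self):
        """Equivalent of what `nft list ruleset` prints for the set's elements."""
        out = []
        for lo, hi in self.intervals:
            if lo == hi:
                out.append(str(ipaddress.IPv4Address(lo)))
                continue
            # A merged range prints as a prefix when it is one, else as start-end.
            nets = list(ipaddress.summarize_address_range(
                ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)))
            if len(nets) == 1:
                out.append(str(nets[0]))
            else:
                out.append(f"{ipaddress.IPv4Address(lo)}-{ipaddress.IPv4Address(hi)}")
        return out

def grep_style_check(listed_elements, needle):
    """Mimics `nft list ruleset | grep <ip>`: a substring match over the printed text."""
    return any(needle in line for line in listed_elements)

def demo():
    """Reproduce the thread's symptom: grep says 'missing', a real lookup says 'present'."""
    badips = IntervalSet()
    badips.add("1.0.147.18")          # the element shown in Xavier's set
    badips.add("198.199.104.0/24")    # constructed: an earlier ban covering the address
    badips.add("198.199.104.80")      # the address from the thread; merged into the /24
    listed = badips.list_elements()
    return listed, grep_style_check(listed, "198.199.104.80"), badips.contains("198.199.104.80")

if __name__ == "__main__":
    listed, seen_by_grep, is_member = demo()
    print("listed elements:", listed)
    print("found by grep:", seen_by_grep)    # False: the literal address is gone from the text
    print("found by get element:", is_member) # True: the range check still matches it
```

The practical takeaway for anyone auditing a blocklist set: with `flags interval` and `auto-merge`, the printed ruleset is not a reliable place to look for an individual address, so membership checks should use `nft get element` (or a counter on the matching rule) rather than text search over `nft list ruleset`.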
