On Sun, 21 Jul 2024, at 5:09 PM, Eric wrote:
> On Sunday, July 21st, 2024 at 02:58, Kerin Millar <kfm@xxxxxxxxxxxxx> wrote:
>> As far as I am aware, it is impossible to add elements in a way that merely reset their expiry times in the case that they exist
>
> 'reset element' was added in 1.0.8, but requires kernel 6.5 or later:
>
> nft add element inet xyz set_ipv4 '{ 1.0.0.1 expires 1h }'
> sleep 10
> nft reset element inet xyz set_ipv4 '{ 1.0.0.1 }'
> nft get element inet xyz set_ipv4 '{ 1.0.0.1 }'
>
> See https://bugzilla.netfilter.org/show_bug.cgi?id=1689

Thank you. Putting aside my disappointment that the terminology shall now forever be disjoint with that employed by packet path updates, it appears to be a broken feature.

# nft -v; uname -r; nft list ruleset
nftables v1.0.9 (Old Doc Yak #3)
6.6.36-1-lts
table ip filter {
	set x {
		type ipv4_addr
		size 65536
		flags dynamic,timeout
		timeout 1h
		elements = { 1.2.3.4 expires 57m38s723ms }
	}
}

# nft 'reset element ip filter x { 1.2.3.4 }'
table ip filter {
	set x {
		type ipv4_addr
		size 65536
		flags dynamic,timeout
		timeout 1h
		elements = { 1.2.3.4 expires 56m37s83ms }
	}
}

# nft list ruleset
table ip filter {
	set x {
		type ipv4_addr
		size 65536
		flags dynamic,timeout
		timeout 1h
		elements = { 1.2.3.4 expires 56m5s366ms }
	}
}

Further, defining the initial timeout on a per-element basis has no impact on the proceedings here, nor does defining a new timeout and/or expires value in the course of issuing the reset command.

An additional problem with it is that it raises an error in the case that the specified element does not already exist, just as delete does. So, even if it were working as intended, it would continue to fall short of achieving feature parity with ipset(8).

-- 
Kerin Millar
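The message above judges whether `nft reset element` worked by eyeballing two `expires` values. The script below is an added example, not code from the thread or from the nftables project: it parses captured `nft list ruleset` text, converts nft's duration syntax (`57m38s723ms`, `1h`, ...) to milliseconds, and reports whether the element has more time left after the reset than before, which is what a re-armed timeout would show. It runs without root or nftables because it only works on text; the two samples are copied from the output quoted in the message, and the function names are the author's own.

```sh
#!/bin/sh
# Added example (not from the thread): did 'nft reset element' actually
# re-arm an element's expiry? Works on captured 'nft list ...' output only.

# Convert an nft duration such as "57m38s723ms" or "1h" to milliseconds.
expires_to_ms() {
    printf '%s\n' "$1" | awk '{
        s = $0; ms = 0
        # "ms" is listed first so "38ms" is consumed as one token, not "38m"+"s"
        while (match(s, /^[0-9]+(ms|d|h|m|s)/)) {
            tok = substr(s, 1, RLENGTH); s = substr(s, RLENGTH + 1)
            n = tok + 0; u = tok; sub(/^[0-9]+/, "", u)
            if (u == "d")       ms += n * 86400000
            else if (u == "h")  ms += n * 3600000
            else if (u == "m")  ms += n * 60000
            else if (u == "s")  ms += n * 1000
            else                ms += n
        }
        print ms
    }'
}

# Print the "expires" value of one element from nft list output.
# $1 = element (e.g. 1.2.3.4), $2 = captured output. Prints nothing if absent.
element_expires() {
    printf '%s\n' "$2" | awk -v e="$1" '{
        for (i = 1; i < NF - 1; i++)
            if ($i == e && $(i + 1) == "expires") {
                v = $(i + 2); sub(/[,}]$/, "", v); print v; exit
            }
    }'
}

# A working reset leaves the element with MORE time left than before (it was
# re-armed to the full timeout). A value that merely kept counting down, as in
# the message above, means the reset changed nothing.
# $1 = element, $2 = output captured before the reset, $3 = output after it.
reset_worked() {
    b=$(expires_to_ms "$(element_expires "$1" "$2")")
    a=$(expires_to_ms "$(element_expires "$1" "$3")")
    if [ "$a" -gt "$b" ]; then echo yes; else echo no; fi
}

# Samples copied from the 'nft list ruleset' output quoted in the message.
BEFORE='table ip filter {
    set x {
        type ipv4_addr
        size 65536
        flags dynamic,timeout
        timeout 1h
        elements = { 1.2.3.4 expires 57m38s723ms }
    }
}'
AFTER='table ip filter {
    set x {
        type ipv4_addr
        size 65536
        flags dynamic,timeout
        timeout 1h
        elements = { 1.2.3.4 expires 56m37s83ms }
    }
}'

printf 'before: %s ms\nafter:  %s ms\nreset worked: %s\n' \
    "$(expires_to_ms "$(element_expires 1.2.3.4 "$BEFORE")")" \
    "$(expires_to_ms "$(element_expires 1.2.3.4 "$AFTER")")" \
    "$(reset_worked 1.2.3.4 "$BEFORE" "$AFTER")"
```

To use it on a live box, capture `nft list set ip filter x` into a variable, run the reset, capture again, and feed both captures to `reset_worked`. Because `reset element` and `delete element` both fail on a missing element, wrap the reset in a check against `element_expires` output (empty means absent) before relying on it as an ipset-style "add or refresh".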