On Sun, Dec 29, 2024 at 06:00:36PM +0800, lilydjwg wrote:
> I have an IPv4 set with timeout 2d, but update its elements to 4d when
> a rule matches. It was fine until kernel is updated to 6.12.6 or 6.12.7.
> E.g. the following snippet gives an error when importing:
>
> table inet blocker {
>   set spam_ips {
>     type ipv4_addr
>     size 65535
>     flags dynamic,timeout
>     timeout 2d
>     elements = { 1.2.3.4 expires 3d }
>   }
> }
>
> a.nft:7:16-22: Error: Could not process rule: Numerical result out of range
>     elements = { 1.2.3.4 expires 3d }
>                  ^^^^^^^
>
> kernel 6.10.6 worked just fine. nftables cli v1.1.1.
>
> Despite I can't import the set, existing elements can still be updated
> to timeout more than 2d.
>
> A new bug? Or a new limitation?

You have to use _timeout_ to override the default set timeout policy
for your elements.

Thanks
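An added example, not part of the thread or of nftables: a small Python check that scans a saved ruleset for set elements whose `expires` is larger than the timeout in effect for them, so they can be given an explicit `timeout` before the file is loaded on a newer kernel. The rule it applies (an element's `expires` must not exceed its own `timeout`, or the set default when it has none) is an assumption drawn from the error and the reply above; `seconds`, `over_timeout` and the two extra sample elements are constructed for illustration.

```python
import re

UNITS = {"d": 86400, "h": 3600, "m": 60, "s": 1, "ms": 0.001}

def seconds(text):
    """Convert an nft duration such as '2d' or '1d12h' to seconds."""
    return sum(int(n) * UNITS[u] for n, u in re.findall(r"(\d+)(ms|[dhms])", text))

def over_timeout(ruleset):
    """List (set, element, expires_s, timeout_s) where expires > effective timeout."""
    findings, set_name, default, in_elems = [], None, None, False
    for line in (raw.strip() for raw in ruleset.splitlines()):
        new_set = re.match(r"set\s+(\S+)\s*\{", line)
        if new_set:
            set_name, default, in_elems = new_set.group(1), None, False
        elif re.match(r"timeout\s+\S+$", line):
            default = seconds(line.split()[1])  # set-wide default timeout
        in_elems = in_elems or line.startswith("elements")
        if not in_elems:
            continue
        # Simplification: assumes no ',' or '=' inside element comments.
        for item in line.split("=", 1)[-1].strip("{} ").split(","):
            fields = item.split()
            if not fields:
                continue
            opts = dict(zip(fields[1::2], fields[2::2]))  # e.g. {'expires': '3d'}
            limit = seconds(opts["timeout"]) if "timeout" in opts else default
            if "expires" in opts and limit is not None and seconds(opts["expires"]) > limit:
                findings.append((set_name, fields[0], seconds(opts["expires"]), limit))
        in_elems = "}" not in line  # the element list ends at its closing brace
    return findings

# Constructed sample: the set from the report plus two made-up elements.
SAMPLE = """\
table inet blocker {
    set spam_ips {
        type ipv4_addr
        size 65535
        flags dynamic,timeout
        timeout 2d
        elements = { 1.2.3.4 expires 3d,
                     5.6.7.8 timeout 4d expires 3d,
                     9.9.9.9 expires 1d12h }
    }
}
"""

if __name__ == "__main__":
    for name, elem, exp, limit in over_timeout(SAMPLE):
        print(f"{name}: {elem} expires {exp}s > timeout {limit}s")
```

Only `1.2.3.4` is reported: `5.6.7.8` carries its own `timeout 4d`, which is the form the reply asks for, and `9.9.9.9` expires within the 2d set default.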