Re: expires larger than timeout causes error

On Mon, 30 Dec 2024, at 10:57 AM, Pablo Neira Ayuso wrote:
> On Sun, Dec 29, 2024 at 06:00:36PM +0800, lilydjwg wrote:
>> I have an IPv4 set with timeout 2d, but update its elements to 4d when
>> a rule matches. It was fine until the kernel was updated to 6.12.6 or 6.12.7.
>> E.g. the following snippet gives an error when importing:
>> 
>> table inet blocker {
>>         set spam_ips {
>>                 type ipv4_addr
>>                 size 65535
>>                 flags dynamic,timeout
>>                 timeout 2d
>>                 elements = { 1.2.3.4 expires 3d }
>>         }
>> }
>> 
>> a.nft:7:16-22: Error: Could not process rule: Numerical result out of range
>>                 elements = { 1.2.3.4 expires 3d }
>>                              ^^^^^^^
>> 
>> kernel 6.10.6 worked just fine. nftables cli v1.1.1.
>> 
>> Although I can't import the set, existing elements can still be updated
>> to timeout more than 2d.
>> 
>> A new bug? Or a new limitation?
>
> You have to use _timeout_ to override the default set timeout policy
> for your elements.

It would be more intuitive were the circumflex characters to indicate "expires 3d" or "3d" as being at fault.

-- 
Kerin Millar
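
An added example, not part of the thread or of nftables: a Python pre-load check that flags set elements whose expires exceeds the element's own timeout or, absent one, the set's default timeout. That rule is an assumption inferred from the error and the reply above; the sample ruleset, including the spam_ips_fixed set, is constructed.

```python
import re

# nft duration units in milliseconds, e.g. "2d", "3d23h59m58s", "500ms"
UNITS = {"d": 86_400_000, "h": 3_600_000, "m": 60_000, "s": 1_000, "ms": 1}
DURATION = re.compile(r"(\d+)(ms|d|h|m|s)")
# One set block up to the end of its "elements = { ... }" list. Assumes every
# set in the input has an elements list and no quoted comments inside it.
SET_BLOCK = re.compile(r"\bset\s+(\S+)\s*\{(.*?)elements\s*=\s*\{(.*?)\}", re.S)

# Constructed sample: the set from the report plus a variant that follows the reply.
SAMPLE = """
table inet blocker {
        set spam_ips {
                type ipv4_addr
                flags dynamic,timeout
                timeout 2d
                elements = { 1.2.3.4 expires 3d, 5.6.7.8 expires 1d }
        }
        set spam_ips_fixed {
                type ipv4_addr
                flags dynamic,timeout
                timeout 2d
                elements = { 1.2.3.4 timeout 4d expires 3d }
        }
}
"""

def to_ms(text):
    """Convert an nft duration string to milliseconds."""
    parts = DURATION.findall(text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"bad duration: {text!r}")
    return sum(int(n) * UNITS[u] for n, u in parts)

def find_rejected(ruleset):
    """Return (set, key, expires, effective timeout) for each element whose
    expires is larger than the timeout that applies to it."""
    findings = []
    for name, head, elems in SET_BLOCK.findall(ruleset):
        default = re.search(r"^\s*timeout\s+(\S+)", head, re.M)
        for elem in filter(str.strip, elems.split(",")):
            key, *opts = elem.split()
            kv = dict(zip(opts[::2], opts[1::2]))  # e.g. {"timeout": "4d", "expires": "3d"}
            timeout = kv.get("timeout") or (default and default.group(1))
            if "expires" in kv and timeout and to_ms(kv["expires"]) > to_ms(timeout):
                findings.append((name, key, kv["expires"], timeout))
    return findings
```

Calling find_rejected(SAMPLE) reports only the element from the original report; the variant with an explicit per-element timeout passes.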