Hi,
I want to use a named set in nftables to restrict outgoing HTTP(S) connections only to update servers. As the update servers are behind CDNs with multiple changing IPs, I need to automatically update the named set.
I discovered that "reset element" was added to the nft command, which should enable me to reset the timeout without removing the IPs already in the set, and to keep a clean list of IPs.
Fetch the list of IPs, then call
"nft add element inet filter updatesv4 {a.b.c.d timeout 1h}" and
"nft reset element inet filter updatesv4 {a.b.c.d}" for each IP
(I know that I can use multiple IPs in the add and reset element commands).
In my test I triggered the following error:
===
[root@mail ~]# nft add element inet filter updatesv4 {1.2.3.4 timeout 1h}
[root@mail ~]# nft list set inet filter updatesv4
table inet filter {
set updatesv4 {
type ipv4_addr
flags interval,timeout
elements = { 1.2.3.4 timeout 1h expires 59m53s324ms }
}
}
[root@mail ~]# nft reset element inet filter updatesv4 {1.2.3.4}
BUG: unhandled op 8
nft: evaluate.c:1734: interval_set_eval: Assertion `0' failed.
Aborted (core dumped)
[root@mail ~]#
===
I am using:
- AlmaLinux release 9.5 (Teal Serval)
- Kernel 5.14.0-503.23.2.el9_5.x86_64
- nftables-1.0.9-3.el9.x86_64
I could not find any related bugs in bugzilla.
Is this a known bug? Is it already fixed in a newer version?
Should this have worked?
How can I help to debug/fix this?
Kind Regards
Michael Menge
--
--------------------------------------------------------------------------------
Michael Menge Tel.: (49) 7071 / 29-70316
Universität Tübingen Fax.: (49) 7071 / 29-5912
Zentrum für Datenverarbeitung mail:
michael.menge@xxxxxxxxxxxxxxxxxxxx
Wächterstraße 76
72074 Tübingen
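The update procedure described in the post (fetch a list of IPs, add them to the set with a timeout, reset the timeout of the ones already present), as an added example that is not part of the original mail. The script only generates the nft batch text for `nft -f -`; it assumes the table `inet filter` and set `updatesv4` from the post already exist with the `timeout` flag, and the function names (`is_ipv4`, `build_add_batch`, `build_reset_batch`, `resolve_ipv4`) are my own. Its main point from a defensive angle is that addresses coming back from DNS are validated before they are placed into an nft command, so an unexpected or malformed answer cannot turn into extra nft syntax in the batch. Whether `reset element` is accepted on this particular set is exactly the question the post raises, so the reset batch is built separately and can be skipped.

```shell
#!/bin/sh
# Added example (not from the original post). Generates nft batch text that
# refreshes a named set with timeout, without executing nft itself.

# is_ipv4 ADDR: accept only a dotted quad with four octets in 0..255.
# Anything else (hostnames, spaces, ';', braces) is rejected.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    IFS=. read -r o1 o2 o3 o4 rest <<EOF
$1
EOF
    [ -n "$o4" ] && [ -z "$rest" ] || return 1
    for o in "$o1" "$o2" "$o3" "$o4"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# build_add_batch FAMILY TABLE SET TIMEOUT ADDR...: one "add element" line
# carrying every valid address with the given timeout (the post's first step).
# Invalid addresses are reported on stderr and skipped; returns 1 if nothing
# valid was given so the caller does not run an empty batch.
build_add_batch() {
    family=$1; table=$2; setname=$3; timeout=$4; shift 4
    list=""
    for ip in "$@"; do
        if is_ipv4 "$ip"; then
            list="${list:+$list, }$ip timeout $timeout"
        else
            printf 'skipping invalid address: %s\n' "$ip" >&2
        fi
    done
    [ -n "$list" ] || return 1
    printf 'add element %s %s %s { %s }\n' "$family" "$table" "$setname" "$list"
}

# build_reset_batch FAMILY TABLE SET ADDR...: one "reset element" line for the
# same addresses (the post's second step), with the same validation.
build_reset_batch() {
    family=$1; table=$2; setname=$3; shift 3
    list=""
    for ip in "$@"; do
        if is_ipv4 "$ip"; then
            list="${list:+$list, }$ip"
        else
            printf 'skipping invalid address: %s\n' "$ip" >&2
        fi
    done
    [ -n "$list" ] || return 1
    printf 'reset element %s %s %s { %s }\n' "$family" "$table" "$setname" "$list"
}

# resolve_ipv4 HOST...: current A records for the update hosts, one per line.
# Uses getent (glibc); this is the "fetch list of IPs" step and needs network.
resolve_ipv4() {
    for host in "$@"; do
        getent ahostsv4 "$host" | awk '{ print $1 }' | sort -u
    done
}

# Usage when run directly with update hostnames as arguments, e.g.
#   ./refresh-updatesv4.sh mirror.example.invalid | nft -f -
# (hostnames are placeholders; the pipe into nft is left to the operator).
if [ "$#" -gt 0 ]; then
    # shellcheck disable=SC2046  # word splitting on the resolved list is intended
    ips=$(resolve_ipv4 "$@")
    build_add_batch inet filter updatesv4 1h $ips
fi
```

The add line updates the whole set in one netlink batch instead of one nft invocation per address, which is also what keeps the firewall state consistent if the script is interrupted halfway. Addresses that fail `is_ipv4` are dropped rather than quoted, because nft set syntax has no safe quoting for arbitrary strings.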