Michael Menge <michael.menge@xxxxxxxxxxxxxxxxxxxx> wrote:

> I want to use a named set in nftables to restrict outgoing http(s)
> connections only to update servers. As the update servers are behind
> CDNs with multiple changing IPs I need to automatically update the
> named set.
>
> I discovered that "reset element" was added to the nft command which
> should enable me to reset the timeout without removing the IPs already
> in the set, and to keep a clean list of IPs.

No, you can update existing element timeouts:

nft add element inet filter updatesv4 {1.2.3.4 timeout 1h expires 1h}

reset will not affect the timeout, only quota or counters.

> Fetch list of IPs, call
> "nft add element inet filter updatesv4 {a.b.c.d timeout 1h}" and
> "nft reset element inet filter updatesv4 {a.b.c.d}" for each IP
>
> (I know that I can use multiple IPs in the add and reset element command)
>
> In my test I triggered the following error:
> ===
> [root@mail ~]# nft add element inet filter updatesv4 {1.2.3.4 timeout 1h}
> [root@mail ~]# nft list set inet filter updatesv4
> table inet filter {
>         set updatesv4 {
>                 type ipv4_addr
>                 flags interval,timeout
>                 elements = { 1.2.3.4 timeout 1h expires 59m53s324ms }
>         }
> }
> [root@mail ~]# nft reset element inet filter updatesv4 {1.2.3.4}
> BUG: unhandled op 8
> nft: evaluate.c:1734: interval_set_eval: Assertion `0' failed.
> Aborted (core dumped)

This should be the right fix, I will submit this formally later:

diff --git a/src/evaluate.c b/src/evaluate.c --- a/src/evaluate.c +++ b/src/evaluate.c @@ -1946,6 +1946,7 @@ static int interval_set_eval(struct eval_ctx *ctx, struct set *set, ctx->nft->debug_mask); break; case CMD_GET: + case CMD_RESET: break; default: BUG("unhandled op %d\n", ctx->cmd->op);
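Review bot: the hunk only adds `case CMD_RESET:` to share the `break` with `CMD_GET`, which is consistent with reset not touching element intervals, but the submission should come with a regression test that runs `reset element` against a set declared with `flags interval,timeout`, since interval_set_eval is only reached for interval sets and that is exactly the path that hit `BUG("unhandled op %d\n", ctx->cmd->op)` in the report (note the reporter's line, evaluate.c:1734, does not match the hunk offset at 1946, so the test should be checked against both the reported version and current master).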
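As an added example, not from this thread or the nftables project: a POSIX sh helper that turns a list of resolved update-server addresses into a single `add element` statement with a fresh `timeout`, which is the refresh mechanism the reply describes (re-adding an element updates its expiry; `reset element` only clears counters and quotas). The family, table and set names (`inet filter updatesv4`) are taken from the thread; the IPv4 validation, de-duplication and the `resolve_v4` hook built on `getent ahostsv4` are assumptions of this example.

```shell
#!/bin/sh
# Added example: emit an nft batch that refreshes element timeouts by
# re-adding every address. Nothing here talks to the kernel; the caller
# decides when to feed the output to "nft -f -".

# Resolve the current IPv4 addresses of the given hostnames (assumed helper,
# relies on glibc's getent). Not used by the checks below.
resolve_v4() {
    for host in "$@"; do
        getent ahostsv4 "$host" | awk '{print $1}' | sort -u
    done
}

# Accept only dotted-quad IPv4 with every octet in 0..255, so junk in the
# feed cannot end up inside the batch (one bad token rejects a whole nft -f
# batch, which would leave the set un-refreshed).
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# build_refresh_batch FAMILY TABLE SET TIMEOUT < ip-list
# Prints one "add element" statement covering every valid, de-duplicated
# address read from stdin ("#" comments and blank lines are skipped), or
# prints nothing when no usable address remains.
build_refresh_batch() {
    family=$1; table=$2; set_name=$3; timeout=$4
    elems=""
    seen=" "
    while IFS= read -r ip; do
        ip=${ip%%#*}
        ip=$(echo "$ip" | tr -d ' \t')
        [ -n "$ip" ] || continue
        is_ipv4 "$ip" || continue
        case "$seen" in *" $ip "*) continue ;; esac
        seen="$seen$ip "
        if [ -n "$elems" ]; then
            elems="$elems, $ip timeout $timeout"
        else
            elems="$ip timeout $timeout"
        fi
    done
    [ -n "$elems" ] || return 0
    printf 'add element %s %s %s { %s }\n' "$family" "$table" "$set_name" "$elems"
}

# Typical use (constructed): refresh the set from two CDN-fronted hostnames.
# resolve_v4 updates.example.invalid mirror.example.invalid \
#     | build_refresh_batch inet filter updatesv4 1h | nft -f -
```

Because a single statement is emitted, the refresh is applied atomically by `nft -f`: either every resolved address gets its timeout extended or none does, and addresses that disappeared from DNS simply age out of the set once their previous timeout expires.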