On Wed, 12 Mar 2025, at 4:08 PM, Lars Noodén wrote:
> Hello,
>
> In NFTables, I have created a named set called 'bar' in the chain input
> in the table foo. I can add elements to the set manually,
>
> # nft add element ip foo bar { 192.168.2.2 }
>
> However, I am not able to guess the syntax to have a regular NFTables
> rule do the appending automatically. I've tried a lot of permutations
> of the following, but always with fatal errors,
>
> # nft add rule foo input tcp dport 22 counter add @bar { ip saddr }
> Error: Could not process rule: Operation not supported
> add rule foo input tcp dport 22 counter add @bar { ip saddr }

For the kernel to raise ENOTSUP does not indicate an error of syntax. The bytecode intended for the nftables VM will already have been compiled at this point. I suspect that your set has been declared with the "interval" flag in effect, in which case updates from the packet path are not allowed. As far as I can tell, this constraint is undocumented.

-- 
Kerin Millar
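
An added example, not part of the original thread: a ruleset file showing the set declaration the reply suspects (with the "interval" flag) beside one that a rule can append to. The set name bar_ranges, the "dynamic,timeout" flags, the 1h timeout and the chain's hook line are assumptions made for illustration.

```nft
# Constructed example ruleset; load with: nft -f <file>
table ip foo {
    # Interval set: holds prefixes and ranges, filled from the command line
    # only, e.g. nft add element ip foo bar_ranges { 192.168.2.0/24 }
    set bar_ranges {
        type ipv4_addr
        flags interval
    }

    # Set intended to be filled by rules: no interval flag. "dynamic" marks
    # it as updatable from the packet path; the timeout expires old entries.
    set bar {
        type ipv4_addr
        flags dynamic,timeout
        timeout 1h
    }

    chain input {
        type filter hook input priority 0; policy accept;

        # Appends the source address of each packet sent to TCP port 22.
        tcp dport 22 counter add @bar { ip saddr }

        # The same statement aimed at the interval set is the case the
        # reply describes as not allowed from the packet path:
        # tcp dport 22 counter add @bar_ranges { ip saddr }
    }
}
```

Running `nft list set ip foo bar` shows the flags in effect on an existing set, which is the quickest way to confirm whether "interval" is present.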