Re: [PATCH nft v3 0/2] Add option to omit sets elements from listings.

[Jeremy Sowden <jeremy@azazel.net>]

[-- Attachment #1: Type: text/plain, Size: 3044 bytes --]

On 2019-10-22, at 09:41:56 +0200, Pablo Neira Ayuso wrote:
> On Mon, Oct 21, 2019 at 10:49:20PM +0100, Jeremy Sowden wrote:
> > From https://bugzilla.netfilter.org/show_bug.cgi?id=1374:
> >
> >   Listing an entire ruleset or a table with 'nft list ...' will also
> >   print all elements of all set definitions within the ruleset or
> >   requested table. Seeing the full set contents is not often
> >   necessary especially when requesting to see someone's ruleset for
> >   help and support purposes. It would be helpful if there was an
> >   option/flag for the nft tool to suppress set contents when
> >   listing.
> >
> > This patch series implements the request by adding a new option:
> > `-t`, `--terse`.
>
> Series applied, thanks Jeremy.

Cheers.

While I was testing this, I noticed what appears to be an error in the
documentation.  From the man-page:

  SET STATEMENT
    The set statement is used to dynamically add or update elements in a
    set from the packet path. The set setname must already exist in the
    given table and must have been created with the dynamic flag.
    Furthermore, these sets must specify both a maximum set size (to
    prevent memory exhaustion) and a timeout (so that number of entries
    in set will not grow indefinitely). The set statement can be used to
    e.g. create dynamic blacklists.

In the following example it then defines a set as follows:

  nft add set ip filter blackhole \
    { type ipv4_addr; flags timeout; size 65536; }

There is no `dynamic` flag.  In my testing, I also omitted the `dynamic`
flag by accident, and inadvertently verified that it is indeed not neces-
sary.  AFAICT, from a far from thorough investigation, it (or rather
`NFT_SET_EVAL`) is only meaningful for the anonymous sets implicitly
created by meter definitions such as this from the same example:

  nft add rule ip filter input tcp flags syn tcp dport ssh \
    meter flood size 128000 \
    { ip saddr timeout 10s limit rate over 10/second } \
    add @blackhole { ip saddr timeout 1m } drop

Another related quirk (I've used the arp family in this example 'cause
it's empty on my dev box):

  # nft add table arp t
  # nft add set arp t s \
  > '{ type ipv4_addr ; size 256 ; flags dynamic,timeout; }'
  # nft list sets table arp t
  table arp t {
          set s {
                  type ipv4_addr
                  size 256
                  flags dynamic,timeout
          }
  }
  # nft list meters arp
  table arp t {
          set s {
                  type ipv4_addr
                  size 256
                  flags dynamic,timeout
          }
  }
  # nft list meter arp t s
  Error: No such file or directory
  list meter arp t s
                   ^
  # nft list set arp t s
  table arp t {
          set s {
                  type ipv4_addr
                  size 256
                  flags dynamic,timeout
          }
  }

> BTW, not your fault, but it seems libnftables documentation is missing
> an update for the (1 << 10) flag.

Yes, I noticed that.  I'll go back and fix it.

J.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]