From: Florian Westphal <fw@strlen.de>
To: Michael Menge <michael.menge@zdv.uni-tuebingen.de>
Cc: netfilter@vger.kernel.org
Subject: Re: nft reset element crashes with error BUG: unhandled op 8
Date: Fri, 28 Feb 2025 15:25:07 +0100 [thread overview]
Message-ID: <20250228142507.GA24116@breakpoint.cc> (raw)
In-Reply-To: <20250228151158.Horde.S7bxprjzrKb3P7rZjqTDZz_@webmail.uni-tuebingen.de>
Michael Menge <michael.menge@zdv.uni-tuebingen.de> wrote:
> I want to use a named set in nftables to restrict outgoing http(s)
> connections only to update servers. As the update servers are behind
> CDNs with multiple changing IPs I need to automatically update the
> named set.
>
> I discovered that "reset element" was added to the nft command, which
> should enable me to reset the timeout without removing the IPs already
> in the set, and to keep a clean list of IPs.
No, you can update existing element timeouts:
nft add element inet filter updatesv4 {1.2.3.4 timeout 1h expires 1h}
reset will not affect the timeout, only quota or counters.
> Fetch list of IPs, call
> "nft add element inet filter updatesv4 {a.b.c.d timeout 1h}" and
> "nft reset element inet filter updatesv4 {a.b.c.d}" for each IP
>
> (I know that I can use multiple IPs in the add and reset element command)
>
> In my test I triggered the following error:
> ===
> [root@mail ~]# nft add element inet filter updatesv4 {1.2.3.4 timeout 1h}
> [root@mail ~]# nft list set inet filter updatesv4
> table inet filter {
> 	set updatesv4 {
> 		type ipv4_addr
> 		flags interval,timeout
> 		elements = { 1.2.3.4 timeout 1h expires 59m53s324ms }
> 	}
> }
> [root@mail ~]# nft reset element inet filter updatesv4 {1.2.3.4}
> BUG: unhandled op 8
> nft: evaluate.c:1734: interval_set_eval: Assertion `0' failed.
> Aborted (core dumped)
This should be the right fix, I will submit this formally later:
diff --git a/src/evaluate.c b/src/evaluate.c
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -1946,6 +1946,7 @@ static int interval_set_eval(struct eval_ctx *ctx, struct set *set,
ctx->nft->debug_mask);
break;
case CMD_GET:
+ case CMD_RESET:
break;
default:
BUG("unhandled op %d\n", ctx->cmd->op);
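Review bot: letting CMD_RESET share the CMD_GET break looks right, since a reset only touches counters and quota and never has to split or merge intervals, but the formal submission should carry a regression test that runs `nft reset element` against a set with `flags interval,timeout` as in the report, because the failing assertion lives in interval_set_eval and only interval sets reach that function; a Fixes: tag for the commit that introduced the reset element command would also help stable backports pick it up.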
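Following Florian's pointer, here is an added example (not code from the thread or the nftables project) of the refresh loop the reporter wants: it re-adds the currently resolved addresses with `add element ... timeout`, which re-arms the timer of elements that already exist, instead of calling `reset element`. Table and set names are the ones from the thread; the 1h default timeout, the resolver-fed input and the `updates.example.com` host are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Keeps a timeout-flagged named set
# current by re-adding the resolved addresses with "add element ... timeout",
# which re-arms the timer of elements that already exist, instead of using
# "reset element" (which only touches counters/quota and crashed here).
# Table/set names come from the thread; the 1h default timeout and the
# resolver-fed input are assumptions.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++)
                      if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
                  exit 0 }
        { exit 1 }'
}

# Read one address per line on stdin and print a single nft batch that
# (re)adds each valid, unique address with the given timeout (default 1h).
# Fails (status 1) when no usable address was read, so a broken resolver
# answer never produces an empty, misleading batch.
build_refresh_batch() {
    timeout="${1:-1h}"
    elems=""
    seen=" "
    while IFS= read -r ip; do
        valid_ipv4 "$ip" || continue                  # skip garbage lines
        case "$seen" in *" $ip "*) continue ;; esac  # skip duplicates
        seen="$seen$ip "
        elems="${elems:+$elems, }$ip timeout $timeout"
    done
    [ -n "$elems" ] || return 1
    printf 'add element inet filter updatesv4 { %s }\n' "$elems"
}

# Dry-run the batch with "nft -c" first; only a batch that parses and
# evaluates cleanly is then committed as one transaction via "nft -f -".
apply_refresh_batch() {
    batch=$(cat)
    printf '%s\n' "$batch" | nft -c -f - || return 1
    printf '%s\n' "$batch" | nft -f -
}

# Typical cron usage (needs root and nft; not executed in this file):
#   getent ahostsv4 updates.example.com | awk '{ print $1 }' \
#       | build_refresh_batch 1h | apply_refresh_batch

# Constructed sample input: a duplicate, a non-address and an out-of-range octet.
sample_ips='203.0.113.10
203.0.113.10
not-an-ip
198.51.100.300
198.51.100.7'
```

Because the whole set update is one `nft -f` transaction, the set is never observed half-refreshed, and addresses that disappear from the resolver answer simply age out when their timeout lapses.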
Thread overview: 7+ messages
2025-02-28 14:11 nft reset element crashes with error BUG: unhandled op 8 Michael Menge
2025-02-28 14:25 ` Florian Westphal [this message]
2025-02-28 15:16 ` Michael Menge
2025-03-03 15:50 ` Michael Menge
2025-03-03 22:52 ` Pablo Neira Ayuso
2025-03-05 22:22 ` Pablo Neira Ayuso
2025-03-06 2:46 ` Florian Westphal