Re: Dynamically appending addresses to a named set

[Pablo Neira Ayuso <pablo@netfilter.org>]

On Wed, Mar 12, 2025 at 07:44:25PM +0000, Kerin Millar wrote:
> On Wed, 12 Mar 2025, at 4:08 PM, Lars Noodén wrote:
> > Hello,
> >
> > In NFTables, I have created a named set called 'bar' in the chain input
> > in the table foo.  I can add elements to the set manually,
> >
> > # nft add element ip foo bar { 192.168.2.2 }
> >
> > However, I am not able to guess the syntax to have a regular NFTables
> > rule do the appending automatically.  I've tried a lot of permutations
> > of the following, but always with fatal errors,
> >
> > # nft add rule foo input tcp dport 22 counter add @bar { ip saddr }
> > Error: Could not process rule: Operation not supported
> > add rule foo input tcp dport 22 counter add @bar { ip saddr }
> 
> For the kernel to raise ENOTSUP does not indicate an error of syntax. The bytecode intended for the nftables VM will already have been compiled at this point.
> 
> I suspect that your set has been declared with the "interval" flag in effect, in which case updates from the packet path are not allowed. As far as I can tell, this constraint is undocumented.

Maybe Lars forgot to set on the flags dynamic;

Where is you set declaration?