From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Slavko <linux@slavino.sk>
Cc: netfilter ML <netfilter@vger.kernel.org>
Subject: Re: [ANNOUNCE] nftables 1.1.2 release
Date: Tue, 15 Apr 2025 18:28:03 +0200 [thread overview]
Message-ID: <Z_6JE714_89IOzb3@calendula> (raw)
In-Reply-To: <111EC295-F2A7-4418-A913-8BA847B19666@slavino.sk>
On Tue, Apr 15, 2025 at 04:19:43PM +0000, Slavko wrote:
> On 15. apríla 2025 15:54:15 UTC, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> >On Tue, Apr 15, 2025 at 03:22:52PM +0000, Slavko wrote:
>
> >> Now i add one network, and one or two seconds later second
> >> network::
> >>
> >> nft add element inet filter testset "{ 192.168.1.0/24 }"
> >> sleep 1
> >> nft add element inet filter testset "{ 192.168.2.0/24 }"
> >>
>
> >After this update, two different intervals with different timeouts are
> >added.
>
> OK, that is good, and IMO expected.
>
> >> Another example is to add subnet of existing element, currently
> >> the new subnet is not added (or is merged into existing without
> >> timeout change). How it will work with this new behavior? Will be
> >> both in set? Or error happens? Or something other?
> >
> >After this update, with subset, an error will be reported if the
> >interval overlaps.
>
> That is not good, it will break my current use case -- set filled
> from BGP, as from time to time networks of different ASNs
> overlaps. In really, i use auto-merge in this set just due this...
>
> I hope, that in one big atomic add, all timeouts will be the same
> (set is flushed in this atomic step), but one cannot do it in cycle
> (with separate add), as even ms are compared...
Scenario 1) 192.168.2.0/24 exists
192.168.2.10 is added with timeout X.
then, refresh 192.168.2.0/24 with new timeout X.
Scenario 2) 192.168.2.0/24 exists
192.168.3.0/24 is added
then, refresh 192.168.2.0-192.168.3.255 with new timeout X.
Otherwise, auto-merge becomes of limited use with timers.
Let me spin over this again and get back to you, thanks for you
feedback.
next prev parent reply other threads:[~2025-04-15 16:28 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-04-14 17:49 [ANNOUNCE] nftables 1.1.2 release Pablo Neira Ayuso
2025-04-14 20:19 ` Jan Engelhardt
2025-04-14 20:32 ` Pablo Neira Ayuso
2025-04-15 7:58 ` Slavko
2025-04-15 14:39 ` Pablo Neira Ayuso
2025-04-15 15:22 ` Slavko
2025-04-15 15:54 ` Pablo Neira Ayuso
2025-04-15 16:19 ` Slavko
2025-04-15 16:28 ` Pablo Neira Ayuso [this message]
2025-04-16 10:02 ` Slavko
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Z_6JE714_89IOzb3@calendula \
--to=pablo@netfilter.org \
--cc=linux@slavino.sk \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.