On Tue, Apr 15, 2025 at 03:22:52PM +0000, Slavko wrote: > On 15. apríla 2025 14:39:20 UTC, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote: > > >https://git.netfilter.org/nftables/commit/?id=da0bac050c8b2588242727f9915a1ea8bc48ceb2 > > Thanks, but i still do not understand, consider this set: > > table inet filter { > set testset { > type ipv4_addr > flags interval,timeout > auto-merge > timeout 1m > } > } > > Now i add one network, and one or two seconds later second > network:: > > nft add element inet filter testset "{ 192.168.1.0/24 }" > sleep 1 > nft add element inet filter testset "{ 192.168.2.0/24 }" > > Currently (1.0.6), they are merged with timeout reset:: > > table inet filter { > set testset { > ... > elements = { 192.168.1.0-192.168.2.255 expires XY } > } > } > > What will be result with new behavior? Will be both (not merged) > in set, each with different timeout/expires? After this update, two different intervals with different timeouts are added. > Another example is to add subnet of existing element, currently > the new subnet is not added (or is merged into existing without > timeout change). How it will work with this new behavior? Will be > both in set? Or error happens? Or something other? After this update, with subset, an error will be reported if the interval overlaps.
