On Tue, Apr 15, 2025 at 04:19:43PM +0000, Slavko wrote:
> On 15. apríla 2025 15:54:15 UTC, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> >On Tue, Apr 15, 2025 at 03:22:52PM +0000, Slavko wrote:
>
> >> Now i add one network, and one or two seconds later second
> >> network::
> >>
> >> nft add element inet filter testset "{ 192.168.1.0/24 }"
> >> sleep 1
> >> nft add element inet filter testset "{ 192.168.2.0/24 }"
> >>
>
> >After this update, two different intervals with different timeouts are
> >added.
>
> OK, that is good, and IMO expected.
>
> >> Another example is to add subnet of existing element, currently
> >> the new subnet is not added (or is merged into existing without
> >> timeout change). How it will work with this new behavior? Will be
> >> both in set? Or error happens? Or something other?
> >
> >After this update, with subset, an error will be reported if the
> >interval overlaps.
>
> That is not good, it will break my current use case -- set filled
> from BGP, as from time to time networks of different ASNs
> overlaps. In really, i use auto-merge in this set just due this...
>
> I hope, that in one big atomic add, all timeouts will be the same
> (set is flushed in this atomic step), but one cannot do it in cycle
> (with separate add), as even ms are compared...
Scenario 1) 192.168.2.0/24 exists
192.168.2.10 is added with timeout X.
then, refresh 192.168.2.0/24 with new timeout X.
Scenario 2) 192.168.2.0/24 exists
192.168.3.0/24 is added
then, refresh 192.168.2.0-192.168.3.255 with new timeout X.
Otherwise, auto-merge becomes of limited use with timers.
Let me spin over this again and get back to you, thanks for you
feedback.
