author Florian Westphal <fw@strlen.de> 2022-01-11 12:08:59 +0100
committer Florian Westphal <fw@strlen.de> 2022-01-11 12:35:07 +0100
commit 8d443adfcc8c19effd6be9a9c903ee96e374f2e8
tree 16363b80397ce8e13873983f44896621497a3312 /tests/shell/testcases/sets/dumps
parent 07af4429241c9832a613cb8620331ac54257d9df

evaluate: attempt to set_eval flag if dynamic updates requested

When passing no upper size limit, the dynset expression forces an internal 64k upper limit. In some cases, this can result in 'nft -f' to restore the ruleset. Avoid this by always setting the EVAL flag on a set definition when we encounter a packet-path update attempt in the batch.

Reported-by: Yi Chen <yiche@redhat.com>
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>

Diffstat (limited to 'tests/shell/testcases/sets/dumps')
-rw-r--r-- tests/shell/testcases/sets/dumps/dynset_missing.nft 12
1 files changed, 12 insertions, 0 deletions
diff --git a/tests/shell/testcases/sets/dumps/dynset_missing.nft b/tests/shell/testcases/sets/dumps/dynset_missing.nft
new file mode 100644
index 00000000..6c8ed323
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/dynset_missing.nft
@@ -0,0 +1,12 @@
+table ip test {
+ set dlist {
+ type ipv4_addr
+ size 65535
+ flags dynamic
+ }
+
+ chain output {
+ type filter hook output priority filter; policy accept;
+ udp dport 1234 update @dlist { ip daddr } counter packets 0 bytes 0
+ }
+}
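
Review bot: the `size 65535` and `flags dynamic` lines in `set dlist` are not explained anywhere a reader of this dump can see, so it is unclear which of them the test input supplied and which were filled in during evaluation. The commit message speaks only of "an internal 64k upper limit" and "the EVAL flag", while the expected output pins the exact value 65535 and the listing keyword `dynamic`. Please state in the commit message (or in a comment in the accompanying test script, which this path-limited diff does not show) that 65535 is the implicit dynset default rather than a user-supplied size and that `flags dynamic` is how the EVAL flag appears in the listing, so that a later change to the default shows up as an understood dump mismatch rather than an unexplained one. The dump also exercises only the `update @dlist { ip daddr }` form on the output hook; if the flag is meant to be set for every packet-path update in the batch, a second rule referencing the same set would confirm that the set definition is not modified twice.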