]> git.ipfire.org Git - thirdparty/nftables.git/commit
projects / thirdparty / nftables.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 07af442) | patch
evaluate: attempt to set_eval flag if dynamic updates requested
authorFlorian Westphal <fw@strlen.de>
Tue, 11 Jan 2022 11:08:59 +0000 (12:08 +0100)
committerFlorian Westphal <fw@strlen.de>
Tue, 11 Jan 2022 11:35:07 +0000 (12:35 +0100)
commit8d443adfcc8c19effd6be9a9c903ee96e374f2e8
tree16363b80397ce8e13873983f44896621497a3312tree | snapshot
parent07af4429241c9832a613cb8620331ac54257d9dfcommit | diff
evaluate: attempt to set_eval flag if dynamic updates requested

When passing no upper size limit, the dynset expression forces
an internal 64k upperlimit.

In some cases, this can result in 'nft -f' to restore the ruleset.
Avoid this by always setting the EVAL flag on a set definition when
we encounter packet-path update attempt in the batch.

Reported-by: Yi Chen <yiche@redhat.com>
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
src/evaluate.c diff | blob | blame | history
tests/shell/testcases/sets/dumps/dynset_missing.nft [new file with mode: 0644] blob
tests/shell/testcases/sets/dynset_missing [new file with mode: 0755] blob
Mirror of git://git.netfilter.org/nftables