set: Add set support for size specifier, add missing dynamic flag unmarshal #294
Conversation
There was a problem hiding this comment.
I would personally add an additional system test which checks if Size works ok in correlation with NFTA_SET_DESC_CONCAT. We work with this field when set uses a concatenation and this seems to be a part of the set element description https://git.netfilter.org/libnftnl/tree/include/linux/netfilter/nf_tables.h?id=be0bae0ad31b0adb506f96de083f52a2bd0d4fbf#n326.
I did a quick test on sample code and it seems to work ok. Here's sample code I've used
conn, err := nftables.New()
if err != nil {
panic(err)
}
conn.FlushRuleset()
table := &nftables.Table{
Family: nftables.TableFamilyIPv4,
Name: "filter",
}
conn.AddTable(table)
set := &nftables.Set{
Name: "test-set",
Table: table,
KeyType: nftables.MustConcatSetType(nftables.TypeIP6Addr, nftables.TypeInetService, nftables.TypeIP6Addr),
Dynamic: true,
Concatenation: true,
Size: 200,
}
if err := conn.AddSet(set, nil); err != nil {
panic(err)
}
if err := conn.Flush(); err != nil {
panic(err)
}There is also an example test here
Line 4036 in 85aee13
Otherwise implementation looks ok.
set_test.go
Outdated
| Size: 10, | ||
| Table: tbl, | ||
| KeyType: TypeIPAddr, | ||
| Timeout: time.Duration(30) * time.Second, |
There was a problem hiding this comment.
“Timeout: 30 * time.Second” please
There was a problem hiding this comment.
Fixed, with the commits related to Size property squashed. Please check: https://github.com/google/nftables/compare/28fb497ab8341973a1a19048089d983e5123f1f8..fcdf440964465db87aaceee41fd3fff74e44eb5e
Handle attribute NFTNL_SET_DESC_SIZE, as done in libnftnl: https://git.netfilter.org/libnftnl/tree/src/set.c#n424 Example: nft add set ip filter myset { type ipv4_addr\; size 65535\; flags dynamic\; }
Add support for set size specification: handle attribute
NFTNL_SET_DESC_SIZE, as done inlibnftnl: https://git.netfilter.org/libnftnl/tree/src/set.c#n424Example:
Also add missing unmarshal of
Dynamicflag (NFT_SET_EVAL).