Configure the set timeout flag explicitly and do not rely on nftables
inferring it from the default timeout value.
This allows treating uci `option timeout 0` specially: it enables
the timeout capability flag on a set but does not emit a `timeout`
statement.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Tested-by: Stijn Tintel <stijn@linux-ipv6.be>
{% if (set.maxelem > 0): %}
size {{ set.maxelem }}
{% endif %}
-{% if (set.timeout >= 0): %}
+{% if (set.timeout > 0): %}
timeout {{ set.timeout }}s
{% endif %}
{% if (set.interval): %}
- flags interval
auto-merge
{% endif %}
+{% if (set.flags): %}
+ flags {{ join(',', set.flags) }}
+{% endif %}
{% fw4.print_setentries(set) %}
}
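Review bot: The `{% if (set.flags): %}` guard added at the end of this hunk tests only that the array exists, so if `set.flags` were ever an empty array (ucode appears to treat those as truthy) the template would emit a bare `flags` line and nft would presumably reject the whole ruleset. The pushes in the fw4.uc hunk only create the array when adding an entry, so this holds today, but `{% if (length(set.flags) > 0): %}` would state the requirement directly. The `set.timeout > 0` test here and the `s.timeout >= 0` test in fw4.uc differ on purpose; a template comment such as `{# timeout 0 sets the timeout flag only, no default timeout statement #}` would keep a later edit from realigning them. The enclosing set block starts above this hunk.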
interval: interval
};
+ if (s.interval)
+ push(s.flags ??= [], 'interval');
+
+ if (s.timeout >= 0)
+ push(s.flags ??= [], 'timeout');
+
s.entries = filter(map(ipset.entry, (e) => {
let v = this.parse_ipsetentry(e, s);