From d79911c7ad40645ab21eaadf09c281fe998e3769 Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich
Date: Fri, 17 Jun 2022 10:13:34 +0200
Subject: [PATCH] fw4: support sets with timeout capability but without default expiry

Configure the set timeout flag explicitly and do not rely on nftables inferring it from the defualt timeout value. This allows treating uci `option timeout 0` specially, means enabling the timeout capability flag on a set but do not emit a `timeout` statement.

Signed-off-by: Jo-Philipp Wich
Tested-by: Stijn Tintel
---
 root/usr/share/firewall4/templates/ruleset.uc | 6 ++++--
 root/usr/share/ucode/fw4.uc | 6 ++++++
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/root/usr/share/firewall4/templates/ruleset.uc b/root/usr/share/firewall4/templates/ruleset.uc
index a09cb1f..eaa1f04 100644
--- a/root/usr/share/firewall4/templates/ruleset.uc
+++ b/root/usr/share/firewall4/templates/ruleset.uc
@@ -53,13 +53,15 @@ table inet fw4 {
 {% if (set.maxelem > 0): %}
 size {{ set.maxelem }}
 {% endif %}
-{% if (set.timeout >= 0): %}
+{% if (set.timeout > 0): %}
 timeout {{ set.timeout }}s
 {% endif %}
 {% if (set.interval): %}
- flags interval
 auto-merge
 {% endif %}
+{% if (set.flags): %}
+ flags {{ join(',', set.flags) }}
+{% endif %}
 {% fw4.print_setentries(set) %}
 }
diff --git a/root/usr/share/ucode/fw4.uc b/root/usr/share/ucode/fw4.uc
index 85456c9..e6bd365 100644
--- a/root/usr/share/ucode/fw4.uc
+++ b/root/usr/share/ucode/fw4.uc
@@ -3219,6 +3219,12 @@ return {
 interval: interval
 };
+ if (s.interval)
+ push(s.flags ??= [], 'interval');
+
+ if (s.timeout >= 0)
+ push(s.flags ??= [], 'timeout');
+
 s.entries = filter(map(ipset.entry, (e) => {
 let v = this.parse_ipsetentry(e, s);
-- 
2.30.2
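Review bot: The new `if (s.timeout >= 0)` check in fw4.uc only does what the commit message describes if an absent uci `timeout` option parses to a negative value; the code that fills `s.timeout` is above the hunk, so if its default were 0, every set would silently get the timeout flag, and that assumption deserves a comment on the line, e.g. `// timeout < 0: option absent; 0: timeout flag but no default expiry (template emits "timeout" only when > 0); > 0: flag plus default expiry`. The same comment should say that a set with `flags timeout` and no `timeout` statement keeps entries that carry no per-element timeout indefinitely, since that is the operational consequence of `option timeout 0` and it is not obvious from the two `push()` calls alone. The template hunk in ruleset.uc relies on the same convention with its `> 0` guard. The enclosing function in fw4.uc starts and ends outside the hunk.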