On Tue, Apr 09, 2019 at 12:59:36PM +0200, Pablo Neira Ayuso wrote:
> Restrict this, the brackets have explicit semantics since they tell the
> kernel to represent this value as a set, which is too costly. Set for
> one single element are overkill.
> 
>  # nft add rule x y ct state { established } counter
>  Error: anonymous set with single element makes no sense, remove brackets 
> wrapping this value
>  add rule x y ct state { established } counter
>                        ^^^^^^^^^^^^^^^
> 
> Instead, the preferred way to express this is:
> 
>  # nft add rule x y ct state established counter
> 
> Signed-off-by: Pablo Neira Ayuso <[email protected]>
> ---
> I know this may break stuff out there, but probably it's still early to
> fix this. If we keep allowing this and transparently turn this into a
> value, people will likely never understand the bracket semantics.
> Brackets are not just syntactic sugar.

This patch is broken, will send v2, and I need to adapt tests after
this change. It's a bit of work but it is doable.

We also need a way not to fail on "define" (definition) that allows a
set with one single element, since this can be used from literal sets.
Will require a bit more code.
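As an added illustration (not code from the patch or from the nftables project), the check below flags the exact construct the error message above rejects, single-element anonymous sets such as `{ established }`, and shows the preferred bracket-free form; it assumes a plain text ruleset with one `nft` rule per line, and it deliberately leaves `define` lines alone for the reason given in the reply (a one-element define may be merged into a literal set).

```python
import re

# An anonymous set literal is "{ ... }" without nested braces.
SET_RE = re.compile(r"\{([^{}]*)\}")


def split_elements(body):
    """Split the inside of a set literal on commas, dropping empty pieces."""
    return [e.strip() for e in body.split(",") if e.strip()]


def _is_single_element(elems):
    # Map entries ("a : b") are not the case discussed in the thread; skip them.
    return len(elems) == 1 and ":" not in elems[0]


def check_rule(rule):
    """Return the single-element anonymous set literals found in one rule.

    'define' lines are skipped: a define holding a one-element set is legitimate
    because it can later be expanded inside a multi-element literal set.
    """
    if rule.lstrip().startswith("define "):
        return []
    return [m.group(0) for m in SET_RE.finditer(rule)
            if _is_single_element(split_elements(m.group(1)))]


def rewrite_rule(rule):
    """Drop the brackets around single-element sets, yielding the preferred form."""
    if rule.lstrip().startswith("define "):
        return rule

    def repl(m):
        elems = split_elements(m.group(1))
        return elems[0] if _is_single_element(elems) else m.group(0)

    return SET_RE.sub(repl, rule)


# Constructed sample lines; only the first two come from the thread itself.
SAMPLE_RULES = [
    "add rule x y ct state { established } counter",
    "add rule x y ct state established counter",
    "add rule x y ct state { established, related } accept",
    "define allowed = { established }",
    "add rule x y tcp dport { 22 } accept",
]

if __name__ == "__main__":
    for r in SAMPLE_RULES:
        if check_rule(r):
            print(f"{r}\n  -> {rewrite_rule(r)}")
```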
