[PATCH nft] doc: fix inconsistency in set statement documentation.

[PATCH nft] doc: fix inconsistency in set statement documentation.

[Jeremy Sowden]

The description of the set statement asserts that the set must have been
created with the "dynamic" flag.  However, this is not in fact the case,
and the assertion is contradicted by the following example, in which the
set is created with just the "timeout" flag (which suffices to ensure
that the kernel will create a set which can be updated).  Remove the
assertion.

Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
 doc/statements.txt | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/doc/statements.txt b/doc/statements.txt
index e17068a8a04b..847656ac7601 100644
--- a/doc/statements.txt
+++ b/doc/statements.txt
@@ -669,10 +669,9 @@ SET STATEMENT
 ~~~~~~~~~~~~~
 The set statement is used to dynamically add or update elements in a set from
 the packet path. The set setname must already exist in the given table and must
-have been created with the dynamic flag. Furthermore, these sets must specify
-both a maximum set size (to prevent memory exhaustion) and a timeout (so that
-number of entries in set will not grow indefinitely). The set statement can be
-used to e.g. create dynamic blacklists.
+specify both a maximum set size (to prevent memory exhaustion) and a timeout (so
+that number of entries in set will not grow indefinitely). The set statement can
+be used to e.g. create dynamic blacklists.
 
 [verse]
 {*add* | *update*} *@*'setname' *{* 'expression' [*timeout* 'timeout'] [*comment* 'string'] *}*
-- 
2.24.0

Re: [PATCH nft] doc: fix inconsistency in set statement documentation.

[Pablo Neira Ayuso]

On Mon, Nov 25, 2019 at 08:54:50PM +0000, Jeremy Sowden wrote:
> The description of the set statement asserts that the set must have been
> created with the "dynamic" flag.  However, this is not in fact the case,
> and the assertion is contradicted by the following example, in which the
> set is created with just the "timeout" flag (which suffices to ensure
> that the kernel will create a set which can be updated).  Remove the
> assertion.

The timeout implies dynamic.

Without the timeout flag, you need the dynamic flag.

Do you want to keep supporting this scenario or probably this should
disallow set updates from the packet path with no timeout.

Re: [PATCH nft] doc: fix inconsistency in set statement documentation.

[Jeremy Sowden]

[-- Attachment #1: Type: text/plain, Size: 1056 bytes --]

On 2019-11-25, at 22:30:43 +0100, Pablo Neira Ayuso wrote:
> On Mon, Nov 25, 2019 at 08:54:50PM +0000, Jeremy Sowden wrote:
> > The description of the set statement asserts that the set must have
> > been created with the "dynamic" flag.  However, this is not in fact
> > the case, and the assertion is contradicted by the following
> > example, in which the set is created with just the "timeout" flag
> > (which suffices to ensure that the kernel will create a set which
> > can be updated).  Remove the assertion.
>
> The timeout implies dynamic.
>
> Without the timeout flag, you need the dynamic flag.
>
> Do you want to keep supporting this scenario or probably this should
> disallow set updates from the packet path with no timeout.

Having gone back and had another look at the code, I see that I missed
(or forgot) the fact one can include stateful expressions in set state-
ments, and without the "dnyamic" flag these will not work.  Thus drop-
ping the reference to it from the documentation is the wrong thing to
do.

I'll redo the patch.

J.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]