Add element in set when element already present.

Add element in set when element already present.

[Mikaël Fourrier]

Hi,

When I add an element in a set (same with maps) and the set already 
contains the element, the command fails with an error. Worse: I try to 
add multiple elements and at least one of these elements is already in 
the set, the command fails without adding any element. Why do you use 
this semantic? It would be more ergonomic if you could just add elements 
in a set without checking its content.

Have a good day,
Mikaël



Example:

```
# nft add set inet filter myset '{ type ipv4_addr; }'

# nft add element inet filter myset '{ 0.0.0.0 }'

# nft add element inet filter myset '{ 0.0.0.0 }'
<cmdline>:1:1-41: Error: Could not process rule: File exists
add element inet filter myset { 0.0.0.0 }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

# nft add element inet filter myset '{ 0.0.0.0, 1.1.1.1 }'
<cmdline>:1:1-50: Error: Could not process rule: File exists
add element inet filter myset { 0.0.0.0, 1.1.1.1 }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

# nft list set inet filter myset
     set myset {
         type ipv4_addr
         elements = { 0.0.0.0}
     }

```

Expected: no error and the set contains { 0.0.0.0, 1.1.1.1}.

Re: Add element in set when element already present.

[Pablo Neira Ayuso]

Hi,

On Tue, Aug 23, 2016 at 06:51:32PM +0200, Mikaël Fourrier wrote:
> Hi,
> 
> When I add an element in a set (same with maps) and the set already contains
> the element, the command fails with an error. Worse: I try to add multiple
> elements and at least one of these elements is already in the set, the
> command fails without adding any element. Why do you use this semantic? It
> would be more ergonomic if you could just add elements in a set without
> checking its content.

Just sent a patchset to address this. Two for kernel:

http://patchwork.ozlabs.org/patch/662322/
http://patchwork.ozlabs.org/patch/662323/

Four for userspace (include two tests).

http://patchwork.ozlabs.org/patch/662333/
http://patchwork.ozlabs.org/patch/662331/
http://patchwork.ozlabs.org/patch/662332/
http://patchwork.ozlabs.org/patch/662330/

        # nft add set inet filter myset { type ipv4_addr\; }
        # nft add element inet filter myset { 0.0.0.0 }
        # nft add element inet filter myset { 0.0.0.0 }
        # nft create element inet filter myset { 0.0.0.0 }
        <cmdline>:1:1-45: Error: Could not process rule: File exists
        create element inet filter myset { 0.0.0.0 }
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The 'create' command complains if the element exists, the 'add'
command returns success if it already exists.

This basically provides the same semantics that we have already in
other objects.

Re: Add element in set when element already present.

[Yamakaky]

Wow, that was fast!

I forgot to tell, but if I remember correctly there is the same problem 
for maps.

Re: Add element in set when element already present.

[Pablo Neira Ayuso]

On Wed, Aug 24, 2016 at 05:25:54PM +0200, Yamakaky wrote:
[...]
> I forgot to tell, but if I remember correctly there is the same problem for
> maps.

This will also work with maps:

# nft add table x
# nft add map x y { type ipv4_addr : ipv4_addr\; }
# nft add element x y { 1.1.1.1 : 2.2.2.2 }
# nft add element x y { 1.1.1.1 : 2.2.2.2 }
# nft create element x y { 1.1.1.1 : 2.2.2.2 }
<cmdline>:1:1-41: Error: Could not process rule: File exists
create element x y { 1.1.1.1 : 2.2.2.2 }

If you specify a different right hand side on the mapping, this hits
EBUSY at this moment if it differs from the initial value:

# nft add element x y { 1.1.1.1 : 2.2.2.3 }
<cmdline>:1:1-38: Error: Could not process rule: Device or resource busy
add element x y { 1.1.1.1 : 2.2.2.3 }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

For sets with timeouts, it should be possible to support timeout
refresh in a follow up patch too.

Thanks!

Re: Add element in set when element already present.

[Yamakaky]

Wow, cool! Any idea about when it could be merged?

Re: Add element in set when element already present.

[Yamakaky]

> I think that we can rely on the fact that set will not change, but see:
> https://en.wikipedia.org/wiki/Multiset

I'm sorry, I don't understand why you say that? I don't want a multiset 
semantic, only a set semantic.

BTW, the error "File exists" is not really helpful.

Re: Add element in set when element already present.

[Yamakaky]

> Hi, The current behaviour corresponds to the mathematical definition
> of a set.

Which set operator acts like the current behavior? It seams to me that
union (add) and complement (remove) would be more ergonomic. For
example, a set could be used for banned IPs. Plus it's what every stdlib
does anyway. Is there something useful I miss with the current behavior?

> But you could always write a simple wrapper which feeds the elements
> one by one to "nft add element" and ignores the error messages for
> the duplicates.

That's what I did, but it's not very clean.

Re: Add element in set when element already present.

[Roger Price]

On Tue, 23 Aug 2016, Yamakaky wrote:

> When I add an element in a set (same with maps) and the set already 
> contains the element, the command fails with an error.

Hi, The current behaviour corresponds to the mathematical definition of a 
set.  But you could always write a simple wrapper which feeds the elements 
one by one to "nft add element" and ignores the error messages for the 
duplicates.

> Expected: no error and the set contains { 0.0.0.0, 1.1.1.1}.

The simple wrapper would have your expected behaviour. What would be 
helpful is a specific return code from "nft add element", and from ipset 
for the same error.

Roger

Add element in set when element already present.

[Yamakaky]

Hi,

When I add an element in a set (same with maps) and the set already 
contains the element, the command fails with an error. Worse: I try to 
add multiple elements and at least one of these elements is already in 
the set, the command fails without adding any element. Why do you use 
this semantic? It would be more ergonomic if you could just add elements 
in a set without checking its content.

Have a good day,
Mikaël


Example:

```
# nft add set inet filter myset '{ type ipv4_addr; }'

# nft add element inet filter myset '{ 0.0.0.0 }'

# nft add element inet filter myset '{ 0.0.0.0 }'
<cmdline>:1:1-41: Error: Could not process rule: File exists
add element inet filter myset { 0.0.0.0 }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

# nft add element inet filter myset '{ 0.0.0.0, 1.1.1.1 }'
<cmdline>:1:1-50: Error: Could not process rule: File exists
add element inet filter myset { 0.0.0.0, 1.1.1.1 }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

# nft list set inet filter myset
     set myset {
         type ipv4_addr
         elements = { 0.0.0.0}
     }

```

Expected: no error and the set contains { 0.0.0.0, 1.1.1.1}.

Re: Add element in set when element already present.

[Mikaël Fourrier]

It's the same idea with maps, BTW

(sorry if double post, network problems)

Re: Add element in set when element already present.

[Mikaël Fourrier]

The same applies to maps, BTW.

Add element in set when element already present.

[Mikaël Fourrier]

Hi,

When I add an element in a set and the set already contains the element, 
the command fails with an error. Worse: I try to add multiple elements 
and at least one of these elements is already in the set, the command 
fails without adding any element. Why do you use this semantic? It would 
be more ergonomic if you could just add elements in a set without 
checking its content.

Have a good day,
Mikaël



Example:

```
# nft add set inet filter myset '{ type ipv4_addr; }'

# nft add element inet filter myset '{ 0.0.0.0 }'

# nft add element inet filter myset '{ 0.0.0.0 }'
<cmdline>:1:1-41: Error: Could not process rule: File exists
add element inet filter myset { 0.0.0.0 }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

# nft add element inet filter myset '{ 0.0.0.0, 1.1.1.1 }'
<cmdline>:1:1-50: Error: Could not process rule: File exists
add element inet filter myset { 0.0.0.0, 1.1.1.1 }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

# nft list set inet filter myset
	set myset {
		type ipv4_addr
		elements = { 0.0.0.0}
	}

```

Expected: no error and the set contains { 0.0.0.0, 1.1.1.1}.